[sudo-users] sudo_logsrvd configuration

Stefan Johnson tigerphoenixdragon at gmail.com
Wed Jul 28 07:08:46 MDT 2021

On Tue, Jul 27, 2021 at 9:32 PM Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Tue, 27 Jul 2021 15:59:24 -0500, Stefan Johnson wrote:
> > The "log_servers" directive allows a list of log servers, but how do you
> > include the certificate for each of those log servers?  The
> > "log_server_peer_cert" and "log_server_peer_key" directives seem to only
> > accept one entry.  If I only include one log server in the sudoers file
> > with the appropriate cert, key, and cacert (log_server_cabundle
> directive)
> > it works fine, but if I try to include a list of certs and keys for each
> > server, it fails.
> The "log_server_peer_cert" and "log_server_peer_key" directives
> describe the cert and key for the sudo client, not the sudo_logsrvd
> server.  Sudo will use the "log_server_cabundle" directive to verify
> the identity of all the servers it connects to.  That file can contain
> multiple certs.
> > I also recognize that I might need to do a subject alternative names
> > certificate for all of the log servers and use that same cert everywhere.
> That is certainly one way to do it but it should also be possible
> to use a discrete cert for each server.
 - todd

Thank you for the clarification.  I have it working perfectly, now.


More information about the sudo-users mailing list