[sudo-users] sudo_logsrvd configuration
Stefan Johnson
tigerphoenixdragon at gmail.com
Wed Jul 28 07:08:46 MDT 2021
On Tue, Jul 27, 2021 at 9:32 PM Todd C. Miller <Todd.Miller at sudo.ws> wrote:
> On Tue, 27 Jul 2021 15:59:24 -0500, Stefan Johnson wrote:
>
> > The "log_servers" directive allows a list of log servers, but how do you
> > include the certificate for each of those log servers? The
> > "log_server_peer_cert" and "log_server_peer_key" directives seem to only
> > accept one entry. If I only include one log server in the sudoers file
> > with the appropriate cert, key, and cacert (log_server_cabundle directive)
> > it works fine, but if I try to include a list of certs and keys for each
> > server, it fails.
>
> The "log_server_peer_cert" and "log_server_peer_key" directives
> describe the cert and key for the sudo client, not the sudo_logsrvd
> server. Sudo will use the "log_server_cabundle" directive to verify
> the identity of all the servers it connects to. That file can contain
> multiple certs.
>
> > I also recognize that I might need to do a subject alternative names
> > certificate for all of the log servers and use that same cert everywhere.
>
> That is certainly one way to do it but it should also be possible
> to use a discrete cert for each server.
>
> - todd
Thank you for the clarification. I have it working perfectly, now.
Stefan
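The client-side layout Todd describes, written out as an added example (it is not from the thread or from the sudo project's own documentation). The host names, port, and file paths are assumptions; the directive names are the sudoers(5) ones discussed above.

```sudoers
# Added example, not from the thread. Client-side sudoers settings for
# sending audit/I-O logs to two sudo_logsrvd hosts over TLS.
# Host names and paths are assumed; 30344 is sudo_logsrvd's default port.

# Two log servers. Per sudoers(5) they are tried in order until one
# accepts the connection, so the second entry is a fallback, not a copy.
Defaults log_servers = "logsrv1.example.com:30344(tls), logsrv2.example.com:30344(tls)"

# These two describe THIS client, not the servers: sudo presents the same
# cert/key to whichever log server it connects to. There is one pair per
# client, never one per server, which is why a list here fails.
Defaults log_server_peer_cert = /etc/sudo/ssl/client.crt
Defaults log_server_peer_key  = /etc/sudo/ssl/client.key

# The CA bundle used to verify every server's certificate. It holds CA
# certs, not the servers' own certs, and is a plain PEM concatenation, so
# one file can carry the CA that issued logsrv1's cert and the CA that
# issued logsrv2's cert (or a single CA that issued both). Each server may
# therefore present its own discrete cert; a shared SAN cert is optional.
Defaults log_server_cabundle = /etc/sudo/ssl/logsrv-ca-bundle.pem

# Verify the server cert against the bundle. This is already the default;
# it is listed explicitly so nobody disables it while debugging.
Defaults log_server_verify
```

Build the bundle by concatenating the issuing CA certificates, for example `cat ca-logsrv1.pem ca-logsrv2.pem > /etc/sudo/ssl/logsrv-ca-bundle.pem`, and confirm each server's leaf cert chains to it before touching sudoers: `openssl verify -CAfile /etc/sudo/ssl/logsrv-ca-bundle.pem logsrv2.crt` should print `OK`. The per-server certificate and key themselves live on each log server, in the `tls_cert` and `tls_key` settings of its sudo_logsrvd.conf, not in the client's sudoers.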