{ "content": [ { "type": "text", "text": "# sudo_logsrvd(8) (man)\n\n**Summary:** sudologsrvd — sudo event and I/O log server\n\n**Synopsis:** sudologsrvd [-hnV] [-f file] [-R percentage]\n\n## Flags\n\n| Flag | Long | Arg | Description |\n|------|------|-----|-------------|\n| -f | --file | — | Read configuration from file instead of the default, /etc/sudologsrvd.conf. |\n| -h | --help | — | |\n| -n | --no-fork | — | Run sudologsrvd in the foreground instead of detaching from the terminal and be‐ coming a daemon. |\n| -R | --random-drop | — | For each message, there is a percentage chance that the server will drop the con‐ nection. This is only intended for deb |\n| -V | --version | — | Print the sudologsrvd version and exit. |\n\n## Examples\n\n- `Unless you are using certificates signed by a well-known Certificate Authority (or a local en‐`\n- `terprise CA), you will need to create your own CA that can sign the certificates used by`\n- `sudologsrvd, sudosendlog, and the sudoers plugin. The following steps use the openssl(1)`\n- `command to create keys and certificates.`\n- `First, we need to create a directory structure to store the files for the CA. We'll create a`\n- `new directory hierarchy in /etc/ssl/sudo for this purpose.`\n- `# mkdir /etc/ssl/sudo`\n- `# cd /etc/ssl/sudo`\n- `# mkdir certs csr newcerts private`\n- `# chmod 700 private`\n- `# touch index.txt`\n- `# echo 1000 > serial`\n- `The serial and index.txt files are used to keep track of signed certificates.`\n- `Next, we need to make a copy of the openssl.conf file and customize it for our new CA. The`\n- `path to openssl.cnf is system-dependent but /etc/ssl/openssl.cnf is the most common location.`\n- `You will need to adjust the example below if it has a different location on your system.`\n- `# cp /etc/ssl/openssl.cnf .`\n- `Now edit the openssl.cnf file in the current directory and make sure it contains “ca” and`\n- `“CAdefault” sections. Those sections should include the following settings:`\n- `[ ca ]`\n- `defaultca = CAdefault`\n- `[ CAdefault ]`\n- `dir = /etc/ssl/sudo`\n- `certs = $dir/certs`\n- `database = $dir/index.txt`\n- `certificate = $dir/cacert.pem`\n- `serial = $dir/serial`\n- `If your openssl.conf file already has a “CAdefault” section, you may only need to modify the`\n- `“dir” setting.`\n- `In order to create and sign our own certificates, we need to create a private key and a cer‐`\n- `tificate for the root of the CA. First, create the private key and protect it with a pass`\n- `phrase:`\n- `# openssl genrsa -aes256 -out private/cakey.pem 4096`\n- `# chmod 400 private/cakey.pem`\n- `Next, generate the root certificate, using appropriate values for the site-specific fields:`\n- `# openssl req -config openssl.cnf -key private/cakey.pem \\`\n- `-new -x509 -days 7300 -sha256 -extensions v3ca \\`\n- `-out cacert.pem`\n- `Enter pass phrase for private/cakey.pem:`\n- `You are about to be asked to enter information that will be`\n- `incorporated into your certificate request.`\n- `What you are about to enter is what is called a Distinguished Name`\n- `or a DN.`\n- `There are quite a few fields but you can leave some blank.`\n- `For some fields there will be a default value,`\n- `If you enter '.', the field will be left blank.`\n- `-----`\n- `Country Name (2 letter code) [AU]:US`\n- `State or Province Name (full name) [Some-State]:Colorado`\n- `Locality Name (eg, city) []:`\n- `Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo`\n- `Organizational Unit Name (eg, section) []:sudo Certificate Authority`\n- `Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA`\n- `Email Address []:`\n- `# chmod 444 cacert.pem`\n- `Finally, verify the root certificate:`\n- `# openssl x509 -noout -text -in cacert.pem`\n- `The server and client certificates will be signed by the previously created root CA. Usually,`\n- `the root CA is not used to sign server/client certificates directly. Instead, intermediate`\n- `certificates are created and signed with the root CA and the intermediate certs are used to`\n- `sign CSRs (Certificate Signing Request). In this example we'll skip this part for simplicity's`\n- `sake and sign the CSRs with the root CA.`\n- `First, generate the private key without a pass phrase.`\n- `# openssl genrsa -out private/logsrvdkey.pem 2048`\n- `# chmod 400 private/logsrvdkey.pem`\n- `Next, create a certificate signing request (CSR) for the server's certificate. The organiza‐`\n- `tion name must match the name given in the root certificate. The common name should be either`\n- `the server's IP address or a fully qualified domain name.`\n- `# openssl req -config openssl.cnf -key private/logsrvdkey.pem -new \\`\n- `-sha256 -out csr/logsrvdcsr.pem`\n- `Enter pass phrase for private/logsrvdkey.pem:`\n- `You are about to be asked to enter information that will be`\n- `incorporated into your certificate request.`\n- `What you are about to enter is what is called a Distinguished Name`\n- `or a DN.`\n- `There are quite a few fields but you can leave some blank.`\n- `For some fields there will be a default value,`\n- `If you enter '.', the field will be left blank.`\n- `-----`\n- `Country Name (2 letter code) [AU]:US`\n- `State or Province Name (full name) [Some-State]:Colorado`\n- `Locality Name (eg, city) []:`\n- `Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo`\n- `Organizational Unit Name (eg, section) []:sudo log server`\n- `Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com`\n- `Email Address []:`\n- `Please enter the following 'extra' attributes`\n- `to be sent with your certificate request`\n- `A challenge password []:`\n- `An optional company name []:`\n- `Now sign the CSR that was just created:`\n- `# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \\`\n- `-in csr/logsrvdcsr.pem -out certs/logsrvdcert.pem`\n- `Using configuration from openssl.cnf`\n- `Enter pass phrase for ./private/cakey.pem:`\n- `Check that the request matches the signature`\n- `Signature ok`\n- `Certificate Details:`\n- `Serial Number: 4096 (0x1000)`\n- `Validity`\n- `Not Before: Nov 11 14:05:05 2019 GMT`\n- `Not After : Nov 20 14:05:05 2020 GMT`\n- `Subject:`\n- `countryName = US`\n- `stateOrProvinceName = Colorado`\n- `organizationName = sudo`\n- `organizationalUnitName = sudo log server`\n- `commonName = logserve.example.com`\n- `X509v3 extensions:`\n- `X509v3 Basic Constraints:`\n- `CA:FALSE`\n- `Netscape Comment:`\n- `OpenSSL Generated Certificate`\n- `X509v3 Subject Key Identifier:`\n- `4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5`\n- `X509v3 Authority Key Identifier:`\n- `keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C`\n- `Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)`\n- `Sign the certificate? [y/n]:y`\n- `1 out of 1 certificate requests certified, commit? [y/n]y`\n- `Write out database with 1 new entries`\n- `Data Base Updated`\n- `Finally, verify the new certificate:`\n- `# openssl verify -CAfile cacert.pem certs/logsrvdcert.pem`\n- `certs/logsrvdcert.pem: OK`\n- `The /etc/ssl/sudo/certs directory now contains a signed and verified certificate for use with`\n- `sudologsrvd.`\n- `To generate a client certificate, repeat the process above using a different file name.`\n- `Configuring sudologsrvd to use TLS`\n- `To use TLS for client/server communication, both sudologsrvd and the sudoers plugin need to be`\n- `configured to use TLS. Configuring sudologsrvd for TLS requires the following settings, as‐`\n- `suming the same path names used earlier:`\n- `# Listen on port 30344 for TLS connections to any address.`\n- `listenaddress = *:30344(tls)`\n- `# Path to the certificate authority bundle file in PEM format.`\n- `tlscacert = /etc/ssl/sudo/cacert.pem`\n- `# Path to the server's certificate file in PEM format.`\n- `tlscert = /etc/ssl/sudo/certs/logsrvdcert.pem`\n- `# Path to the server's private key file in PEM format.`\n- `tlskey = /etc/ssl/sudo/private/logsrvdkey.pem`\n- `The root CA cert (cacert.pem) must be installed on the system running sudologsrvd. If peer`\n- `authentication is enabled on the client, a copy of cacert.pem must be present on the client`\n- `system too.`\n\n## See Also\n\n- sudo.conf(5)\n- sudologsrvd.conf(5)\n- sudoers(5)\n- sudo(8)\n- sudosendlog(8)\n- sudoreplay(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (21 lines) — 6 subsections\n - -f --file (2 lines)\n - -h --help (1 lines)\n - -n --no-fork (3 lines)\n - -R --random-drop (4 lines)\n - -V --version (2 lines)\n - Securing server connections (15 lines)\n- **FILES** (17 lines)\n- **EXAMPLES** (1 lines) — 4 subsections\n - Creating self-signed certificates (5 lines)\n - Initial setup (34 lines)\n - Creating the CA key and certificate (36 lines)\n - Creating and signing certificates (108 lines)\n- **SEE ALSO** (2 lines)\n- **AUTHORS** (8 lines)\n- **BUGS** (3 lines)\n- **SUPPORT** (3 lines)\n- **DISCLAIMER** (5 lines)\n- **Sudo 1.9.9 September 17, 2021 Sudo 1.9.9** (1 lines)\n\n## Full Content\n\n### NAME\n\nsudologsrvd — sudo event and I/O log server\n\n### SYNOPSIS\n\nsudologsrvd [-hnV] [-f file] [-R percentage]\n\n### DESCRIPTION\n\nsudologsrvd is a high-performance log server that accepts event and I/O logs from sudo. It\ncan be used to implement centralized logging of sudo logs. The server has two modes of opera‐\ntion: local and relay. By default, sudologsrvd stores the logs locally but it can also be\nconfigured to relay them to another server that supports the sudologsrv.proto(5) protocol.\n\nWhen not relaying, event log entries may be logged either via syslog(3) or to a local file.\nI/O Logs stored locally by sudologsrvd can be replayed via the sudoreplay(8) utility in the\nsame way as logs generated directly by the sudoers plugin.\n\nThe server also supports restarting interrupted log transfers. To distinguish completed I/O\nlogs from incomplete ones, the I/O log timing file is set to be read-only when the log is com‐\nplete.\n\nConfiguration parameters for sudologsrvd may be specified in the sudologsrvd.conf(5) file or\nthe file specified via the -f option.\n\nsudologsrvd rereads its configuration file when it receives SIGHUP and writes server state to\nthe debug file (if one is configured) when it receives SIGUSR1.\n\nThe options are as follows:\n\n#### -f --file\n\nRead configuration from file instead of the default, /etc/sudologsrvd.conf.\n\n#### -h --help\n\n#### -n --no-fork\n\nRun sudologsrvd in the foreground instead of detaching from the terminal and be‐\ncoming a daemon.\n\n#### -R --random-drop\n\nFor each message, there is a percentage chance that the server will drop the con‐\nnection. This is only intended for debugging the ability of a client to restart a\nconnection.\n\n#### -V --version\n\nPrint the sudologsrvd version and exit.\n\n#### Securing server connections\n\nThe I/O log data sent to sudologsrvd may contain sensitive information such as passwords and\nshould be secured using Transport Layer Security (TLS). Doing so requires having a signed cer‐\ntificate on the server and, if tlscheckpeer is enabled in sudologsrvd.conf(5), a signed cer‐\ntificate on the client as well.\n\nThe certificates can either be signed by a well-known Certificate Authority (CA), or a private\nCA can be used. Instructions for creating a private CA are included below in the EXAMPLES sec‐\ntion.\n\nDebugging sudologsrvd\nsudologsrvd supports a flexible debugging framework that is configured via Debug lines in the\nsudo.conf(5) file.\n\nFor more information on configuring sudo.conf(5), please refer to its manual.\n\n### FILES\n\n/etc/sudo.conf Sudo front-end configuration\n\n/etc/sudologsrvd.conf Sudo log server configuration file\n\n/var/log/sudologsrvd/incoming\nDirectory where new journals are stored when the storefirst relay\nsetting is enabled.\n\n/var/log/sudologsrvd/outgoing\nDirectory where completed journals are stored when the storefirst\nrelay setting is enabled.\n\n/var/log/sudo-io Default I/O log file location\n\n/run/sudo/sudologsrvd.pid\nProcess ID file for sudologsrvd\n\n### EXAMPLES\n\n#### Creating self-signed certificates\n\nUnless you are using certificates signed by a well-known Certificate Authority (or a local en‐\nterprise CA), you will need to create your own CA that can sign the certificates used by\nsudologsrvd, sudosendlog, and the sudoers plugin. The following steps use the openssl(1)\ncommand to create keys and certificates.\n\n#### Initial setup\n\nFirst, we need to create a directory structure to store the files for the CA. We'll create a\nnew directory hierarchy in /etc/ssl/sudo for this purpose.\n\n# mkdir /etc/ssl/sudo\n# cd /etc/ssl/sudo\n# mkdir certs csr newcerts private\n# chmod 700 private\n# touch index.txt\n# echo 1000 > serial\n\nThe serial and index.txt files are used to keep track of signed certificates.\n\nNext, we need to make a copy of the openssl.conf file and customize it for our new CA. The\npath to openssl.cnf is system-dependent but /etc/ssl/openssl.cnf is the most common location.\nYou will need to adjust the example below if it has a different location on your system.\n\n# cp /etc/ssl/openssl.cnf .\n\nNow edit the openssl.cnf file in the current directory and make sure it contains “ca” and\n“CAdefault” sections. Those sections should include the following settings:\n\n[ ca ]\ndefaultca = CAdefault\n\n[ CAdefault ]\ndir = /etc/ssl/sudo\ncerts = $dir/certs\ndatabase = $dir/index.txt\ncertificate = $dir/cacert.pem\nserial = $dir/serial\n\nIf your openssl.conf file already has a “CAdefault” section, you may only need to modify the\n“dir” setting.\n\n#### Creating the CA key and certificate\n\nIn order to create and sign our own certificates, we need to create a private key and a cer‐\ntificate for the root of the CA. First, create the private key and protect it with a pass\nphrase:\n\n# openssl genrsa -aes256 -out private/cakey.pem 4096\n# chmod 400 private/cakey.pem\n\nNext, generate the root certificate, using appropriate values for the site-specific fields:\n\n# openssl req -config openssl.cnf -key private/cakey.pem \\\n-new -x509 -days 7300 -sha256 -extensions v3ca \\\n-out cacert.pem\n\nEnter pass phrase for private/cakey.pem:\nYou are about to be asked to enter information that will be\nincorporated into your certificate request.\nWhat you are about to enter is what is called a Distinguished Name\nor a DN.\nThere are quite a few fields but you can leave some blank.\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [AU]:US\nState or Province Name (full name) [Some-State]:Colorado\nLocality Name (eg, city) []:\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:sudo\nOrganizational Unit Name (eg, section) []:sudo Certificate Authority\nCommon Name (e.g., server FQDN or YOUR name) []:sudo Root CA\nEmail Address []:\n\n# chmod 444 cacert.pem\n\nFinally, verify the root certificate:\n\n# openssl x509 -noout -text -in cacert.pem\n\n#### Creating and signing certificates\n\nThe server and client certificates will be signed by the previously created root CA. Usually,\nthe root CA is not used to sign server/client certificates directly. Instead, intermediate\ncertificates are created and signed with the root CA and the intermediate certs are used to\nsign CSRs (Certificate Signing Request). In this example we'll skip this part for simplicity's\nsake and sign the CSRs with the root CA.\n\nFirst, generate the private key without a pass phrase.\n\n# openssl genrsa -out private/logsrvdkey.pem 2048\n# chmod 400 private/logsrvdkey.pem\n\nNext, create a certificate signing request (CSR) for the server's certificate. The organiza‐\ntion name must match the name given in the root certificate. The common name should be either\nthe server's IP address or a fully qualified domain name.\n\n# openssl req -config openssl.cnf -key private/logsrvdkey.pem -new \\\n-sha256 -out csr/logsrvdcsr.pem\n\nEnter pass phrase for private/logsrvdkey.pem:\nYou are about to be asked to enter information that will be\nincorporated into your certificate request.\nWhat you are about to enter is what is called a Distinguished Name\nor a DN.\nThere are quite a few fields but you can leave some blank.\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [AU]:US\nState or Province Name (full name) [Some-State]:Colorado\nLocality Name (eg, city) []:\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:sudo\nOrganizational Unit Name (eg, section) []:sudo log server\nCommon Name (e.g., server FQDN or YOUR name) []:logserver.example.com\nEmail Address []:\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\n\nNow sign the CSR that was just created:\n\n# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \\\n-in csr/logsrvdcsr.pem -out certs/logsrvdcert.pem\n\nUsing configuration from openssl.cnf\nEnter pass phrase for ./private/cakey.pem:\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\nSerial Number: 4096 (0x1000)\nValidity\nNot Before: Nov 11 14:05:05 2019 GMT\nNot After : Nov 20 14:05:05 2020 GMT\nSubject:\ncountryName = US\nstateOrProvinceName = Colorado\norganizationName = sudo\norganizationalUnitName = sudo log server\ncommonName = logserve.example.com\nX509v3 extensions:\nX509v3 Basic Constraints:\nCA:FALSE\nNetscape Comment:\nOpenSSL Generated Certificate\nX509v3 Subject Key Identifier:\n4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5\nX509v3 Authority Key Identifier:\nkeyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C\n\nCertificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)\nSign the certificate? [y/n]:y\n\n1 out of 1 certificate requests certified, commit? [y/n]y\nWrite out database with 1 new entries\nData Base Updated\n\nFinally, verify the new certificate:\n\n# openssl verify -CAfile cacert.pem certs/logsrvdcert.pem\ncerts/logsrvdcert.pem: OK\n\nThe /etc/ssl/sudo/certs directory now contains a signed and verified certificate for use with\nsudologsrvd.\n\nTo generate a client certificate, repeat the process above using a different file name.\n\nConfiguring sudologsrvd to use TLS\nTo use TLS for client/server communication, both sudologsrvd and the sudoers plugin need to be\nconfigured to use TLS. Configuring sudologsrvd for TLS requires the following settings, as‐\nsuming the same path names used earlier:\n\n# Listen on port 30344 for TLS connections to any address.\nlistenaddress = *:30344(tls)\n\n# Path to the certificate authority bundle file in PEM format.\ntlscacert = /etc/ssl/sudo/cacert.pem\n\n# Path to the server's certificate file in PEM format.\ntlscert = /etc/ssl/sudo/certs/logsrvdcert.pem\n\n# Path to the server's private key file in PEM format.\ntlskey = /etc/ssl/sudo/private/logsrvdkey.pem\n\nThe root CA cert (cacert.pem) must be installed on the system running sudologsrvd. If peer\nauthentication is enabled on the client, a copy of cacert.pem must be present on the client\nsystem too.\n\n### SEE ALSO\n\nsudo.conf(5), sudologsrvd.conf(5), sudoers(5), sudo(8), sudosendlog(8), sudoreplay(8)\n\n### AUTHORS\n\nMany people have worked on sudo over the years; this version consists of code written primarily\nby:\n\nTodd C. Miller\n\nSee the CONTRIBUTORS file in the sudo distribution (https://www.sudo.ws/contributors.html) for\nan exhaustive list of people who have contributed to sudo.\n\n### BUGS\n\nIf you feel you have found a bug in sudologsrvd, please submit a bug report at\nhttps://bugzilla.sudo.ws/\n\n### SUPPORT\n\nLimited free support is available via the sudo-users mailing list, see\nhttps://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.\n\n### DISCLAIMER\n\nsudologsrvd is provided “AS IS” and any express or implied warranties, including, but not lim‐\nited to, the implied warranties of merchantability and fitness for a particular purpose are\ndisclaimed. See the LICENSE file distributed with sudo or https://www.sudo.ws/license.html for\ncomplete details.\n\n### Sudo 1.9.9 September 17, 2021 Sudo 1.9.9\n\n" } ], "structuredContent": { "command": "sudo_logsrvd", "section": "8", "mode": "man", "summary": "sudologsrvd — sudo event and I/O log server", "synopsis": "sudologsrvd [-hnV] [-f file] [-R percentage]", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [ { "flag": "-f", "long": "--file", "arg": null, "description": "Read configuration from file instead of the default, /etc/sudologsrvd.conf." }, { "flag": "-h", "long": "--help", "arg": null, "description": "" }, { "flag": "-n", "long": "--no-fork", "arg": null, "description": "Run sudologsrvd in the foreground instead of detaching from the terminal and be‐ coming a daemon." }, { "flag": "-R", "long": "--random-drop", "arg": null, "description": "For each message, there is a percentage chance that the server will drop the con‐ nection. This is only intended for debugging the ability of a client to restart a connection." }, { "flag": "-V", "long": "--version", "arg": null, "description": "Print the sudologsrvd version and exit." } ], "examples": [ "Unless you are using certificates signed by a well-known Certificate Authority (or a local en‐", "terprise CA), you will need to create your own CA that can sign the certificates used by", "sudologsrvd, sudosendlog, and the sudoers plugin. The following steps use the openssl(1)", "command to create keys and certificates.", "First, we need to create a directory structure to store the files for the CA. We'll create a", "new directory hierarchy in /etc/ssl/sudo for this purpose.", "# mkdir /etc/ssl/sudo", "# cd /etc/ssl/sudo", "# mkdir certs csr newcerts private", "# chmod 700 private", "# touch index.txt", "# echo 1000 > serial", "The serial and index.txt files are used to keep track of signed certificates.", "Next, we need to make a copy of the openssl.conf file and customize it for our new CA. The", "path to openssl.cnf is system-dependent but /etc/ssl/openssl.cnf is the most common location.", "You will need to adjust the example below if it has a different location on your system.", "# cp /etc/ssl/openssl.cnf .", "Now edit the openssl.cnf file in the current directory and make sure it contains “ca” and", "“CAdefault” sections. Those sections should include the following settings:", "[ ca ]", "defaultca = CAdefault", "[ CAdefault ]", "dir = /etc/ssl/sudo", "certs = $dir/certs", "database = $dir/index.txt", "certificate = $dir/cacert.pem", "serial = $dir/serial", "If your openssl.conf file already has a “CAdefault” section, you may only need to modify the", "“dir” setting.", "In order to create and sign our own certificates, we need to create a private key and a cer‐", "tificate for the root of the CA. First, create the private key and protect it with a pass", "phrase:", "# openssl genrsa -aes256 -out private/cakey.pem 4096", "# chmod 400 private/cakey.pem", "Next, generate the root certificate, using appropriate values for the site-specific fields:", "# openssl req -config openssl.cnf -key private/cakey.pem \\", "-new -x509 -days 7300 -sha256 -extensions v3ca \\", "-out cacert.pem", "Enter pass phrase for private/cakey.pem:", "You are about to be asked to enter information that will be", "incorporated into your certificate request.", "What you are about to enter is what is called a Distinguished Name", "or a DN.", "There are quite a few fields but you can leave some blank.", "For some fields there will be a default value,", "If you enter '.', the field will be left blank.", "-----", "Country Name (2 letter code) [AU]:US", "State or Province Name (full name) [Some-State]:Colorado", "Locality Name (eg, city) []:", "Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo", "Organizational Unit Name (eg, section) []:sudo Certificate Authority", "Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA", "Email Address []:", "# chmod 444 cacert.pem", "Finally, verify the root certificate:", "# openssl x509 -noout -text -in cacert.pem", "The server and client certificates will be signed by the previously created root CA. Usually,", "the root CA is not used to sign server/client certificates directly. Instead, intermediate", "certificates are created and signed with the root CA and the intermediate certs are used to", "sign CSRs (Certificate Signing Request). In this example we'll skip this part for simplicity's", "sake and sign the CSRs with the root CA.", "First, generate the private key without a pass phrase.", "# openssl genrsa -out private/logsrvdkey.pem 2048", "# chmod 400 private/logsrvdkey.pem", "Next, create a certificate signing request (CSR) for the server's certificate. The organiza‐", "tion name must match the name given in the root certificate. The common name should be either", "the server's IP address or a fully qualified domain name.", "# openssl req -config openssl.cnf -key private/logsrvdkey.pem -new \\", "-sha256 -out csr/logsrvdcsr.pem", "Enter pass phrase for private/logsrvdkey.pem:", "You are about to be asked to enter information that will be", "incorporated into your certificate request.", "What you are about to enter is what is called a Distinguished Name", "or a DN.", "There are quite a few fields but you can leave some blank.", "For some fields there will be a default value,", "If you enter '.', the field will be left blank.", "-----", "Country Name (2 letter code) [AU]:US", "State or Province Name (full name) [Some-State]:Colorado", "Locality Name (eg, city) []:", "Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo", "Organizational Unit Name (eg, section) []:sudo log server", "Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com", "Email Address []:", "Please enter the following 'extra' attributes", "to be sent with your certificate request", "A challenge password []:", "An optional company name []:", "Now sign the CSR that was just created:", "# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \\", "-in csr/logsrvdcsr.pem -out certs/logsrvdcert.pem", "Using configuration from openssl.cnf", "Enter pass phrase for ./private/cakey.pem:", "Check that the request matches the signature", "Signature ok", "Certificate Details:", "Serial Number: 4096 (0x1000)", "Validity", "Not Before: Nov 11 14:05:05 2019 GMT", "Not After : Nov 20 14:05:05 2020 GMT", "Subject:", "countryName = US", "stateOrProvinceName = Colorado", "organizationName = sudo", "organizationalUnitName = sudo log server", "commonName = logserve.example.com", "X509v3 extensions:", "X509v3 Basic Constraints:", "CA:FALSE", "Netscape Comment:", "OpenSSL Generated Certificate", "X509v3 Subject Key Identifier:", "4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5", "X509v3 Authority Key Identifier:", "keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C", "Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)", "Sign the certificate? [y/n]:y", "1 out of 1 certificate requests certified, commit? [y/n]y", "Write out database with 1 new entries", "Data Base Updated", "Finally, verify the new certificate:", "# openssl verify -CAfile cacert.pem certs/logsrvdcert.pem", "certs/logsrvdcert.pem: OK", "The /etc/ssl/sudo/certs directory now contains a signed and verified certificate for use with", "sudologsrvd.", "To generate a client certificate, repeat the process above using a different file name.", "Configuring sudologsrvd to use TLS", "To use TLS for client/server communication, both sudologsrvd and the sudoers plugin need to be", "configured to use TLS. Configuring sudologsrvd for TLS requires the following settings, as‐", "suming the same path names used earlier:", "# Listen on port 30344 for TLS connections to any address.", "listenaddress = *:30344(tls)", "# Path to the certificate authority bundle file in PEM format.", "tlscacert = /etc/ssl/sudo/cacert.pem", "# Path to the server's certificate file in PEM format.", "tlscert = /etc/ssl/sudo/certs/logsrvdcert.pem", "# Path to the server's private key file in PEM format.", "tlskey = /etc/ssl/sudo/private/logsrvdkey.pem", "The root CA cert (cacert.pem) must be installed on the system running sudologsrvd. If peer", "authentication is enabled on the client, a copy of cacert.pem must be present on the client", "system too." ], "see_also": [ { "name": "sudo.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/sudo.conf/5/json" }, { "name": "sudologsrvd.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/sudologsrvd.conf/5/json" }, { "name": "sudoers", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/sudoers/5/json" }, { "name": "sudo", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sudo/8/json" }, { "name": "sudosendlog", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sudosendlog/8/json" }, { "name": "sudoreplay", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sudoreplay/8/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 21, "subsections": [ { "name": "-f --file", "lines": 2, "flag": "-f", "long": "--file" }, { "name": "-h --help", "lines": 1, "flag": "-h", "long": "--help" }, { "name": "-n --no-fork", "lines": 3, "flag": "-n", "long": "--no-fork" }, { "name": "-R --random-drop", "lines": 4, "flag": "-R", "long": "--random-drop" }, { "name": "-V --version", "lines": 2, "flag": "-V", "long": "--version" }, { "name": "Securing server connections", "lines": 15 } ] }, { "name": "FILES", "lines": 17, "subsections": [] }, { "name": "EXAMPLES", "lines": 1, "subsections": [ { "name": "Creating self-signed certificates", "lines": 5 }, { "name": "Initial setup", "lines": 34 }, { "name": "Creating the CA key and certificate", "lines": 36 }, { "name": "Creating and signing certificates", "lines": 108 } ] }, { "name": "SEE ALSO", "lines": 2, "subsections": [] }, { "name": "AUTHORS", "lines": 8, "subsections": [] }, { "name": "BUGS", "lines": 3, "subsections": [] }, { "name": "SUPPORT", "lines": 3, "subsections": [] }, { "name": "DISCLAIMER", "lines": 5, "subsections": [] }, { "name": "Sudo 1.9.9 September 17, 2021 Sudo 1.9.9", "lines": 1, "subsections": [] } ] } }