Hi Alexander,

thanks for your patch. I am indeed reluctant to have OpenSSL added as a
dependency to sudo. This might open a can of worms; other team members
might give their opinion here as well.

And since we are just working on getting rid of sudo-ldap, having a
variant, sudo-ssl, would probably be too much as well.

I was not aware of sudo_logsrvd at all; since that's a daemon, it should
probably be in its own package (or disabled).

Would it be very unfriendly to indeed suggest using stunnel instead of
native SSL? What is the motivation to use sudo_logsrvd instead of normal
syslog?

Greetings
Marc

On Wed, Jan 03, 2024 at 09:49:37AM +0100, Alexander Reichle-Schmehl wrote:
> From: Alexander Reichle-Schmehl <a...@anguana.alphamar.org>
> Subject: Bug#1059896: sudo: Please add openssl support for sudo and
>  sudo_logsrvd for secure transfer of sudo log files
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Reply-To: Alexander Reichle-Schmehl <a...@anguana.alphamar.org>,
>  1059...@bugs.debian.org
> Date: Wed, 03 Jan 2024 09:49:37 +0100
> X-Mailer: reportbug 7.10.3+deb11u1
> 
> Package: sudo
> Version: 1.9.5p2-3+deb11u1
> Severity: wishlist
> Tags: patch
> 
> Dear Maintainer,
> 
> sudo 1.9 introduced the functionality to directly send log files (especially
> input/output logs) to a log server.  As these logs might contain private data,
> they should be transferred using SSL.  Both sudo and sudo_logsrvd
> support this when the feature is enabled at compile time.
> 
> I sent a merge request on salsa to add this functionality, and verified that
> it works for me.
> 
> However, I should also point out that an alternative approach would be to use
> stunnel. If you prefer that instead of adding additional complexity to a
> security-critical package, would you consider adding a README file explaining
> how that's done?  I use it for sudo on another distribution anyway, and could
> write one for you, if you prefer it that way.
> 
> 
> Best regards,
>   Alexander
> 
> 
> 
> -- System Information:
> Debian Release: 11.8
>   APT prefers oldstable-security
>   APT policy: (500, 'oldstable-security'), (500, 'oldoldstable-updates'), 
> (500, 'oldstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-26-cloud-amd64 (SMP w/2 CPU threads)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages sudo depends on:
> ii  libaudit1       1:3.0-2
> ii  libc6           2.31-13+deb11u7
> ii  libpam-modules  1.4.0-9+deb11u1
> ii  libpam0g        1.4.0-9+deb11u1
> ii  libselinux1     3.1-3
> ii  lsb-base        11.1.0
> ii  zlib1g          1:1.2.11.dfsg-2+deb11u2
> 
> sudo recommends no packages.
> 
> sudo suggests no packages.
> 
> -- Configuration Files:
> /etc/pam.d/sudo changed [not included]
> /etc/sudoers [Errno 13] Permission denied: '/etc/sudoers'
> /etc/sudoers.d/README [Errno 13] Permission denied: '/etc/sudoers.d/README'
> 
> -- no debconf information
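
The stunnel alternative discussed above, written out as an added example; this is not part of the bug report, of the salsa merge request, or of the sudo or Debian packaging. The idea is that a sudo built without OpenSSL and a sudo_logsrvd built without OpenSSL keep speaking plain TCP, but each only to a stunnel on its own host, and the two stunnels carry the traffic over TLS with certificates checked in both directions. The hostname logserver.example.org, the loopback port 30345, the stunnel config file names and all certificate paths are assumptions; 30344 is sudo's default log server port, and log_servers, listen_address, log_input and log_output are the real sudoers / sudo_logsrvd.conf settings.

```ini
# ---- log server host: /etc/stunnel/sudo-logsrvd.conf (assumed path) ----
# Terminates TLS from the sudo clients and forwards the cleartext stream
# to sudo_logsrvd, which is only reachable on the loopback interface.
[sudo-logsrvd]
accept  = 30344
connect = 127.0.0.1:30345
cert    = /etc/stunnel/logserver-cert.pem
key     = /etc/stunnel/logserver-key.pem
# Only hosts holding a client certificate from our own CA may push logs;
# without requireCert, stunnel would accept connections without one.
CAfile      = /etc/stunnel/sudo-ca.pem
verifyChain = yes
requireCert = yes

# ---- log server host: /etc/sudo_logsrvd.conf ----
# sudo_logsrvd itself binds only to loopback, so the TLS-less port is
# not exposed on the network; stunnel is the only intended client.
[server]
listen_address = 127.0.0.1:30345

# ---- sudo client host: /etc/stunnel/sudo-log.conf (assumed path) ----
# Accepts sudo's cleartext connection on loopback and carries it to the
# log server over mutually authenticated TLS.
[sudo-log]
client  = yes
accept  = 127.0.0.1:30344
connect = logserver.example.org:30344
cert    = /etc/stunnel/client-cert.pem
key     = /etc/stunnel/client-key.pem
CAfile      = /etc/stunnel/sudo-ca.pem
verifyChain = yes
# Also check the name in the server certificate; with verifyChain alone
# any certificate issued by the CA would be accepted as the log server.
checkHost = logserver.example.org

# ---- sudo client host: /etc/sudoers.d/logsrv ----
# Point sudo at the local stunnel; the cleartext never leaves the host.
Defaults log_servers=127.0.0.1:30344
Defaults log_input, log_output
```

Two caveats a deployment should keep in mind. First, the client-side stunnel listens on 127.0.0.1:30344 for any local process, so an unprivileged local user can open that port and submit records that arrive at the server authenticated by the host's client certificate; a native TLS client inside sudo does not have that exposure, and the sudo_logsrvd side should treat the client certificate as identifying the host, not the user. Second, if the local stunnel is down, sudo's connection to 127.0.0.1:30344 fails exactly as it would for an unreachable log server, so the behaviour on failure is governed by the same sudoers settings as before and should be tested before relying on the I/O logs.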
