[Bug 3597] Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 3 08:00:45 AEST 2023


--- Comment #3 from Damien Miller <djm at mindrot.org> ---
> For lower version, before openssh-8.9p1, only checking the 
> value of remote_add_provider is stricter, although it may 
> cause some problems else.

That won't work. Older versions have no way of telling whether a socket
is local or remote, so testing remote_add_provider alone would simply
ban all PKCS#11 loading.

You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list