DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems

Iain Morgan imorgan at
Thu Dec 29 09:35:32 AEDT 2016


On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
very useful. On such systems, /usr/lib64/* would need to be added to the
pattern list. Although users can specify the -P option every time they
launch ssh-agent, it might be nice to provide a means to specify a
default whitelist at build-time.

It's tempting to suggest that configure should automatically supply a
reasonable value for the whitelist based on the platform, but supporting
an option to configure would seem to be the simpler and safer solution.

% ./configure --with-default-pkcs11-whitelist="/usr/lib64/*'

any thought?

Iain Morgan

More information about the openssh-unix-dev mailing list