DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems

Jakub Jelen jjelen at
Tue Jan 3 20:39:20 AEDT 2017

On 12/30/2016 02:40 AM, Damien Miller wrote:
> On Wed, 28 Dec 2016, Iain Morgan wrote:
>> Hello,
>> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
>> very useful. On such systems, /usr/lib64/* would need to be added to the
>> pattern list. Although users can specify the -P option every time they
>> launch ssh-agent, it might be nice to provide a means to specify a
>> default whitelist at build-time.
>> It's tempting to suggest that configure should automatically supply a
>> reasonable value for the whitelist based on the platform, but supporting
>> an option to configure would seem to be the simpler and safer solution.
>> % ./configure --with-default-pkcs11-whitelist="/usr/lib64/*'
> Sounds eminently reasonable. Maybe we could make the portable default
> "/usr/lib*/*,/usr/local/lib*/*" too?
Please do,
these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are 
under /usr/lib64/pkcs11/ on x86_64. Not sure, where else they can be on 
other systems, but your wildcard matches all of them.


Jakub Jelen
Software Engineer
Security Technologies
Red Hat

More information about the openssh-unix-dev mailing list