DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems

Iain Morgan imorgan at nas.nasa.gov
Wed Jan 4 09:14:27 AEDT 2017


On Tue, Jan 03, 2017 at 10:39:20 +0100, Jakub Jelen wrote:
> On 12/30/2016 02:40 AM, Damien Miller wrote:
> >On Wed, 28 Dec 2016, Iain Morgan wrote:
> >
> >>Hello,
> >>
> >>On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
> >>very useful. On such systems, /usr/lib64/* would need to be added to the
> >>pattern list. Although users can specify the -P option every time they
> >>launch ssh-agent, it might be nice to provide a means to specify a
> >>default whitelist at build-time.
> >>
> >>It's tempting to suggest that configure should automatically supply a
> >>reasonable value for the whitelist based on the platform, but supporting
> >>an option to configure would seem to be the simpler and safer solution.
> >>
> >>% ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"
> >Sounds eminently reasonable. Maybe we could make the portable default
> >"/usr/lib*/*,/usr/local/lib*/*" too?
> Please do,
> these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are
> under /usr/lib64/pkcs11/ on x86_64. Not sure, where else they can be
> on other systems, but your wildcard matches all of them.
> 
> Regards,
> 

Damien's proposed change would address the issue that I encountered.

While Jakub is correct that the various libraries exist under
/usr/lib64/pkcs11 on RHEL, adding /usr/lib64/pkcs11/* to the whitelist
did not work for me. That was because opensc-pkcs11.so is actually under
/usr/lib64 and is a symlink in /usr/lib64/pkcs11.

-- 
Iain Morgan
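An added illustration (not code from this thread or from OpenSSH) of why the narrower pattern fails: ssh-agent canonicalises the provider path with realpath(3) before comparing it against the comma-separated whitelist, so a symlink under /usr/lib64/pkcs11 is checked as its target under /usr/lib64. The RHEL-style layout is constructed in a temporary directory, and `*` is treated as matching across `/`, as OpenSSH's match_pattern() does.

```python
import fnmatch
import os
import tempfile


def whitelist_allows(provider: str, whitelist: str) -> bool:
    """Mirror ssh-agent's check: resolve symlinks with realpath, then
    accept the module only if some comma-separated pattern matches the
    canonical path. fnmatchcase lets '*' span '/', like match_pattern()."""
    canonical = os.path.realpath(provider)
    return any(fnmatch.fnmatchcase(canonical, pat)
               for pat in whitelist.split(",") if pat)


def build_layout(root: str):
    """Constructed layout mimicking RHEL 6 x86_64: the real module sits in
    usr/lib64 and usr/lib64/pkcs11 holds only a symlink pointing at it."""
    lib64 = os.path.join(root, "usr", "lib64")
    os.makedirs(os.path.join(lib64, "pkcs11"))
    real = os.path.join(lib64, "opensc-pkcs11.so")
    open(real, "w").close()
    link = os.path.join(lib64, "pkcs11", "opensc-pkcs11.so")
    os.symlink(real, link)
    return real, link


def demo() -> dict:
    """Compare the narrow pkcs11/ pattern with the broader lib*/ pattern
    proposed in the thread, for both the symlink and the real file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # tmp dir itself may be a symlink
        real, link = build_layout(root)
        narrow = root + "/usr/lib64/pkcs11/*"
        broad = root + "/usr/lib*/*," + root + "/usr/local/lib*/*"
        return {
            # symlink resolves to usr/lib64/opensc-pkcs11.so: no match
            "narrow_via_symlink": whitelist_allows(link, narrow),
            # the broad pattern covers the resolved path
            "broad_via_symlink": whitelist_allows(link, broad),
            "broad_direct": whitelist_allows(real, broad),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'refused'}")
```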