Hello,

On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not very useful. On such systems, /usr/lib64/* would need to be added to the pattern list. Although users can specify the -P option every time they launch ssh-agent, it might be nice to provide a means to specify a default whitelist at build-time.

It's tempting to suggest that configure should automatically supply a reasonable value for the whitelist based on the platform, but supporting an option to configure would seem to be the simpler and safer solution.

% ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"

Any thoughts?

--
Iain Morgan
On Wed, 28 Dec 2016, Iain Morgan wrote:

> Hello,
>
> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
> very useful. On such systems, /usr/lib64/* would need to be added to the
> pattern list. Although users can specify the -P option every time they
> launch ssh-agent, it might be nice to provide a means to specify a
> default whitelist at build-time.
>
> It's tempting to suggest that configure should automatically supply a
> reasonable value for the whitelist based on the platform, but supporting
> an option to configure would seem to be the simpler and safer solution.
>
> % ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"

Sounds eminently reasonable. Maybe we could make the portable default "/usr/lib*/*,/usr/local/lib*/*" too?

-d
On 12/30/2016 02:40 AM, Damien Miller wrote:

> On Wed, 28 Dec 2016, Iain Morgan wrote:
>
>> Hello,
>>
>> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
>> very useful. On such systems, /usr/lib64/* would need to be added to the
>> pattern list. Although users can specify the -P option every time they
>> launch ssh-agent, it might be nice to provide a means to specify a
>> default whitelist at build-time.
>>
>> It's tempting to suggest that configure should automatically supply a
>> reasonable value for the whitelist based on the platform, but supporting
>> an option to configure would seem to be the simpler and safer solution.
>>
>> % ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"
>
> Sounds eminently reasonable. Maybe we could make the portable default
> "/usr/lib*/*,/usr/local/lib*/*" too?

Please do, these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are under /usr/lib64/pkcs11/ on x86_64. Not sure where else they can be on other systems, but your wildcard matches all of them.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
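As an added illustration (not code from this thread or from OpenSSH itself), the C program below mimics the comma-separated glob pattern list that ssh-agent's -P whitelist uses, via fnmatch(3), and runs the stock default and Damien's proposed portable default against a few constructed provider paths, including the /usr/lib64/pkcs11/ location Jakub mentions. The stock default string is assumed from memory, and the '!' negation patterns of the real matcher are left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSH's matcher: split the whitelist on ','
 * and accept the path if any glob matches. As in OpenSSH, '*' may cross
 * '/' (no FNM_PATHNAME); '!' negation patterns are omitted here. */
int
whitelist_allows(const char *patterns, const char *path)
{
    char buf[1024];
    char *save = NULL, *pat;

    if (strlen(patterns) >= sizeof(buf))
        return 0;   /* over-long list: refuse rather than truncate */
    strcpy(buf, patterns);
    for (pat = strtok_r(buf, ",", &save); pat != NULL;
        pat = strtok_r(NULL, ",", &save)) {
        if (fnmatch(pat, path, 0) == 0)
            return 1;
    }
    return 0;
}

/* Stock portable default of the era, assumed here from memory. */
#define STOCK_WHITELIST "/usr/lib/*,/usr/local/lib/*"
/* Portable default proposed by Damien Miller in the thread. */
#define PROPOSED_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"

int
main(void)
{
    /* Constructed sample paths: RHEL/Fedora x86_64 location, a Debian-style
     * multiarch location, and a path outside both lists (must be refused). */
    const char *paths[] = {
        "/usr/lib64/pkcs11/opensc-pkcs11.so",
        "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so",
        "/home/user/private/custom-pkcs11.so",
    };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-45s stock=%d proposed=%d\n", paths[i],
            whitelist_allows(STOCK_WHITELIST, paths[i]),
            whitelist_allows(PROPOSED_WHITELIST, paths[i]));
    return 0;
}
```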