On 12/30/2016 02:40 AM, Damien Miller wrote:
> On Wed, 28 Dec 2016, Iain Morgan wrote:
>
>> Hello,
>>
>> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
>> very useful. On such systems, /usr/lib64/* would need to be added to the
>> pattern list. Although users can specify the -P option every time they
>> launch ssh-agent, it might be nice to provide a means to specify a
>> default whitelist at build-time.
>>
>> It's tempting to suggest that configure should automatically supply a
>> reasonable value for the whitelist based on the platform, but supporting
>> an option to configure would seem to be the simpler and safer solution.
>>
>> % ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"
> Sounds eminently reasonable. Maybe we could make the portable default
> "/usr/lib*/*,/usr/local/lib*/*" too?

Please do, these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are
under /usr/lib64/pkcs11/ on x86_64. Not sure where else they can be on other
systems, but your wildcard matches all of them.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
On Tue, Jan 03, 2017 at 10:39:20 +0100, Jakub Jelen wrote:
> On 12/30/2016 02:40 AM, Damien Miller wrote:
> >On Wed, 28 Dec 2016, Iain Morgan wrote:
> >
> >>Hello,
> >>
> >>On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
> >>very useful. On such systems, /usr/lib64/* would need to be added to the
> >>pattern list. Although users can specify the -P option every time they
> >>launch ssh-agent, it might be nice to provide a means to specify a
> >>default whitelist at build-time.
> >>
> >>It's tempting to suggest that configure should automatically supply a
> >>reasonable value for the whitelist based on the platform, but supporting
> >>an option to configure would seem to be the simpler and safer solution.
> >>
> >>% ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"
> >Sounds eminently reasonable. Maybe we could make the portable default
> >"/usr/lib*/*,/usr/local/lib*/*" too?
> Please do,
> these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are
> under /usr/lib64/pkcs11/ on x86_64. Not sure where else they can be
> on other systems, but your wildcard matches all of them.
>
> Regards,
>

Damien's proposed change would address the issue that I encountered.

While Jakub is correct that the various libraries exist under
/usr/lib64/pkcs11 on RHEL, adding /usr/lib64/pkcs11/* to the whitelist
did not work for me. That was because opensc-pkcs11.so is actually under
/usr/lib64 and is a symlink in /usr/lib64/pkcs11.

--
Iain Morgan
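The failure Iain describes (a whitelist of /usr/lib64/pkcs11/* not matching a library that only lives there as a symlink) is easiest to see by modelling the check itself. The script below is an added example, not code from the thread or from OpenSSH: it approximates OpenSSH's comma-separated pattern-list semantics (a leading "!" negates a pattern) with Python's fnmatch, resolves symlinks before matching, which is the ordering Iain's report implies, and builds a constructed RHEL-like layout in a temporary directory (a real opensc-pkcs11.so under lib64/ and a symlink to it under lib64/pkcs11/). The names match_pattern_list, check_provider and build_demo_layout are this example's own.

```python
"""Model of an ssh-agent style PKCS#11 provider whitelist check (added example)."""
import fnmatch
import os
import tempfile

# Portable default proposed by Damien in the thread.
PROPOSED_DEFAULT = "/usr/lib*/*,/usr/local/lib*/*"


def match_pattern_list(string, pattern_list):
    """Approximation of OpenSSH's pattern-list matching (assumption, not its code).

    Patterns are comma-separated globs; a leading '!' negates a pattern.
    Returns 1 if a positive pattern matched and no negated one did,
    -1 if a negated pattern matched, 0 if nothing matched.
    """
    got_positive = 0
    for pat in pattern_list.split(","):
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        # fnmatchcase lets '*' span '/', so "/usr/lib*/*" also covers
        # "/usr/lib64/pkcs11/foo.so"; case is compared exactly.
        if fnmatch.fnmatchcase(string, pat):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def check_provider(provider, whitelist):
    """Canonicalise the provider path first, then match the whitelist.

    Resolving the symlink before matching is what makes a whitelist that names
    only the symlink directory fail (assumption drawn from Iain's observation).
    Returns (canonical_path, verdict) with verdict as in match_pattern_list().
    """
    canonical = os.path.realpath(provider)
    return canonical, match_pattern_list(canonical, whitelist)


def build_demo_layout():
    """Constructed layout: real library in lib64/, symlink in lib64/pkcs11/."""
    # realpath() so the later pattern and the resolved library agree even when
    # the temp directory itself sits behind a symlink (e.g. /var on macOS).
    root = os.path.realpath(tempfile.mkdtemp(prefix="pkcs11-demo-"))
    lib64 = os.path.join(root, "lib64")
    os.makedirs(os.path.join(lib64, "pkcs11"))
    real_lib = os.path.join(lib64, "opensc-pkcs11.so")
    with open(real_lib, "wb") as fh:
        fh.write(b"")  # placeholder file, not a real shared object
    link = os.path.join(lib64, "pkcs11", "opensc-pkcs11.so")
    os.symlink(real_lib, link)
    return root, link


if __name__ == "__main__":
    root, link = build_demo_layout()
    for wl in (root + "/lib64/pkcs11/*", root + "/lib64/*"):
        canonical, verdict = check_provider(link, wl)
        state = "accept" if verdict == 1 else "refuse"
        print(f"whitelist {wl}: {link} -> {canonical}: {state}")
```

Run it and the first whitelist refuses the provider because the canonical path is under lib64/, not lib64/pkcs11/, while the second accepts it; the same reasoning is why the broader "/usr/lib*/*,/usr/local/lib*/*" default matches the RHEL layout regardless of which of the two paths a user hands to ssh-agent -s / -P.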
On Tue, 3 Jan 2017, Iain Morgan wrote:
> Damien's proposed change would address the issue that I encountered.
>
> While Jakub is correct that the various libraries exist under
> /usr/lib64/pkcs11 on RHEL, adding /usr/lib64/pkcs11/* to the whitelist
> did not work for me. That was because opensc-pkcs11.so is actually under
> /usr/lib64 and is a symlink in /usr/lib64/pkcs11.

I've committed the fix to relax the whitelist - thanks.