Re: DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems


 



On 12/30/2016 02:40 AM, Damien Miller wrote:
> On Wed, 28 Dec 2016, Iain Morgan wrote:
>
>> Hello,
>>
>> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
>> very useful. On such systems, /usr/lib64/* would need to be added to the
>> pattern list. Although users can specify the -P option every time they
>> launch ssh-agent, it might be nice to provide a means to specify a
>> default whitelist at build-time.
>>
>> It's tempting to suggest that configure should automatically supply a
>> reasonable value for the whitelist based on the platform, but supporting
>> an option to configure would seem to be the simpler and safer solution.
>>
>> % ./configure --with-default-pkcs11-whitelist="/usr/lib64/*"
>
> Sounds eminently reasonable. Maybe we could make the portable default
> "/usr/lib*/*,/usr/local/lib*/*" too?

Please do, these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are under /usr/lib64/pkcs11/ on x86_64. Not sure where else they can be on other systems, but your wildcard matches all of them.

Regards,

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
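
As an added illustration (not code from the thread or from OpenSSH): a simplified pattern-list check showing which provider paths the stock and the proposed default accept. The matcher is a stand-in written for this example, the stock value is assumed to be the one shipped with the release under discussion, and the sample path is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Stock default (assumed) and the portable default proposed in the thread. */
#define STOCK_WL    "/usr/lib/*,/usr/local/lib/*"
#define PROPOSED_WL "/usr/lib*/*,/usr/local/lib*/*"

/* Glob with '*' and '?' only. '*' also matches '/', which is why one
 * pattern covers nested directories such as /usr/lib64/pkcs11/. */
static int glob_match(const char *s, const char *p)
{
    for (; *p != '\0'; s++, p++) {
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;           /* trailing '*' takes the rest */
            for (; *s != '\0'; s++)
                if (glob_match(s, p))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
    }
    return *s == '\0';
}

/* 1 if the (already canonical) path matches any comma-separated pattern. */
int provider_allowed(const char *path, const char *list)
{
    char pat[256];
    while (*list != '\0') {
        size_t len = strcspn(list, ",");
        if (len < sizeof(pat)) {    /* over-long patterns are skipped */
            memcpy(pat, list, len);
            pat[len] = '\0';
            if (glob_match(path, pat))
                return 1;
        }
        list += len + (list[len] == ',');
    }
    return 0;
}

int main(void)
{
    const char *p = "/usr/lib64/pkcs11/opensc-pkcs11.so"; /* constructed */
    printf("stock=%d proposed=%d\n", provider_allowed(p, STOCK_WL),
           provider_allowed(p, PROPOSED_WL));
}
```

Because `*` is not stopped by `/` in this matcher, `/usr/lib*/*` also accepts paths under directories such as `/usr/libexec/`, so the proposed default is broader than just `lib` and `lib64`.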


