On 12/30/2016 02:40 AM, Damien Miller wrote:
On Wed, 28 Dec 2016, Iain Morgan wrote:
Hello,
On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
very useful. On such systems, /usr/lib64/* would need to be added to the
pattern list. Although users can specify the -P option every time they
launch ssh-agent, it might be nice to provide a means to specify a
default whitelist at build-time.
It's tempting to suggest that configure should automatically supply a
reasonable value for the whitelist based on the platform, but supporting
an option to configure would seem to be the simpler and safer solution.
% ./configure --with-default-pkcs11-whitelist="/usr/lib64/*'
Sounds eminently reasonable. Maybe we could make the portable default
"/usr/lib*/*,/usr/local/lib*/*" too?
Please do,
these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are
under /usr/lib64/pkcs11/ on x86_64. Not sure, where else they can be on
other systems, but your wildcard matches all of them.
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev