oss-sec mailing list archives

Re: Announce: OpenSSH 9.3p2 released


From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Fri, 21 Jul 2023 11:04:49 +1000



On 7/20/23 23:41, Sevan Janiyan wrote:
> On 20/07/2023 14:24, Demi Marie Obenour wrote:
>> Should there be a system-wide configuration file containing a list of known-good PKCS#11 libraries? ssh-agent having to guess if something is a PKCS#11 library is less than awesome.
>
> There's a compile-time setting for the paths from which you are able to load libraries.

I don’t think this helps much though, right? The Qualys research that motivated this found an exploit chain using only libs present in /usr/lib in a default Ubuntu install. If you want to lock down loading to a specific non-/usr/lib path that you have control over, this suggests you know and are in control of the PKCS#11 providers you’re going to support. In which case, why not avoid dynamic loading to begin with? I guess the allowlist and new defaults are the answer to this conundrum though.
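
To make the allowlist point above concrete, here is an added example, not code from this thread or from OpenSSH itself, that reproduces in plain sh the pattern-list check ssh-agent applies to a PKCS#11 provider path before loading it (the list set at build time or with `ssh-agent -P`): comma-separated shell-style globs, with a leading `!` negating a pattern, and `*` matching `/` as it does in OpenSSH. The default pattern list used below is the one documented in ssh-agent(1); the provider paths are constructed for illustration and the `provider_allowed` / `report` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): an approximation in
# plain sh of the pattern-list check ssh-agent applies to a PKCS#11 provider
# path before loading it. Patterns are comma-separated shell-style globs;
# a leading '!' negates a pattern. As in OpenSSH, '*' also matches '/'.

# provider_allowed PATH PATTERN_LIST
# Exit status 0 if PATH matches a positive pattern and no negated one,
# 1 otherwise. Runs in a subshell so IFS and 'set -f' stay local.
provider_allowed() (
    path=$1
    set -f          # the patterns must not be expanded against the filesystem
    IFS=,
    allowed=1
    for pat in $2; do
        case $pat in
        '!'*)
            neg=${pat#!}
            # a match on a negated pattern denies immediately
            case $path in $neg) return 1 ;; esac
            ;;
        *)
            case $path in $pat) allowed=0 ;; esac
            ;;
        esac
    done
    return $allowed
)

# Documented default for ssh-agent -P (see ssh-agent(1)).
DEFAULT_LIST='/usr/lib*/*,/usr/local/lib*/*'
# A list naming a single provider (constructed path, for illustration).
STRICT_LIST='/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'

# Print one decision. The provider paths passed below are constructed.
report() {
    if provider_allowed "$1" "$2"; then
        printf 'ALLOW %s\n' "$1"
    else
        printf 'DENY  %s\n' "$1"
    fi
}

echo "default list: $DEFAULT_LIST"
report /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so "$DEFAULT_LIST"
report /usr/lib/x86_64-linux-gnu/libc.so.6        "$DEFAULT_LIST"   # any file under /usr/lib passes
echo "strict list: $STRICT_LIST"
report /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so "$STRICT_LIST"
report /usr/lib/x86_64-linux-gnu/libc.so.6        "$STRICT_LIST"
echo "empty list (ssh-agent -P ''):"
report /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so ''
```

Run it with `sh`. The default list admits every shared object under `/usr/lib`, which is exactly the situation described above where the "allowed" directory already holds the libraries an attacker needs; a list naming only the provider you actually use, or an empty list, admits nothing else, but choosing it presumes you already know which providers you support.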

