Re: Announce: OpenSSH 9.3p2 released

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Fri, Jul 21, 2023 at 11:04:49AM +1000, Matthew Fernandez wrote:
> On 7/20/23 23:41, Sevan Janiyan wrote:
> > On 20/07/2023 14:24, Demi Marie Obenour wrote:
> > > Should there be a system-wide configuration file containing a list
> > > of known-good PKCS#11 libraries? ssh-agent having to guess if
> > > something is a PKCS#11 library is less than awesome.
> >
> > There's a compile time setting for paths from which you are able to load
> > libraries from.
>
> I don’t think this helps much though, right? The Qualys research that
> motivated this found an exploit chain using only libs present in /usr/lib in
> a default Ubuntu install. If you want to lock down loading to a specific
> non-/usr/lib path that you have control over, this suggests you know and are
> in control of the PKCS#11 providers you’re going to support. In which case,
> why not avoid dynamic loading to begin with? I guess the allowlist and new
> defaults are the answer to this conundrum though.

IMO the root cause of this problem is that PKCS#11 libraries are installed
in /usr/lib, rather than in /usr/lib/pkcs11 or another subdirectory.
There should be an automated way to check if a library is a PKCS#11
library without having to load it.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: