NetworkManager & PKCS#11 remoting
dwmw2 at infradead.org
Tue Jun 21 10:22:24 UTC 2016
On Tue, 2016-06-21 at 11:59 +0200, Nikos Mavrogiannopoulos wrote:
> What if there is a pkcs11 module called p11-kit-remote.so which all it
> does it use the open fds (e.g., taken from env) if available and
> operate as the proxied module.
That's basically built in to p11-kit right now. It's not a separate
PKCS#11 module but I suppose it *could* be.
Or p11-kit-proxy, loading an appropriate p11-kit config, would basically
have the same effect using the built-in code.
> In that case the process which receives the fds could override the
> global p11-kit config and set p11-kit-remote as the only supported
> module (that may not be currently possible). If that was possible
> wouldn't that work with either p11-kit-proxy or p11-kit direct
Perhaps a global function to "set the p11-kit config for this process",
called before any other p11-kit functions are invoked to load modules,
might work. Or maybe it could be an environment variable. Using it to
set a config that happens to contain only a single 'remote' module
would just be *one* of the ways it could be used.
Note that you probably do want the trust modules to still be available,
And we haven't explicitly talked about the case where client certs are
actually installed as *root* (since that's the only way it worked
before). Our corporate wifi/802.1x auth requires certs which we install
in /etc/pki and point NM at them there. And once we finally fix up
automatic renewal, they'll be renewed using the AD *machine* account
credentials; the user will never see them at all.
Admittedly those are in a file right now and not PKCS#11, but let's
bear in mind that we do also need to support the non-proxied case.
(Or maybe that just becomes 'proxied to something running as root')?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5760 bytes
Desc: not available
More information about the p11-glue