On Tue, 2014-12-09 at 14:18 +, Martinsson Patrik wrote:
>
> > It's cute that GNOME keyring can provide PKCS#11 functionality and you
> > can store certificates and keys in there. But you aren't *using* that
> > functionality. So just unregister the module entirely by deleting its
> > file from
On Tue, 2014-12-09 at 14:18 +, Martinsson Patrik wrote:
> On Tue, 2014-12-09 at 13:54 +, David Woodhouse wrote:
> > On Tue, 2014-12-09 at 13:15 +, Martinsson Patrik wrote:
> > > So, If I don't have opensc-module, one way or another in
> > > (sql):/etc/pki/nssdb I will lose all function
On Tue, 2014-12-09 at 13:54 +, David Woodhouse wrote:
> On Tue, 2014-12-09 at 13:15 +, Martinsson Patrik wrote:
> > So, If I don't have opensc-module, one way or another in
> > (sql):/etc/pki/nssdb I will lose all functionality that gsd brings me,
> > for example "lock screen at card remov
On Tue, 2014-12-09 at 13:15 +, Martinsson Patrik wrote:
> So, If I don't have opensc-module, one way or another in
> (sql):/etc/pki/nssdb I will lose all functionality that gsd brings me,
> for example "lock screen at card removal".
Not sql:/etc/pki/nssdb; this is another one that uses
On Mon, 2014-12-08 at 16:59 +, David Woodhouse wrote:
> On Mon, 2014-12-08 at 16:44 +, Martinsson Patrik wrote:
> > Well, not really, it turns out that the gnome-settings-daemon loads the
> > opensc-module directly from /etc/pki/nssdb. So if I don't import the
> > opensc-module in there, gno
On Mon, 2014-12-08 at 13:56 -0800, Robert Relyea wrote:
> On 12/08/2014 08:59 AM, David Woodhouse wrote:
> > I still maintain that the path to sanity involves killing
> > /etc/pki/nssdb entirely, and then you can look at applying *correct*
> > fixes to whatever's still not behaving correctly.
>
On Mon, 2014-12-08 at 13:53 -0800, Robert Relyea wrote:
> Nothing in the above paragraph is true.
>
> opening
> 1)sql:/etc/pki/nssdb is *STILL* the recommended action for applications
> (whether or not nssysinit is installed), and
"Recommended" in the sense of "do as I say, not as I do", of cou
On 12/08/2014 08:59 AM, David Woodhouse wrote:
I still maintain that the path to sanity involves killing
/etc/pki/nssdb entirely, and then you can look at applying *correct*
fixes to whatever's still not behaving correctly.
The whole point of /etc/pki/nssdb is so you have one place to install
On 12/08/2014 05:05 AM, David Woodhouse wrote:
On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
So, to summarize,
$> sudo update-alternatives --install /usr/lib64/libnssckbi.so
libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
$> cat /etc/pki/nssdb/pkcs11.txt
library=/usr/lib64/p
On Mon, 2014-12-08 at 16:44 +, Martinsson Patrik wrote:
> Well, not really, it turns out that the gnome-settings-daemon loads the
> opensc-module directly from /etc/pki/nssdb. So if I don't import the
> opensc-module in there, gnome-settings-daemon won't recognize
> inserts/removals. I chose to
On Mon, 2014-12-08 at 13:05 +, David Woodhouse wrote:
> On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
> > So, to summarize,
> > $> sudo update-alternatives --install /usr/lib64/libnssckbi.so
> > libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
> >
> > $> cat /etc/pki/nssd
On Mon, 2014-12-08 at 13:05 +, David Woodhouse wrote:
> If you fix the unlock-at-login issue then you shouldn't have to disable
> this in any application for which there isn't already a "Does not
> support Protected Authentication Path" bug filed. I.e. evolution.
I just fixed Evolution, FWIW:
On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
> So, to summarize,
> $> sudo update-alternatives --install /usr/lib64/libnssckbi.so
> libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
>
> $> cat /etc/pki/nssdb/pkcs11.txt
> library=/usr/lib64/p11-kit-proxy.so
> name=p11-kit-proxy
On Thu, 2014-12-04 at 22:25 +, Martinsson Patrik wrote:
>
> Maybe I should have been clearer from the beginning, it was actually
> just pam_pkcs11 that didn't automatically pick up my CA, sorry if it
> got confusing.
OK, and I suppose that makes sense. Because pam_pkcs11 doesn't *want* to
b
On 12/04/2014 02:00 PM, David Woodhouse wrote:
On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
That one. libnssckbi.so is what provides the default trust roots. It's
*always* supposed to be loaded in an NSS system. You shouldn't need to
add it manually. I don't.
Huh? that is not true. l
cmod.db.
Maybe I should have been clearer from the beginning, it was actually just
pam_pkcs11 that didn't automatically pick up my CA, sorry if it got confusing.
/Patrik
Sent from Nine<http://www.9folders.com/>
From: David Woodhouse
Sent: Dec 4, 2014 11:02 PM
To: Robert Relyea
Cc:
On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
>
> > That one. libnssckbi.so is what provides the default trust roots. It's
> > *always* supposed to be loaded in an NSS system. You shouldn't need to
> > add it manually. I don't.
> Huh? that is not true. libnssckbi.so is loaded by nssysini
On 12/04/2014 03:31 AM, David Woodhouse wrote:
You say that this shouldn't be necessary (and probably a bug), just to
clarify things for me, do you mean that,
1 ) "adding the libnssckbi.so to shouldn't be necessary since it should
already be there from the beginning, and that the bug is that
On Thu, 2014-12-04 at 11:31 +, David Woodhouse wrote:
>
> That one. libnssckbi.so is what provides the default trust roots. It's
> *always* supposed to be loaded in an NSS system. You shouldn't need to
> add it manually. I don't.
... except in the specific case where I was testing pam_pkcs11.
On Thu, 2014-12-04 at 11:07 +, Martinsson Patrik wrote:
> On a standard RHEL 7 installation, the pkcs11.txt under /etc/pki/nssdb
> *only* contains,
>
> library=libnsssysinit.so
> ...
> And this is a good thing as it will dynamically load the users
> ~/.pki/nssdb in read-write mode on top of
Hi again David (and everyone else),
Thanks again for all the explanations, it certainly (again) makes stuff
clearer and I now seem to have a reasonable idea about what's going on
and how to handle our situation.
On a standard RHEL 7 installation, the pkcs11.txt under /etc/pki/nssdb
*only* conta
On Tue, 2014-12-02 at 20:30 +, David Woodhouse wrote:
> On Tue, 2014-12-02 at 19:59 +, David Woodhouse wrote:
> >
> > That doesn't happen here on F21, FWIW.
> >
> > Firefox only asks me to log into my p11-kit-provided hardware tokens
> > when I go to a web site which wants a certificate,
On Tue, 2014-12-02 at 19:59 +, David Woodhouse wrote:
>
> That doesn't happen here on F21, FWIW.
>
> Firefox only asks me to log into my p11-kit-provided hardware tokens
> when I go to a web site which wants a certificate, which is fair
> enough.
>
> And I haven't actually got Evolution to s
On Tue, 2014-12-02 at 18:24 +, Martinsson Patrik wrote:
>
> I quickly tried to import libp11-proxy.so in the users nssdb (and
> in .mozillas) and it worked as expected. However, since all my
> "keyrings" (?) now are in the slots, evolution (and chrome/ff etc) now
> asks me for passwords to
On Tue, 2014-12-02 at 18:24 +, Martinsson Patrik wrote:
> So here's a round of new questions,
>
> - There are different ways of loading pkcs11-modules into an application
> where nss is one and p11-kit is another. And where p11-kit is a library
> that an application can link to, and where ns
Hi again,
Thanks for all the info guys, it certainly answered some of my questions
(and I've also figured out some stuff while digging on my own).
With that being said, this still seems like a *huge* jungle for a
sysadmin, and while the introduction of p11-kit seems promising I'm
still somewhat
On Tue, 2014-12-02 at 12:00 -0500, Miloslav Trmač wrote:
> > Great. So that should solve Patrik's CA issues without needing to do
> > anything special. All that remains is to get the smartcards working by
> > loading p11-kit-proxy.so (or preferably the individual modules) too.
> >
> > Is that some
Hello,
- Original Message -
> On Tue, 2014-12-02 at 11:16 -0500, Miloslav Trmač wrote:
> > Hello,
> > > It has largely been superseded by p11-kit-trust, which in the NSS case
> > > provides a replacement for libnssckbi.so and gives us consistency across
> > > the entire system regardless of
On Tue, 2014-12-02 at 11:16 -0500, Miloslav Trmač wrote:
> Hello,
> > It has largely been superseded by p11-kit-trust, which in the NSS case
> > provides a replacement for libnssckbi.so and gives us consistency across
> > the entire system regardless of the crypto libraries in use. (This
> > wasn't
Hello,
> It has largely been superseded by p11-kit-trust, which in the NSS case
> provides a replacement for libnssckbi.so and gives us consistency across
> the entire system regardless of the crypto libraries in use. (This
> wasn't in RHEL6; it came in with Fedora 19 so hopefully it's in RHEL7).
On Mon, 2014-12-01 at 17:22 -0800, Robert Relyea wrote:
>
> This is still the issue with nsssysinit. It currently only works if the
> application opens sql:/etc/pki/nssdb. Currently firefox doesn't even
> use the sql database.
Which has always been a bit of a facepalm realisation: "Hey... we
To level set everyone, here, Martinsson is clearly running on RHEL, so
most of his questions and my answers here are RHEL specific.
On 11/19/2014 12:17 PM, Martinsson Patrik wrote:
Hi everyone,
I need some help understanding the usage of the libnsssysinit-library
(or a recommended method in h