On Tue, 2014-12-09 at 14:18 +, Martinsson Patrik wrote:
It's cute that GNOME keyring can provide PKCS#11 functionality and you
can store certificates and keys in there. But you aren't *using* that
functionality. So just unregister the module entirely by deleting its
file from
On Mon, 2014-12-08 at 13:53 -0800, Robert Relyea wrote:
Nothing in the above paragraph is true.
opening
1)sql:/etc/pki/nssdb is *STILL* the recommended action for applications
(whether or not nssysinit is installed), and
Recommended in the sense of do as I say, not as I do, of course :)
On Mon, 2014-12-08 at 13:56 -0800, Robert Relyea wrote:
On 12/08/2014 08:59 AM, David Woodhouse wrote:
I still maintain that the path to sanity involves killing
/etc/pki/nssdb entirely, and then you can look at applying *correct*
fixes to whatever's still not behaving correctly.
The
On Mon, 2014-12-08 at 16:59 +, David Woodhouse wrote:
On Mon, 2014-12-08 at 16:44 +, Martinsson Patrik wrote:
Well, not really, it turns out that the gnome-settings-daemon loads the
opensc-module directly from /etc/pki/nssdb. So if I don't import the
opensc-module in there,
On Tue, 2014-12-09 at 13:15 +, Martinsson Patrik wrote:
So, If I don't have opensc-module, one way or another in
(sql):/etc/pki/nssdb I will lose all functionality that gsd brings me,
for example lock screen at card removal.
Not sql:/etc/pki/nssdb; this is another one that uses the
On Tue, 2014-12-09 at 13:54 +, David Woodhouse wrote:
On Tue, 2014-12-09 at 13:15 +, Martinsson Patrik wrote:
So, If I don't have opensc-module, one way or another in
(sql):/etc/pki/nssdb I will lose all functionality that gsd brings me,
for example lock screen at card removal.
On Tue, 2014-12-09 at 14:18 +, Martinsson Patrik wrote:
On Tue, 2014-12-09 at 13:54 +, David Woodhouse wrote:
On Tue, 2014-12-09 at 13:15 +, Martinsson Patrik wrote:
So, If I don't have opensc-module, one way or another in
(sql):/etc/pki/nssdb I will lose all functionality
On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
So, to summarize,
$ sudo update-alternatives --install /usr/lib64/libnssckbi.so
libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
$ cat /etc/pki/nssdb/pkcs11.txt
library=/usr/lib64/p11-kit-proxy.so
name=p11-kit-proxy
On Mon, 2014-12-08 at 13:05 +, David Woodhouse wrote:
If you fix the unlock-at-login issue then you shouldn't have to disable
this in any application for which there isn't already a Does not
support Protected Authentication Path bug filed. I.e. evolution.
I just fixed Evolution, FWIW:
On Mon, 2014-12-08 at 13:05 +, David Woodhouse wrote:
On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
So, to summarize,
$ sudo update-alternatives --install /usr/lib64/libnssckbi.so
libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
$ cat /etc/pki/nssdb/pkcs11.txt
On 12/08/2014 05:05 AM, David Woodhouse wrote:
On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
So, to summarize,
$ sudo update-alternatives --install /usr/lib64/libnssckbi.so
libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
$ cat /etc/pki/nssdb/pkcs11.txt
On 12/08/2014 08:59 AM, David Woodhouse wrote:
I still maintain that the path to sanity involves killing
/etc/pki/nssdb entirely, and then you can look at applying *correct*
fixes to whatever's still not behaving correctly.
The whole point of /etc/pki/nssdb is so you have one place to install
Hi again David (and everyone else),
Thanks again for all the explanations, it certainly (again) makes stuff
clearer and I now seem to have a reasonable idea about what's going on
and how to handle our situation.
On a standard RHEL 7 installation, the pkcs11.txt under /etc/pki/nssdb
*only*
On Thu, 2014-12-04 at 11:31 +, David Woodhouse wrote:
That one. libnssckbi.so is what provides the default trust roots. It's
*always* supposed to be loaded in an NSS system. You shouldn't need to
add it manually. I don't.
... except in the specific case where I was testing pam_pkcs11.
On 12/04/2014 03:31 AM, David Woodhouse wrote:
You say that this shouldn't be necessary (and probably a bug), just to
clarify things for me, do you mean that,
1 ) adding the libnssckbi.so to shouldn't be necessary since it should
already be there from the beginning, and that the bug is that
On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
That one. libnssckbi.so is what provides the default trust roots. It's
*always* supposed to be loaded in an NSS system. You shouldn't need to
add it manually. I don't.
Huh? that is not true. libnssckbi.so is loaded by nssysinit, or
Subject: Re: libnsssysinit
On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
That one. libnssckbi.so is what provides the default trust roots. It's
*always* supposed to be loaded in an NSS system. You shouldn't need to
add it manually. I don't.
Huh? that is not true. libnssckbi.so
On 12/04/2014 02:00 PM, David Woodhouse wrote:
On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
That one. libnssckbi.so is what provides the default trust roots. It's
*always* supposed to be loaded in an NSS system. You shouldn't need to
add it manually. I don't.
Huh? that is not true.
On Tue, 2014-12-02 at 20:30 +, David Woodhouse wrote:
On Tue, 2014-12-02 at 19:59 +, David Woodhouse wrote:
That doesn't happen here on F21, FWIW.
Firefox only asks me to log into my p11-kit-provided hardware tokens
when I go to a web site which wants a certificate, which is
On Mon, 2014-12-01 at 17:22 -0800, Robert Relyea wrote:
This is still the issue with nsssysinit. It currently only works if the
application opens sql:/etc/pki/nssdb. Currently firefox doesn't even
use the sql database.
Which has always been a bit of a facepalm realisation: Hey... we
Hello,
It has largely been superseded by p11-kit-trust, which in the NSS case
provides a replacement for libnssckbi.so and gives us consistency across
the entire system regardless of the crypto libraries in use. (This
wasn't in RHEL6; it came in with Fedora 19 so hopefully it's in RHEL7).
On Tue, 2014-12-02 at 11:16 -0500, Miloslav Trmač wrote:
Hello,
It has largely been superseded by p11-kit-trust, which in the NSS case
provides a replacement for libnssckbi.so and gives us consistency across
the entire system regardless of the crypto libraries in use. (This
wasn't in
Hello,
- Original Message -
On Tue, 2014-12-02 at 11:16 -0500, Miloslav Trmač wrote:
Hello,
It has largely been superseded by p11-kit-trust, which in the NSS case
provides a replacement for libnssckbi.so and gives us consistency across
the entire system regardless of the crypto
On Tue, 2014-12-02 at 12:00 -0500, Miloslav Trmač wrote:
Great. So that should solve Patrik's CA issues without needing to do
anything special. All that remains is to get the smartcards working by
loading p11-kit-proxy.so (or preferably the individual modules) too.
Is that something we
Hi again,
Thanks for all the info guys, it certainly answered some of my questions
(and I've also figured out some stuff while digging on my own).
With that being said, this still seems like a *huge* jungle for a
sysadmin, and while the introduction of p11-kit seems promising I'm
still somewhat
On Tue, 2014-12-02 at 18:24 +, Martinsson Patrik wrote:
So here's a round of new questions,
- There are different ways of loading pkcs11-modules into an application
where nss is one and p11-kit is another. And where p11-kit is a library
that an application can link to, and where nss is
On Tue, 2014-12-02 at 18:24 +, Martinsson Patrik wrote:
I quickly tried to import libp11-proxy.so in the user's nssdb (and
in .mozillas) and it worked as expected. However, since all my
keyrings (?) now are in the slots, evolution (and chrome/ff etc) now
asks me for passwords to all my
On Tue, 2014-12-02 at 19:59 +, David Woodhouse wrote:
That doesn't happen here on F21, FWIW.
Firefox only asks me to log into my p11-kit-provided hardware tokens
when I go to a web site which wants a certificate, which is fair
enough.
And I haven't actually got Evolution to show me
Hi everyone,
I need some help understanding the usage of the libnsssysinit-library
(or a recommended method in handling the scenario described below).
First I'll write shortly about our scenario,
- We manage around 150 Red Hat Clients (atm v6.6 but in the process of
updating to 7.0)
- We use