Re: Relaxing SSL key permission checks

Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> I completely disagree that those file-permissions checks are useless.

> If that's something you're concerned with then the right answer is to
> monitor the file permissions- and there are tools which do exactly that.
> I disagree that it's PG's charter to do that and, frankly, you *won't*
> be told, in most cases, promptly about such a change.

I will just quote this bit from "man ssh":
    ~/.ssh/identity    ~/.ssh/id_dsa    ~/.ssh/id_ecdsa    ~/.ssh/id_rsa            Contains the private key for
authentication. These files contain            sensitive data and should be readable by the user but not acces-
  sible by others (read/write/execute).  ssh will simply ignore a            private key file if it is accessible by
others.

Now, I have heard it argued that the OpenSSH/L authors are a bunch of
idiots who know nothing about security.  But it's not like insisting
on restrictive permissions on key files is something we invented out
of the blue.  It's pretty standard practice, AFAICT.
        regards, tom lane