On 12/21/2017 06:40 PM, Tony Finch wrote:
> PostgreSQL version: 10.1
> OS: Debian Stretch 9.3
>
> I would like to be able to pass my SSL private key to psql via a pipe.
> This is so that I can use the gpg agent to decrypt my key without retyping
> my passphrase each time. (There isn't an agent for OpenSSL's own key
> decryption routines.) For example,
>
> $ psql 'host=db1 port=5432 sslmode=verify-full user=postgres \
> sslcert=postgres.crt sslkey='<(gpg -d postgres.pem.asc)
Hm, this does sound like a useful feature. Not sure if it counts as a
bug though, so the hackers list is probably more suited for this patch.
> I think it would be better to remove the check - with the patch below I
> can log in using the command quoted above.
>
> Alternatively you could only exclude S_ISDIR() and S_ISBLK() - the other
> cases allow getting keys from interesting placesq.
I do not know why this check was added in the first place so I am not
entirely sure what the right behavior should be. Maybe it would be
enough with an S_ISDIR() check.
Andreas