Lists: | pgsql-pkg-debian |
---|
From: | Seb <spluque(at)gmail(dot)com> |
---|---|
To: | pgsql-pkg-debian(at)postgresql(dot)org |
Subject: | no password on postgres user and pgagent |
Date: | 2016-05-09 22:07:57 |
Message-ID: | 87r3daopfm.fsf@otaria.sebmel.org |
Hello,
I'd like to run pgagent with the postgres user, which doesn't have a
password. I thought it'd be as simple as setting up an init script as:
[ -- Begin <pgagent_start.sh> ---------------------------------------------- ]
#! /bin/sh
pgagent user=postgres host=localhost dbname=postgres
[ -- End <pgagent_start.sh> ------------------------------------------------ ]
and then the following should work:
---<--------------------cut here---------------start------------------->---
$ sudo -u postgres sh pgagent_start.sh
sluque(at)otaria:~$ Mon May 9 16:23:00 2016 : WARNING: Couldn't create the primary connection (attempt 1): fe_sendauth: no password supplied
Mon May 9 16:23:05 2016 : WARNING: Couldn't create the primary connection (attempt 2): fe_sendauth: no password supplied
Mon May 9 16:23:10 2016 : WARNING: Couldn't create the primary connection (attempt 3): fe_sendauth: no password supplied
Mon May 9 16:23:15 2016 : WARNING: Couldn't create the primary connection (attempt 4): fe_sendauth: no password supplied
Mon May 9 16:23:20 2016 : WARNING: Couldn't create the primary connection (attempt 5): fe_sendauth: no password supplied
Mon May 9 16:23:25 2016 : WARNING: Couldn't create the primary connection (attempt 6): fe_sendauth: no password supplied
Mon May 9 16:23:30 2016 : WARNING: Couldn't create the primary connection (attempt 7): fe_sendauth: no password supplied
Mon May 9 16:23:35 2016 : WARNING: Couldn't create the primary connection (attempt 8): fe_sendauth: no password supplied
Mon May 9 16:23:40 2016 : WARNING: Couldn't create the primary connection (attempt 9): fe_sendauth: no password supplied
Mon May 9 16:23:45 2016 : WARNING: Couldn't create the primary connection (attempt 10): fe_sendauth: no password supplied
Mon May 9 16:23:45 2016 : ERROR: Stopping pgAgent: Couldn't establish the primary connection with the database server.
---<--------------------cut here---------------end--------------------->---
Does one *have* to supply a password for postgres?
Thanks,
--
Seb
From: | Christoph Berg <myon(at)debian(dot)org> |
---|---|
To: | Seb <spluque(at)gmail(dot)com> |
Cc: | pgsql-pkg-debian(at)postgresql(dot)org |
Subject: | Re: no password on postgres user and pgagent |
Date: | 2016-05-10 09:08:28 |
Message-ID: | 20160510090828.GA7473@msg.df7cb.de |
Re: Seb 2016-05-10 <87r3daopfm(dot)fsf(at)otaria(dot)sebmel(dot)org>
> Hello,
>
> I'd like to run pgagent with the postgres user, which doesn't have a
> password. I thought it'd be as simple as setting up an init script as:
>
> [ -- Begin <pgagent_start.sh> ---------------------------------------------- ]
> #! /bin/sh
>
> pgagent user=postgres host=localhost dbname=postgres
The default pg_hba.conf requires md5 passwords for "host=localhost"
connections. If you remove that connection parameter, a passwordless
UNIX socket connection will be used. (In which case pgagent must be
running as the "postgres" OS user.)
Christoph
From: | Sebastian P(dot) Luque <spluque(at)gmail(dot)com> |
---|---|
To: | pgsql-pkg-debian(at)postgresql(dot)org |
Subject: | Re: no password on postgres user and pgagent |
Date: | 2016-05-10 13:07:36 |
Message-ID: | 87d1ouvz6v.fsf@otaria.sebmel.org |
On Tue, 10 May 2016 11:08:28 +0200,
Christoph Berg <myon(at)debian(dot)org> wrote:
> Re: Seb 2016-05-10 <87r3daopfm(dot)fsf(at)otaria(dot)sebmel(dot)org>
>> Hello,
>> I'd like to run pgagent with the postgres user, which doesn't have a
>> password. I thought it'd be as simple as setting up an init script
>> as:
>> [ -- Begin <pgagent_start.sh>
>> ---------------------------------------------- ] #! /bin/sh
>> pgagent user=postgres host=localhost dbname=postgres
> The default pg_hba.conf requires md5 passwords for "host=localhost"
> connections.
It's actually set to "peer" in my case (v. 9.5):
[ -- <pg_hba.conf> lines 84 - 85 ------------------------------------------- ]
# Database administrative login by Unix domain socket
local all postgres peer
[ -- End of <pg_hba.conf> lines 84 - 85 ------------------------------------ ]
which is what I want; i.e. get user name from the operating system user
and check that it matches requested database user name. If I understand
right, this means that if I sudo or login as postgres, then that's what
PostgreSQL gets. If postgres has no password and I can login without
one, then the database server shouldn't ask for one. Why does pgagent
expect one?
Thanks,
--
Seb
From: | Christoph Berg <cb(at)df7cb(dot)de> |
---|---|
To: | "Sebastian P(dot) Luque" <spluque(at)gmail(dot)com> |
Cc: | pgsql-pkg-debian(at)postgresql(dot)org |
Subject: | Re: no password on postgres user and pgagent |
Date: | 2016-05-10 14:20:31 |
Message-ID: | 20160510142030.GD7473@msg.df7cb.de |
Re: Sebastian P. Luque 2016-05-10 <87d1ouvz6v(dot)fsf(at)otaria(dot)sebmel(dot)org>
> >> I'd like to run pgagent with the postgres user, which doesn't have a
> >> password. I thought it'd be as simple as setting up an init script
> >> as:
>
> >> [ -- Begin <pgagent_start.sh>
> >> ---------------------------------------------- ] #! /bin/sh
>
> >> pgagent user=postgres host=localhost dbname=postgres
>
> > The default pg_hba.conf requires md5 passwords for "host=localhost"
> > connections.
>
> It's actually set to "peer" in my case (v. 9.5):
>
> [ -- <pg_hba.conf> lines 84 - 85 ------------------------------------------- ]
> # Database administrative login by Unix domain socket
> local all postgres peer
> [ -- End of <pg_hba.conf> lines 84 - 85 ------------------------------------ ]
>
> which is what I want; i.e. get user name from the operating system user
> and check that it matches requested database user name. If I understand
> right, this means that if I sudo or login as postgres, then that's what
> PostgreSQL gets. If postgres has no password and I can login without
> one, then the database server shouldn't ask for one. Why does pgagent
> expect one?
Because you try "host=localhost" which doesn't match the line you are
citing. Look for host...md5.
Christoph
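The rule selection described in the reply above, as an added example that is not part of the original thread: a simplified model of how pg_hba.conf picks the first rule matching the connection type, which is why `host=localhost` lands on an md5 rule while a socket connection lands on `peer`. The sample file is constructed (the `local ... peer` line is the one quoted in the thread, the `host ... md5` loopback lines are assumed), and the matcher handles only CIDR addresses and plain or `all` names.

```python
import ipaddress

# Constructed sample: the "local ... peer" rule quoted in the thread plus
# assumed "host ... md5" loopback rules of the kind the reply points to.
SAMPLE_HBA = """\
# Database administrative login by Unix domain socket
local   all   postgres                  peer
local   all   all                       peer
host    all   all       127.0.0.1/32    md5
host    all   all       ::1/128         md5
"""

def parse_hba(text):
    """Return rules as dicts, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":   # TYPE DATABASE USER METHOD
            conn, db, user, addr, method = fields[0], fields[1], fields[2], None, fields[3]
        else:                      # TYPE DATABASE USER ADDRESS METHOD
            conn, db, user, addr, method = fields[:5]
        rules.append({"type": conn, "db": db.split(","), "user": user.split(","),
                      "addr": addr, "method": method})
    return rules

def first_match(rules, db, user, client_ip=None):
    """Return the auth method of the first matching rule.

    client_ip=None models a Unix-socket connection (no host= parameter);
    an IP string models a TCP connection such as host=localhost.
    """
    for r in rules:
        if (r["type"] == "local") != (client_ip is None):
            continue               # socket rules never match TCP, and vice versa
        if not ({"all", db} & set(r["db"])) or not ({"all", user} & set(r["user"])):
            continue
        if client_ip is not None and ipaddress.ip_address(client_ip) \
                not in ipaddress.ip_network(r["addr"], strict=False):
            continue
        return r["method"]
    return "reject (no matching rule)"

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    print("host=localhost :", first_match(rules, "postgres", "postgres", "127.0.0.1"))
    print("no host (socket):", first_match(rules, "postgres", "postgres"))
```

Running the same check against a real pg_hba.conf is a quick way to audit which authentication method each connection path actually gets before deciding whether a role needs a password.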
From: | Sebastian P(dot) Luque <spluque(at)gmail(dot)com> |
---|---|
To: | pgsql-pkg-debian(at)postgresql(dot)org |
Subject: | Re: no password on postgres user and pgagent |
Date: | 2016-05-11 11:53:12 |
Message-ID: | 87a8jwstef.fsf@otaria.sebmel.org |
On Tue, 10 May 2016 16:20:31 +0200,
Christoph Berg <cb(at)df7cb(dot)de> wrote:
[...]
>> which is what I want; i.e. get user name from the operating system
>> user and check that it matches requested database user name. If I
>> understand right, this means that if I sudo or login as postgres,
>> then that's what PostgreSQL gets. If postgres has no password and I
>> can login without one, then the database server shouldn't ask for
>> one. Why does pgagent expect one?
> Because you try "host=localhost" which doesn't match the line you are
> citing. Look for host...md5.
You're absolutely right, and I had forgotten a few things about
this. Things work as I expected when leaving out the "host"
specification in the call to pgagent.
This got me thinking whether it's a good idea to leave the postgres user
without a password. The system is inside a work network, and a handful
of users, both of which are trustworthy. But perhaps it would still be
safer to create a password for postgres.
Thanks for your help,
--
Seb
From: | Christoph Berg <myon(at)debian(dot)org> |
---|---|
To: | "Sebastian P(dot) Luque" <spluque(at)gmail(dot)com> |
Cc: | pgsql-pkg-debian(at)postgresql(dot)org |
Subject: | Re: no password on postgres user and pgagent |
Date: | 2016-05-11 12:57:58 |
Message-ID: | 20160511125758.GB8268@msg.df7cb.de |
Re: Sebastian P. Luque 2016-05-11 <87a8jwstef(dot)fsf(at)otaria(dot)sebmel(dot)org>
> This got me thinking whether it's a good idea to leave the postgres user
> without a password. The system is inside a work network, and a handful
> of users, both of which are trustworthy. But perhaps it would still be
> safer to create a password for postgres.
"no password" simply means "no password". It doesn't mean "can login
without a password".
Christoph