Обсуждение: no password on postgres user and pgagent
Hello, I'd like to run pgagent with the postgres user, which doesn't have a password. I thought it'd be as simple as setting up an init script as: [ -- Begin <pgagent_start.sh> ---------------------------------------------- ] #! /bin/sh pgagent user=postgres host=localhost dbname=postgres [ -- End <pgagent_start.sh> ------------------------------------------------ ] and then the following should work: ---<--------------------cut here---------------start------------------->--- $ sudo -u postgres sh pgagent_start.sh sluque@otaria:~$ Mon May 9 16:23:00 2016 : WARNING: Couldn't create the primary connection (attempt 1): fe_sendauth: nopassword supplied Mon May 9 16:23:05 2016 : WARNING: Couldn't create the primary connection (attempt 2): fe_sendauth: no password supplied Mon May 9 16:23:10 2016 : WARNING: Couldn't create the primary connection (attempt 3): fe_sendauth: no password supplied Mon May 9 16:23:15 2016 : WARNING: Couldn't create the primary connection (attempt 4): fe_sendauth: no password supplied Mon May 9 16:23:20 2016 : WARNING: Couldn't create the primary connection (attempt 5): fe_sendauth: no password supplied Mon May 9 16:23:25 2016 : WARNING: Couldn't create the primary connection (attempt 6): fe_sendauth: no password supplied Mon May 9 16:23:30 2016 : WARNING: Couldn't create the primary connection (attempt 7): fe_sendauth: no password supplied Mon May 9 16:23:35 2016 : WARNING: Couldn't create the primary connection (attempt 8): fe_sendauth: no password supplied Mon May 9 16:23:40 2016 : WARNING: Couldn't create the primary connection (attempt 9): fe_sendauth: no password supplied Mon May 9 16:23:45 2016 : WARNING: Couldn't create the primary connection (attempt 10): fe_sendauth: no password supplied Mon May 9 16:23:45 2016 : ERROR: Stopping pgAgent: Couldn't establish the primary connection with the database server. ---<--------------------cut here---------------end--------------------->--- Does one *have* to supply a password for postgres? Thanks, -- Seb
Re: Seb 2016-05-10 <87r3daopfm.fsf@otaria.sebmel.org> > Hello, > > I'd like to run pgagent with the postgres user, which doesn't have a > password. I thought it'd be as simple as setting up an init script as: > > [ -- Begin <pgagent_start.sh> ---------------------------------------------- ] > #! /bin/sh > > pgagent user=postgres host=localhost dbname=postgres The default pg_hba.conf requires md5 passwords for "host=localhost" connections. If you remove that connection parameter, a passwordless UNIX socket connection will be used. (In which case pgagent must be running as the "postgres" OS user.) Christoph
On Tue, 10 May 2016 11:08:28 +0200, Christoph Berg <myon@debian.org> wrote: > Re: Seb 2016-05-10 <87r3daopfm.fsf@otaria.sebmel.org> >> Hello, >> I'd like to run pgagent with the postgres user, which doesn't have a >> password. I thought it'd be as simple as setting up an init script >> as: >> [ -- Begin <pgagent_start.sh> >> ---------------------------------------------- ] #! /bin/sh >> pgagent user=postgres host=localhost dbname=postgres > The default pg_hba.conf requires md5 passwords for "host=localhost" > connections. It's actually set to "peer" in my case (v. 9.5): [ -- <pg_hba.conf> lines 84 - 85 ------------------------------------------- ] # Database administrative login by Unix domain socket local all postgres peer [ -- End of <pg_hba.conf> lines 84 - 85 ------------------------------------ ] which is what I want; i.e. get user name from the operating system user and check that it matches requested database user name. If I understand right, this means that if I sudo or login as postgres, then that's what PostgreSQL gets. If postgres has no password and I can login without one, then the database server shouldn't ask for one. Why does pgagent expect one? Thanks, -- Seb
Re: Sebastian P. Luque 2016-05-10 <87d1ouvz6v.fsf@otaria.sebmel.org> > >> I'd like to run pgagent with the postgres user, which doesn't have a > >> password. I thought it'd be as simple as setting up an init script > >> as: > > >> [ -- Begin <pgagent_start.sh> > >> ---------------------------------------------- ] #! /bin/sh > > >> pgagent user=postgres host=localhost dbname=postgres > > > The default pg_hba.conf requires md5 passwords for "host=localhost" > > connections. > > It's actually set to "peer" in my case (v. 9.5): > > [ -- <pg_hba.conf> lines 84 - 85 ------------------------------------------- ] > # Database administrative login by Unix domain socket > local all postgres peer > [ -- End of <pg_hba.conf> lines 84 - 85 ------------------------------------ ] > > which is what I want; i.e. get user name from the operating system user > and check that it matches requested database user name. If I understand > right, this means that if I sudo or login as postgres, then that's what > PostgreSQL gets. If postgres has no password and I can login without > one, then the database server shouldn't ask for one. Why does pgagent > expect one? Because you try "host=localhost" which doesn't match the line you are citing. Look for host...md5. Christoph
On Tue, 10 May 2016 16:20:31 +0200, Christoph Berg <cb@df7cb.de> wrote: [...] >> which is what I want; i.e. get user name from the operating system >> user and check that it matches requested database user name. If I >> understand right, this means that if I sudo or login as postgres, >> then that's what PostgreSQL gets. If postgres has no password and I >> can login without one, then the database server shouldn't ask for >> one. Why does pgagent expect one? > Because you try "host=localhost" which doesn't match the line you are > citing. Look for host...md5. You're absolutely absolutely, and I had forgotten a few things about this. Things work as I expected when leaving out the "host" specification in the call to pgagent. This got me thinking whether it's a good idea to leave the postgres user without a password. The system is inside a work network, and a handful of users, both of which are trustworthy. But perhaps it would still be safer to create a password for postgres. Thanks for your help, -- Seb
Re: Sebastian P. Luque 2016-05-11 <87a8jwstef.fsf@otaria.sebmel.org> > This got me thinking whether it's a good idea to leave the postgres user > without a password. The system is inside a work network, and a handful > of users, both of which are trustworthy. But perhaps it would still be > safer to create a password for postgres. "no password" simply means "no password". It doesn't mean "can login without a password". Christoph