Is there any way of configuring your PEM agents such that they don't require the use of .pgpass file in root's home directory? This is a security risk from our (DBAs) perspective since the system admins (who own root) aren't necessarily supposed to have access to our Postgres databases or know our passwords. Everything I've read concerning errors like the following seems to point to the solution of using .pgpass on the monitored server so the agent can connect.
Don't get me wrong - sysadmins are some great people, but in using the .pgpass configuration, they could log in as the superuser and potentially break things. Is it possible to break away from having root own everything and having to be one to execute all of the PEM agent commands? We would like our DBA user (username: postgres, group: dba) to own and control these monitoring tools much like we can make a non-root user the owner of the Postgres server installations.
With 2.0.1 you can store the password in the agent/server binding (on the PEM Agent tab of the Server properties dialogue).
However, I should point out that anyone with root access to the server can trivially access the database anyway. Removing the password from ~root/.pgpass maybe keeps them out for 30 seconds longer, but that's about all.
Thanks for the pointer, Dave. Valid point about root being able to do whatever they want. We just like to keep a tight leash on our passwords and don't like to store them in plain-text form like in .pgpass.