Chapter 17. How to use different auth with Amanda

Jean-Louis Martineau

Original text; XML conversion; updates
AMANDA Core Team

Table of Contents

Introduction
BSD
BSDTCP
BSDUDP
KRB4
KRB5
RSH
SSH
For amdump:
For amrecover:

This document covers the use of the authentication mechanisms (auth) in Amanda 2.5.1 and higher.

Introduction

BSD

You must configure amanda with --with-bsd-security and --with-amandahosts.

The xinetd.d/amanda file on the client:

service amanda
{
      only_from               = 127.0.0.1
      socket_type             = dgram
      protocol                = udp
      wait                    = yes
      user                    = amanda
      group                   = amanda
      groups                  = yes
      server                  = /path/to/amandad
      server_args             = -auth=bsd amdump
      disable                 = no
}

The only_from line should list your tape server's IP address.

The ~amanda/.amandahosts file on the client:

tapeserver.fqdn amanda amdump

If you also want to enable amindexd and amidxtaped, you must change the server_args line in the xinetd.d/amanda file on the tape server:

      server_args             = -auth=bsd amdump amindexd amidxtaped

The only_from line should list all machines that can use amdump/amrecover. It is the .amandahosts file that limits which clients can use amdump/amindexd/amidxtaped.

The ~amanda/.amandahosts file on the tape server must have a line for each machine:

clientmachine1 amanda amindexd amidxtaped
clientmachine2 amanda amindexd amidxtaped
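To make the role of .amandahosts concrete, here is an added example (not Amanda's own code) that models the check the file expresses: a connecting host and remote user are only granted a service if a line names that host, that user and that service. The sample file content is constructed for the example, and the handling of an entry with no service list (treated here as granting amdump only) is an assumption of this model; Amanda's real matching is richer than this.

```python
"""Simplified model of the access check expressed by Amanda's .amandahosts.

Added example, not Amanda's code.  Each non-comment line has the form

    <hostname> <username> [<service> ...]

A request (host, user, service) is allowed only when some line matches the
host and user and lists the service.
"""
from typing import FrozenSet, List, Tuple

# Constructed sample: a tape server's ~amanda/.amandahosts with the two client
# lines from the text, plus one entry without a service list.
SAMPLE_AMANDAHOSTS = """\
# clients allowed to restore through this server
clientmachine1 amanda amindexd amidxtaped
clientmachine2 amanda amindexd amidxtaped
# entry with no services listed
tapeserver.fqdn amanda
"""

Entry = Tuple[str, str, FrozenSet[str]]


def parse_amandahosts(text: str) -> List[Entry]:
    """Parse .amandahosts text into (host, user, services) entries."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed .amandahosts line: {raw!r}")
        host, user, *services = fields
        if not services:
            # Assumption of this model: no service list means amdump only.
            services = ["amdump"]
        entries.append((host.lower(), user, frozenset(services)))
    return entries


def is_allowed(entries: List[Entry], host: str, user: str, service: str) -> bool:
    """True when some entry grants `service` to `user` connecting from `host`."""
    host = host.lower()   # hostnames compare case-insensitively
    return any(h == host and u == user and service in svcs
               for h, u, svcs in entries)


if __name__ == "__main__":
    table = parse_amandahosts(SAMPLE_AMANDAHOSTS)
    for req in [("clientmachine1", "amanda", "amindexd"),
                ("clientmachine1", "amanda", "amdump"),
                ("clientmachine1", "root", "amindexd"),
                ("tapeserver.fqdn", "amanda", "amdump")]:
        print(req, "->", "allowed" if is_allowed(table, *req) else "denied")
```

Note that the xinetd only_from line and this file are two separate gates: only_from decides who may reach amandad at all, and .amandahosts decides which service each host and user may then run.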

BSDTCP

Like bsd, but you must configure amanda with --with-bsdtcp-security and --with-amandahosts and make these four changes in the xinetd.d/amanda file:

      socket_type             = stream
      protocol                = tcp
      wait                    = no
      server_args             = -auth=bsdtcp amdump

BSDUDP

Like bsd, but you must configure amanda with --with-bsdudp-security and --with-amandahosts and make this one change in the xinetd.d/amanda file:

      server_args             = -auth=bsdudp amdump

KRB4

You must configure amanda with --with-krb4-security.

KRB5

You must configure amanda with --with-krb5-security.

RSH

You must configure amanda with --with-rsh-security.

Your system (not Amanda) must allow your server user to rsh to your client user.

If your server username and client username differ, you must add the client_username option to all DLEs for that host:

client_username "client_username"

If the amandad path on the server and on the client differ, you must set the amandad_path option in all DLEs for that host:

amandad_path "client/amandad/path"

SSH

You must configure amanda with --with-ssh-security.

For amdump:

You must create an ssh key for your server. In this example, the key is put in the id_rsa_amdump file:

ssh-keygen -t rsa
Enter file in which to save the key (/home/amanda/.ssh/id_rsa)? /home/amanda/.ssh/id_rsa_amdump

You must set the ssh_keys option in all DLE for that host:

ssh_keys "/home/amanda/.ssh/id_rsa_amdump"

You must append the /home/amanda/.ssh/id_rsa_amdump.pub file to the .ssh/authorized_keys file of all client hosts.

For security reasons, you must prepend the line with the following:

from="tape_server_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/path/to/amandad -auth=ssh amdump"

That restricts the key so that it can only connect from your server and can only execute amandad.

Like rsh, if your server username and client username differ, you must add the client_username option to all DLEs for that host:

client_username "client_username"

Like rsh, if the amandad path on the server and on the client differ, you must set the amandad_path option in all DLEs for that host:

amandad_path "client/amandad/path"

For amrecover:

You must create an ssh key for root on all clients that can use amrecover. In this example, the key is put in the /root/.ssh/id_rsa_amrecover file.

Log in as root:

ssh-keygen -t rsa
Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover

You must set the ssh_keys option in the amanda_client.conf file:

ssh_keys "/root/.ssh/id_rsa_amrecover"

You must append every client's /home/root/.ssh/id_rsa_amrecover.pub file to the /home/amanda/.ssh/authorized_keys file on the server.

For security reasons, you must prefix each of those lines with the following:

from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"

That restricts each client key so that it can only connect from that client and can only execute amandad.
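Both the amdump key on each client and the amrecover keys on the server depend on the from=, no-*-forwarding and command= options being present on every Amanda key line. The following added example (not Amanda's code) builds such a restricted line from a raw public key and audits an authorized_keys file for keys that lack any of the restrictions. The sample file content, host names and the /usr/libexec/amanda/amandad path are constructed for the example; the key material is a placeholder.

```python
"""Build and audit the restricted authorized_keys lines this document requires.

Added example, not Amanda's code.  A compliant line looks like

    from="host",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/path/to/amandad -auth=ssh ..." ssh-rsa AAAA... comment
"""
import re
from typing import Dict, List, Tuple

REQUIRED_FLAGS = ("no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding")
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")

# Constructed sample of a server-side ~amanda/.ssh/authorized_keys: one key set
# up as the text prescribes, one missing the forced command, one unrestricted.
SAMPLE_AUTHORIZED_KEYS = """\
# amrecover key from clientmachine1, restricted as required
from="clientmachine1.example.org",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/libexec/amanda/amandad -auth=ssh amindexd amidxtaped" ssh-rsa AAAAB3PLACEHOLDER1 root@clientmachine1
# amrecover key from clientmachine2: forced command missing
from="clientmachine2.example.org",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER2 root@clientmachine2
# stray key with no restrictions at all
ssh-rsa AAAAB3PLACEHOLDER3 someone@laptop
"""


def restrict_key(pubkey_line: str, from_host: str, amandad_path: str,
                 services: List[str]) -> str:
    """Prefix a raw public-key line with the options the text prescribes."""
    svc = " ".join(services)
    opts = [f'from="{from_host}"', *REQUIRED_FLAGS,
            f'command="{amandad_path} -auth=ssh {svc}"']
    return ",".join(opts) + " " + pubkey_line.strip()


def split_options(options: str) -> List[str]:
    """Split a comma-separated option list, keeping quoted commas intact."""
    out, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str) -> Tuple[List[str], str, str]:
    """Return (options, key type, rest) for one authorized_keys line."""
    quoted = False
    for i, ch in enumerate(line):        # options end at first unquoted space
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            break
    else:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    first, rest = line[:i], line[i:].strip()
    if KEY_TYPE.match(first):            # no options field at all
        return [], first, rest
    return split_options(first), rest.split()[0], rest


def audit_authorized_keys(text: str) -> Dict[int, List[str]]:
    """Map line number -> list of missing restrictions; empty dict means clean."""
    findings: Dict[int, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _, _ = parse_line(line)
        names = {o.split("=", 1)[0].lower() for o in options}   # options are case-insensitive
        problems = []
        if "from" not in names:
            problems.append('missing from="<host>"')
        problems += [f"missing {f}" for f in REQUIRED_FLAGS if f.lower() not in names]
        cmd = next((o for o in options if o.lower().startswith("command=")), None)
        if cmd is None:
            problems.append("missing forced command")
        elif "amandad" not in cmd or "-auth=ssh" not in cmd:
            problems.append("forced command is not amandad -auth=ssh")
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    for lineno, problems in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"line {lineno}: " + "; ".join(problems))
```

Running the audit regularly against both the clients' authorized_keys (amdump key) and the server's (amrecover keys) catches a key that was appended without its prefix, which is the mistake that turns a backup key into a general-purpose shell login.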

Note

Refer to http://www.amanda.org/docs/howto-auth.html for the current version of this document.