How To:Configure bsdtcp authentication

From The Open Source Backup Wiki (Amanda, MySQL Backup, BackupPC)

This article is a part of the How Tos collection.

NOTE: For authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).

Which One?

There are several authentication mechanisms available for Amanda, so which one should you choose?

Use BSDTCP (easier to set up, risky on a public network) or SSH (better security for open networks) authentication.

This article describes BSDTCP. The details of SSH authentication are given in How To:Set up transport encryption with SSH.

BSD is only present for backward-compatibility with versions of Amanda older than 2.5.0. BSDUDP is a version of BSDTCP that also uses UDP, and UDP is very difficult to debug (since tools like netcat aren't useful).

The details of BSD and BSDUDP are given in How To:Configure Backward-compatible Authentication Methods. For configuration of a pre-2.5 client (bsd only), please see Backing up an older Amanda 2.4 client.

.amandahosts file

It is very common for Amanda to be compiled to use the .amandahosts file to control access on clients and server using the bsd, bsdudp, and bsdtcp authentication methods.

The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. This file should be readable and writable only by the Amanda backup user.

The format of .amandahosts is

<amandaserver.example.com> <backup_user> <service(s)>

The first field is the fully qualified domain name of the server which is being granted access to the local client machine as backup_user to perform service(s).

service(s) are the amandad services allowed to be run on the configured client/server:

amdump - is used for backing up a client. Specifying this allows an Amanda server running an amdump command to connect to an Amanda client to perform a backup.

amindexd - is the daemon that accesses Amanda's index database. Specifying this allows an Amanda client running amrecover to access the database on an Amanda server to determine which files and directories have been backed up on the client.

amidxtaped - is the daemon that accesses Amanda's log files. Specifying this allows an Amanda client running amrecover to access tape information on an Amanda server.

Example of the .amandahosts file on an Amanda client

amandaserver.example.com amandabackup amdump 

Example of the .amandahosts file on an Amanda server

amandaclient1.example.com root amindexd amidxtaped
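As an added example (not code from the wiki or from the Amanda project), this Python script parses .amandahosts lines into the (host, user, services) fields described above, flags entries with missing fields or a service name outside the three this page documents, and checks that the file is owned by the Amanda user with no group/other permission bits, as the section requires. The demo() helper writes a constructed sample file to a temporary path; the expected uid is assumed to be the uid of whoever runs the check.

```python
import os
import stat
import tempfile

# Services documented for .amandahosts on this page.
KNOWN_SERVICES = {"amdump", "amindexd", "amidxtaped"}

def parse_amandahosts(text):
    """Parse .amandahosts text into (host, user, services) tuples plus a list of errors."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # blank lines and '#' comments are skipped
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            errors.append(f"line {lineno}: expected '<host> <user> <service(s)>'")
            continue
        host, user, services = fields[0], fields[1], fields[2:]
        unknown = sorted(set(services) - KNOWN_SERVICES)
        if unknown:
            errors.append(f"line {lineno}: unknown service(s) {unknown}")
        entries.append((host, user, services))
    return entries, errors

def check_amandahosts_mode(path, expected_uid):
    """Return permission problems: wrong owner, or any group/other bits set."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants access to group/other")
    return problems

def demo():
    """Constructed sample: the same file checked at mode 0600 and then at 0644."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"amandaserver.example.com amandabackup amdump\n")
    os.close(fd)
    os.chmod(path, 0o600)
    strict = check_amandahosts_mode(path, os.getuid())  # expected: no problems
    os.chmod(path, 0o644)
    loose = check_amandahosts_mode(path, os.getuid())   # expected: one problem
    os.remove(path)
    return strict, loose
```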

General info on using inetd

Template for Amanda client inetd service entry

 <service_name>  <socket_type>   <protocol>  <wait/nowait>   <amanda_backup_user>  <absolute_path_to_amandad>   amandad  <server_args>

General info on using xinetd

Template for Amanda client xinetd service file

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = <socket type>
       protocol                = <protocol>
       wait                    = <"yes"/"no">
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = <amandad server arguments>
       disable                 = no
 }

Xinetd offers the "only_from" parameter, which provides a second layer of protection on top of the permissions granted in the .amandahosts file. It is not required, but it can certainly be used.

bsdtcp

If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdtcp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

client

Clients need to specify the auth and amdump arguments to the amandad command.

inetd example

Example of an inetd service entry using bsdtcp authentication, assuming the Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump

xinetd example

Example of an xinetd service entry using bsdtcp authentication, assuming the Amanda user is "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no 
}

server

You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method to connect to any clients. Either specify the auth parameter directly in the disklist file, or use a dumptype that specifies the bsdtcp authentication method.

Example of specifying bsdtcp authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsdtcp"
       }    1

Example of a dumptype definition specifying bsdtcp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
}

This may also be set globally in the same way by editing the "global" dumptype definition.

inetd example

Example of an inetd service entry using bsdtcp authentication, assuming the Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump amindexd amidxtaped

xinetd example

Example of an xinetd service entry using bsdtcp authentication, assuming the Amanda user is "amanda"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}
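As an added example (not from the wiki or the Amanda project), this Python script parses one xinetd service stanza of the form shown in the client and server examples above and reports settings that deviate from them: the fixed stream/tcp/nowait settings, a server_args that does not select -auth=bsdtcp, services beyond what the example for that role enables (amdump only on a client; amdump, amindexd and amidxtaped on a server), and a missing only_from, which the text above describes as an optional second layer. The role-to-service mapping is assumed from those two examples.

```python
import re

# Service lists taken from the client and server xinetd examples on this page.
ROLE_SERVICES = {
    "client": {"amdump"},
    "server": {"amdump", "amindexd", "amidxtaped"},
}

# Fixed settings every bsdtcp amandad stanza on this page shares.
EXPECTED = {"socket_type": "stream", "protocol": "tcp", "wait": "no", "disable": "no"}

def parse_xinetd_service(text):
    """Return (service_name, {attribute: value}) for one xinetd service stanza."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no 'service <name> { ... }' stanza found")
    attrs = {}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return m.group(1), attrs

def audit_bsdtcp_stanza(text, role):
    """List deviations from this page's bsdtcp stanza for the given role."""
    _name, attrs = parse_xinetd_service(text)
    findings = []
    for key, want in EXPECTED.items():
        if attrs.get(key) != want:
            findings.append(f"{key} should be {want!r}, got {attrs.get(key)!r}")
    args = attrs.get("server_args", "").split()
    if "-auth=bsdtcp" not in args:
        findings.append("server_args does not select -auth=bsdtcp")
    # Anything that is not an option is a service name handed to amandad.
    services = {arg for arg in args if not arg.startswith("-")}
    extra = sorted(services - ROLE_SERVICES[role])
    if extra:
        findings.append(f"{role} stanza enables services beyond this page's example: {extra}")
    # only_from is optional on this page, but without it .amandahosts is the sole gate.
    if not attrs.get("only_from"):
        findings.append("only_from is unset; .amandahosts is the only access control")
    return findings
```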