How To:Configure Backward-compatible Authentication Methods
This article is a part of the How Tos collection.
Old Authentications
New versions of Amanda can communicate with very old versions of Amanda, and to do so they use some old authentication methods. This page builds on How To:Configure bsdtcp authentication to explain how to configure some of these older authentication methods.
bsd
If an authentication method is not specified, bsd is the default. As with most defaults in Amanda, this is the case for backward-compatibility reasons, and unless you have old (Amanda-2.4) clients, you don't want to use bsd auth. Because bsd is the default, the auth argument to the amandad command does not need to be specified, but specifying it makes the configuration explicit.
client
Clients need to specify the amdump argument to the amandad command and may make the authentication method clear with the auth argument.
inetd example
Example of using bsd authentication for inetd server assuming Amanda user is "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped
xinetd example
Example xinetd.d amanda client service file with backup user "amandabackup"
service amanda
{
    only_from = amandaserver.example.com
    socket_type = dgram
    protocol = udp
    wait = yes
    user = amandabackup
    group = disk
    groups = yes
    server = /usr/lib/amanda/amandad
    server_args = -auth=bsd amdump
    disable = no
}
server
If an Amanda server will also be a backup client to itself, it will use the same client configuration. However, as the Amanda server is also the recovery server for all clients via the amrecover command, the x/inetd service entry on the Amanda server should also include amindexd and amidxtaped arguments to the amandad command.
The bsd authentication method is the default authentication method, thus a configuration with no auth parameter set will use bsd. Some packaged versions of Amanda, however, set another authentication method in the global dumptype, meaning it applies to all dumptypes based on this global dumptype (such as all dumptypes that ship with Amanda).
If you want to use the bsd authentication method to connect to a client and yet your server is trying to use some authentication method other than bsd, you must either remove the specification of another authentication method from the global dumptype or explicitly specify the bsd authentication method for the desired clients in the disklist file on the Amanda server. For the latter, you must either specify the auth parameter directly in the disklist file or use a dumptype that specifies the bsd authentication method.
Example of specifying bsd authentication directly in the disklist file.
server.example.com {
    comp-user-tar
    auth "bsd"
} 1
Example of a dumptype definition specifying bsd authentication.
define dumptype comp-user-tar {
    ...
    auth "bsd"
    ...
}
inetd example
Example of using bsd authentication for inetd server assuming Amanda user is "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped
If you are using TCP wrappers, your inetd entry may look like this assuming Amanda user is "amanda":
amanda dgram udp wait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
xinetd example
Example of xinetd server entry that uses bsd for being a backup client to itself as well as a recovery server for all clients
service amanda
{
    only_from = amandaserver.example.com amandaclient1.example.com amandaclient2.example.com
    socket_type = dgram
    protocol = udp
    wait = yes
    user = amandabackup
    group = disk
    groups = yes
    server = /usr/lib/amanda/amandad
    server_args = -auth=bsd amdump amindexd amidxtaped
    disable = no
}
bsdudp
If you want to use bsdudp authentication and are compiling from source code, you must specify the configure flag
--with-bsdudp-security
otherwise, amcheck will return messages like:
Could not find security driver "bsdudp" for host "yourhost". auth for this dle is invalid
client
Clients need to specify the auth and amdump arguments to the amandad command.
inetd example
Example of using bsdudp authentication for inetd server on an Amanda client using Amanda user "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump
xinetd example
Example of using bsdudp authentication for xinetd server on an Amanda client using Amanda user "amandabackup"
service amanda
{
    only_from = amandaserver.example.com amandaclient.example.com
    socket_type = dgram
    protocol = udp
    wait = yes
    user = amandabackup
    group = disk
    groups = yes
    server = /usr/lib/amanda/amandad
    server_args = -auth=bsdudp amdump
    disable = no
}
server
You must specify in the disklist file on the Amanda server that you will use the bsdudp authentication method to connect to any clients. You must either specify the auth parameter directly in the disklist file or use a dumptype that specifies the bsdudp authentication method.
Example of specifying bsdudp authentication directly in the disklist file.
server.example.com {
    comp-user-tar
    auth "bsdudp"
} 1
Example of a dumptype definition specifying bsdudp authentication.
define dumptype comp-user-tar {
    ...
    auth "bsdudp"
    ...
}
This may also be set globally in the same way by editing the "global" dumptype definition.
inetd example
Example of using bsdudp authentication for inetd server assuming Amanda user "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump amindexd amidxtaped
xinetd example
Example of using bsdudp authentication for xinetd server assuming Amanda user "amanda"
service amanda
{
    only_from = amandaserver.example.com amandaclient.example.com
    socket_type = dgram
    protocol = udp
    wait = yes
    user = amandabackup
    group = disk
    groups = yes
    server = /usr/lib/amanda/amandad
    server_args = -auth=bsdudp amdump amindexd amidxtaped
    disable = no
}
Backing up an older Amanda 2.4 client
Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd" available.
An Amanda 2.5 or later server (using user "amandabackup") may still back up an Amanda 2.4 client (user "amanda"). For this, the server must use an auth "bsd" setting for communication, though a global auth "bsdtcp" entry can be overridden in special dumptype defines for use on older clients.
Example of an inetd file entry on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not as many amandad server arguments)
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad
Example of an xinetd file on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not some of the more current parameters such as "server_args")
service amanda
{
    only_from = amandaserver.example.com
    socket_type = dgram
    protocol = udp
    wait = yes
    user = amanda
    group = disk
    groups = yes
    server = /usr/lib/amanda/amandad
    disable = no
}
The client's ".amandahosts" file will need to specify that the server connection is from user "amandabackup".
amandaserver.example.com amandabackup amdump
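Because amandad falls back to bsd when no auth argument is given, an entry such as the Amanda 2.4 one above uses a legacy method without saying so. The following Python code is an added example, not part of the original page or the Amanda project: it reads inetd and xinetd entries in the forms shown on this page and reports, per amandad service, the effective authentication method and whether it is one of the older ones. Function names and sample input are constructed for illustration (the bsdtcp entry is there only for contrast), and taking the first -auth argument when several are present is an assumption.

```python
import re

LEGACY = {"bsd", "bsdudp"}  # the older methods covered on this page

def amandad_auth(argv):
    """Return (auth, explicit); bsd is the default when -auth= is absent."""
    given = [a[len("-auth="):] for a in argv if a.startswith("-auth=")]
    return (given[0], True) if given else ("bsd", False)

def parse_inetd(text):
    """Yield (user, amandad args); args start at field 8, with or without tcpd."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if any(x.endswith("amandad") for x in f[5:7]):
            yield f[4], f[7:]

def parse_xinetd(text):
    """Yield (user, amandad args) from xinetd service blocks not disabled."""
    for body in re.findall(r"service\s+\S+\s*\{(.*?)\}", text, re.S):
        kv = dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", body, re.M))
        if kv.get("server", "").endswith("amandad") and kv.get("disable") != "yes":
            yield kv.get("user", "?"), kv.get("server_args", "").split()

def audit(inetd_text="", xinetd_text=""):
    """Return (source, user, auth, explicit, legacy) per amandad entry."""
    found = []
    for src, entries in (("inetd", parse_inetd(inetd_text)),
                         ("xinetd", parse_xinetd(xinetd_text))):
        for user, argv in entries:
            auth, explicit = amandad_auth(argv)
            found.append((src, user, auth, explicit, auth in LEGACY))
    return found

# Constructed sample input modelled on the entries shown on this page.
SAMPLE_INETD = """\
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump
amanda dgram udp wait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad amdump
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad
"""
SAMPLE_XINETD = """\
service amanda
{
    user = amandabackup
    server = /usr/lib/amanda/amandad
    server_args = -auth=bsdtcp amdump
}
"""
if __name__ == "__main__":
    print(*audit(SAMPLE_INETD, SAMPLE_XINETD), sep="\n")
```

Rows with explicit set to False and legacy set to True are the ones that use bsd only because nothing else was configured.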