How To:Configure bsdtcp authentication

From wiki.zmanda.com
Latest revision as of 16:11, 20 November 2010

This article is a part of the How Tos collection.

NOTE: For authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).

Which One?

There are several authentication mechanisms available for Amanda, so which one should you choose?

Use BSDTCP (easier to set up, but risky on a public network) or SSH (better security for open networks) authentication. BSDTCP identifies the peer only by the hostname its address resolves to and by the user name the peer itself claims, both checked against .amandahosts, and it encrypts nothing on the wire; it belongs on a trusted backup network, not across a network where an attacker can spoof addresses or read traffic.

This article describes BSDTCP. The details of SSH authentication are given in How To:Set up transport encryption with SSH.

BSD is present only for backward compatibility with versions of Amanda older than 2.5.0. BSDUDP is a variant of BSDTCP that also uses UDP, and UDP traffic is much harder to debug (tools like netcat are of little use).

The details of BSD and BSDUDP are given in How To:Configure Backward-compatible Authentication Methods. For configuration of a pre-2.5 client (bsd only), please see Backing up an older Amanda 2.4 client.

.amandahosts file

Amanda is normally built to use the .amandahosts file to control access on clients and servers for the bsd, bsdudp and bsdtcp authentication methods.

The .amandahosts file lives in the home directory of the Amanda backup user, commonly /var/lib/amanda. It must be owned by that user and be readable and writable only by that user (mode 0600); a file that other accounts can write lets them grant themselves backup or recovery access.

The format of .amandahosts is one entry per line:

<FQDN of the peer host> <backup_user> <service(s)>

The first field is the fully qualified domain name of the host being granted access to the local machine. amandad compares it with the hostname it resolves from the connecting peer's address, so the entry must use the name reverse DNS returns for that host, not a short name or an alias, and forward and reverse DNS for the peer must agree. The second field is the user the peer connects as: on a client, the server's backup user; on a server, the user running amrecover, normally root. The remaining fields are the services that host and user may run.

service(s) are the amandad services the named host and user are allowed to run on this machine:

amdump - the backup services. Specifying this allows an Amanda server running amdump (or amcheck) to connect to an Amanda client to perform a backup; it stands for the client-side services noop, selfcheck, sendsize and sendbackup.
amindexd - the daemon that serves Amanda's index database. Specifying this allows an Amanda client running amrecover to query the server for which files and directories have been backed up from the client.
amidxtaped - the daemon that reads backup images from tape or the holding disk. Specifying this allows an Amanda client running amrecover to retrieve the backed-up data from the server.

Example of the .amandahosts file on an Amanda client

amandaserver.example.com amandabackup amdump 

Example of the .amandahosts file on an Amanda server

amandaclient1.example.com root amindexd amidxtaped
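An added check, not part of Amanda or of this page: a small POSIX shell linter for .amandahosts. It verifies the owner and mode described above and that every entry names a fully qualified host, a user and at least one known service. The function name check_amandahosts, the AMANDA_SERVICES list and the requirement that every line list its services explicitly are this example's own choices, not something amandad enforces.

```shell
#!/bin/sh
# Lint an Amanda .amandahosts file: owner, mode and entry syntax.
# Added example for this page; not part of Amanda. Assumes POSIX sh and ls.

# Service names amandad accepts in .amandahosts. "amdump" is shorthand for the
# client-side backup services noop, selfcheck, sendsize and sendbackup.
AMANDA_SERVICES="amdump amindexd amidxtaped noop selfcheck sendsize sendbackup"

# check_amandahosts FILE OWNER
# Returns 0 when FILE is mode 0600, owned by OWNER, and every entry is
# "<fqdn> <user> <service>..."; otherwise prints each problem to stderr
# and returns 1. Requiring an explicit service list on every line is this
# linter's policy, so that each grant is visible at a glance.
check_amandahosts() {
    f=$1; owner=$2; bad=0
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # ls -ld prints e.g. "-rw------- 1 amandabackup disk 42 ... .amandahosts"
    set -- $(ls -ld "$f")
    perms=$1; fowner=$3
    case "$perms" in
        ?rw-------|?rw-------.) ;;   # a trailing "." is an SELinux context marker
        *) echo "$f: mode is $perms, want 0600" >&2; bad=1 ;;
    esac
    [ "$fowner" = "$owner" ] || { echo "$f: owned by $fowner, want $owner" >&2; bad=1; }

    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        if [ $# -lt 3 ]; then
            echo "$f:$n: '$line' needs <fqdn> <user> <service>..." >&2; bad=1; continue
        fi
        host=$1; user=$2; shift 2
        # amandad matches this field against the name it resolves for the
        # peer's address, so a short name or alias silently fails to match.
        case "$host" in
            *.*) ;;
            *) echo "$f:$n: host '$host' is not fully qualified" >&2; bad=1 ;;
        esac
        for svc in "$@"; do
            case " $AMANDA_SERVICES " in
                *" $svc "*) ;;
                *) echo "$f:$n: unknown service '$svc' for $host/$user" >&2; bad=1 ;;
            esac
        done
    done < "$f"
    return $bad
}

# Usage: sh check_amandahosts.sh /var/lib/amanda/.amandahosts amandabackup
if [ $# -ge 2 ]; then
    check_amandahosts "$1" "$2"
fi
```

Run it on each client against the server's backup user, and on the server against the user amrecover connects as; a non-zero exit means amcheck will most likely fail for that host too.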

General info on using inetd

Template for Amanda client inetd service entry

 <service_name>  <socket_type>   <protocol>  <wait/nowait>   <amanda_backup_user>  <absolute_path_to_amandad>   amandad  <server_args>

General info on using xinetd

Template for Amanda client xinetd service file

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = <socket type>
       protocol                = <protocol>
       wait                    = <"yes"/"no">
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = <amandad server arguments>
       disable                 = no
 }

xinetd's "only_from" parameter restricts connections by source address, which adds a second layer on top of the name-based checks in the .amandahosts file. It is not required, but it is cheap and worth setting on every host; where plain inetd is used, TCP wrappers (hosts.allow) serve the same purpose.

bsdtcp

If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdtcp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

client

Clients need to pass -auth=bsdtcp and the service list (amdump) as arguments to amandad. The user the service runs as must be the Amanda backup user whose home directory holds .amandahosts, not root.

inetd example

Example of inetd service entry using bsdtcp authentication and assuming Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump

xinetd example

Example of xinetd service entry using bsdtcp authentication and assuming Amanda user is "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no 
}

server

On the Amanda server, the disklist file must say that bsdtcp is used to reach each client: either set the auth parameter directly on the disklist entry or use a dumptype that sets auth "bsdtcp". The two sides must agree; a client whose amandad listens for bsdtcp while the server still uses the default auth "bsd" (or the reverse) will fail amcheck.

Example of specifying bsdtcp authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsdtcp"
       }    1

Example of a dumptype definition specifying bsdtcp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
}

This may also be set once for all clients by adding auth "bsdtcp" to the "global" dumptype that the other dumptypes include.

inetd example

Example of inetd service entry using bsdtcp authentication and assuming Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump amindexd amidxtaped

xinetd example

Example of xinetd service entry using bsdtcp authentication and assuming Amanda user is "amanda"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}
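An added check covering both the client and the server xinetd entries above; it is not part of Amanda or xinetd. It parses the "key = value" layout shown on this page and reports the mismatch that most often breaks a bsdtcp setup: a bsd entry copied over with only server_args changed, leaving socket_type, protocol and wait at their UDP values. The role names "client" and "server", the function names and the rule that a client entry should not grant amindexd or amidxtaped are this example's own conventions.

```shell
#!/bin/sh
# Check that an xinetd "amanda" service file matches bsdtcp.
# Added example for this page; not part of Amanda or xinetd. Assumes the
# "key = value" layout shown on this page, POSIX sh and awk.

# xinetd_get FILE KEY -> prints KEY's value (last assignment wins, empty if unset)
xinetd_get() {
    awk -v key="$2" '
        /^[ \t]*[A-Za-z_]+[ \t]*=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)   # keep "=" inside -auth=bsdtcp
                gsub(/^[ \t]+|[ \t]+$/, "", v)
            }
        }
        END { print v }' "$1"
}

# has_word LIST WORD -> 0 if WORD is a whitespace-separated member of LIST
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# check_xinetd_bsdtcp FILE ROLE   (ROLE is "client" or "server")
# Returns 0 when the entry is consistent with bsdtcp and the role, else
# prints each mismatch to stderr and returns 1.
check_xinetd_bsdtcp() {
    f=$1; role=$2; bad=0
    st=$(xinetd_get "$f" socket_type)
    pr=$(xinetd_get "$f" protocol)
    wt=$(xinetd_get "$f" wait)
    us=$(xinetd_get "$f" user)
    sa=$(xinetd_get "$f" server_args)
    of=$(xinetd_get "$f" only_from)
    ds=$(xinetd_get "$f" disable)

    # bsdtcp is a stream service: dgram/udp/wait=yes leave amandad unreachable.
    [ "$st" = stream ] || { echo "$f: socket_type=$st, bsdtcp needs stream" >&2; bad=1; }
    [ "$pr" = tcp ]    || { echo "$f: protocol=$pr, bsdtcp needs tcp" >&2; bad=1; }
    [ "$wt" = no ]     || { echo "$f: wait=$wt, a stream service needs wait=no" >&2; bad=1; }
    has_word "$sa" -auth=bsdtcp || { echo "$f: server_args lacks -auth=bsdtcp" >&2; bad=1; }
    has_word "$sa" amdump       || { echo "$f: server_args lacks amdump" >&2; bad=1; }
    [ "$ds" = no ]     || { echo "$f: disable=$ds" >&2; bad=1; }
    [ -n "$us" ] && [ "$us" != root ] || { echo "$f: user=$us, run amandad as the backup user" >&2; bad=1; }

    case "$role" in
        client)
            # A backup-only client has no index or tape data to serve; refusing
            # the recovery services there is this check's least-privilege rule.
            if has_word "$sa" amindexd || has_word "$sa" amidxtaped; then
                echo "$f: client entry grants recovery services" >&2; bad=1
            fi ;;
        server)
            has_word "$sa" amindexd   || { echo "$f: server entry lacks amindexd" >&2; bad=1; }
            has_word "$sa" amidxtaped || { echo "$f: server entry lacks amidxtaped" >&2; bad=1; }
            ;;
        *) echo "role must be client or server" >&2; return 2 ;;
    esac
    # only_from is address-based and complements .amandahosts; warn, do not fail.
    [ -n "$of" ] || echo "$f: warning: no only_from, relying on .amandahosts alone" >&2
    return $bad
}

# Usage: sh check_xinetd_bsdtcp.sh /etc/xinetd.d/amanda client
if [ $# -ge 2 ]; then
    check_xinetd_bsdtcp "$1" "$2"
fi
```

The file path /etc/xinetd.d/amanda in the usage line is the conventional location and an assumption here; pass whatever path your distribution uses. After fixing anything it reports, restart xinetd and re-run amcheck from the server.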