How To:Configure bsdtcp authentication: Difference between revisions

From wiki.zmanda.com
No edit summary
(→‎xinetd example: fixed incorrect user name.)
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
As for network services, typically inetd or xinetd, the initial version of Amanda used only bsd authentication.  Starting with Amanda 2.5, bsdudp and bsdtcp authentication methods were introduced (for more information, please see [[Server/Client_authentication]]).  Although the bsd authentication method remains to be the default for Amanda source code (Nov 2008), some packaged versions of Amanda come pre-configured to use the newer and preferred bsdtcp authentication method such as the [http://www.zmanda.com/download-amanda.php Zmanda Community Edition] packages.
{{How To Header}}
NOTE: For authoritative documentation on configuring authentication in Amanda, see {{man|7|amanda-auth}}.


Given which authentication method will be used, a network server entry for amandad (Amanda daemon) must be configured correctly on each Amanda client.  This configuration is necessary for the backup process [[amdump]] which runs on the Amanda server to gain access to each client.
== Which One? ==
There are several authentication mechanisms available for Amanda, so which one should you choose?


This article will progressively march through inetd and xinetd examples of bsd, bsdudp, and bsdtcp authentication methods for Amanda 2.5 and later.  For configuration of a pre-2.5 client (bsd only), please see [[#Backing_up_an_older_Amanda_2.4_client|Backing up an older Amanda 2.4 client]] at the bottom of this page.
Use BSDTCP (easier to set up, risky on a public network) or SSH (better security for open networks) authentication.
 
This article describes BSDTCP.  The details of SSH authentication are given in [[How To:Set up transport encryption with SSH]].
 
BSD is only present for backward-compatibility with versions of Amanda older than 2.5.0.  BSDUDP is a version of BSDTCP that also uses UDP, and UDP is very difficult to debug (since tools like netcat aren't useful).
 
The details of BSD and BSDUDP are given in [[How To:Configure Backward-compatible Authentication Methods]].  For configuration of a pre-2.5 client (bsd only), please see [[How To:Configure Backward-compatible Authentication Methods#Backing_up_an_older_Amanda_2.4_client|Backing up an older Amanda 2.4 client]].


== .amandahosts file ==
== .amandahosts file ==
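Review bot: the rewritten introduction drops the old opening's one structural fact, that amandad is started from inetd or xinetd on every client and that this entry is what lets amdump on the server reach the client, and the new "Which One?" text never restates it before the reader lands in the .amandahosts and inetd/xinetd sections; keep a sentence to that effect. Also, "risky on a public network" deserves its reason in the same breath: the BSD-family methods identify the peer only by the host name resolved for its address plus a claimed user name, and encrypt nothing, which is exactly why the SSH alternative is recommended for open networks.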
Line 49: Line 57:


Xinetd offers the "only_from" parameter which provides a second layer of protection to the permissions allowed in the [[#.amandahosts file|.amandahosts file]].  It is thus not necessary but certainly can be used.
Xinetd offers the "only_from" parameter which provides a second layer of protection to the permissions allowed in the [[#.amandahosts file|.amandahosts file]].  It is thus not necessary but certainly can be used.
== bsd ==
If an authentication method is not specified, ''bsd'' is the default.  Thus, the auth argument to the amandad command does not need to be specified yet makes things perfectly clear.
=== client ===
Clients need to specify the ''amdump'' argument to the amandad command and may make the authentication method clear with the ''auth'' argument.
==== inetd example ====
'''Example of using bsd authorization for inetd server assuming Amanda user is "amanda"'''
amanda          dgram  udp    wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped
==== xinetd example ====
'''Example xinetd.d amanda client service file with backup user "amandabackup"'''
service amanda
{
        only_from      = amandaserver.example.com
        socket_type    = dgram
        protocol        = udp
        wait            = yes
        user            = amandabackup
        group          = disk
        groups          = yes
        server          = /usr/lib/amanda/amandad
        server_args    = -auth=bsd amdump
        disable        = no
}
=== server===
If an Amanda server will also be a backup client to itself, it will use the same client configuration.  However, as the Amanda server is also the recovery server for all clients via the [[amrecover]] command, the x/inetd service entry on the Amanda server should also include ''amindexd'' and ''amidxtaped'' arguments to the amandad command. 
The ''bsd'' authentication method is the default authentication method, thus a configuration with no ''auth'' parameter set will use ''bsd''.  Some packaged versions of Amanda, however, will set another authentication method in the global dumptype meaning it will now apply to all dumptypes based on this global dumptype (such as all dumptypes that ship with Amanda).
If you want to use the ''bsd'' authentication method to connect to a client and yet your server is trying to use some authentication method other than ''bsd'', you must globally remove specifications to another authentication method in the global dumptype or explicitly specify ''bsd'' authentication method for desired clients in the '''disklist''' file on the Amanda server.  For the latter, you must either specify the ''auth'' parameter directly in the '''disklist''' file or a dumptype that uses ''bsd'' authentication method.
'''Example of specifying ''bsd'' authentication directly in the '''disklist''' file.'''
server.example.com    {
        comp-user-tar
        auth "bsd"
        }    1
Example of a dumptype definition specifying ''bsd'' authentication.
define dumptype comp-user-tar {
        ...
        auth "bsd"
        ...
        }
==== inetd example ====
'''Example of using bsd authorization for inetd server assuming Amanda user is "amanda"'''
amanda          dgram  udp    wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped
If you are using TCP wrappers, your inetd entry may look like this assuming Amanda user is "amanda":
amanda          dgram  udp    wait    amanda  /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
==== xinetd example ====
'''Example of xinetd server entry that uses bsd for being a backup client to itself as well as a recovery server for all clients'''
service amanda
{
        only_from      = amandaserver.example.com amandaclient1.example.com amandaclient2.example.com
        socket_type    = dgram
        protocol        = udp
        wait            = yes
        user            = amandabackup
        group          = disk
        groups          = yes
        server          = /usr/lib/amanda/amandad
        server_args    = -auth=bsd amdump amindexd amidxtaped
        disable        = no
}
== bsdudp ==
If you want to use bsdudp authentication and are compiling from source code, you must specify the configure flag
  --with-bsdudp-security
otherwise, amcheck will return messages like:
  Could not find security driver "bsdudp" for host "yourhost". auth for this dle is invalid
=== client ===
Clients need to specify the ''auth'' and ''amdump'' arguments to the amandad command.
==== inetd example ====
'''Example of using ''bsdudp'' authentication for inetd server on an Amanda client using Amanda user "amanda"'''
amanda          dgram  udp    wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsdudp amdump
==== xinetd example ====
'''Example of using ''bsdudp'' authentication for xinetd server on an Amanda clicnet using Amanda user "amanda"'''
service amanda
{
        only_from      = amandaserver.example.com amandaclient.example.com
        socket_type    = dgram
        protocol        = udp
        wait            = yes
        user            = amandabackup
        group          = disk
        groups          = yes
        server          = /usr/lib/amanda/amandad
        server_args    = -auth='''bsdudp''' amdump
        disable        = no
}
=== server ===
You must specify in the '''disklist''' file on the Amanda server that you will use the ''bsdtcp'' authentication method to connect to any clients.  You must either specify the ''auth'' parameter directly in the '''disklist''' file or a dumptype that specifies ''bsdtcp'' authentication method.
'''Example of specifying ''bsdudp'' authentication directly in the '''disklist''' file.'''
server.example.com    {
        comp-user-tar
        auth "bsdudp"
        }    1
Example of a dumptype definition specifying ''bsdudp'' authentication.
define dumptype comp-user-tar {
        ...
        auth "bsdudp"
        ...
}
This may also be set globally in the same way by editing the "global" dumptype definition.
==== inetd example ====
'''Example of using ''bsdudp'' authentication for inetd server assuming Amanda user "amanda"'''
amanda          dgram  udp    wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsdudp amdump amindexd amidxtaped
==== xinetd example ====
'''Example of using ''bsdudp'' authentication for xinetd server assuming Amanda user "amanda"'''
service amanda
{
        only_from      = amandaserver.example.com amandaclient.example.com
        socket_type    = dgram
        protocol        = udp
        wait            = yes
        user            = amandabackup
        group          = disk
        groups          = yes
        server          = /usr/lib/amanda/amandad
        server_args    = -auth='''bsdudp''' amdump amindexd amidxtaped
        disable        = no
}


==bsdtcp==
==bsdtcp==
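Review bot: the bsd and bsdudp sections are removed wholesale, and the deleted text carries two defects that should not simply be carried over to the page they moved to: the bsdudp server subsection tells the reader to put bsdtcp in the disklist ("You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method") while its own examples set auth "bsdudp", and every disklist example here has no disk name between the host name and the inline dumptype braces (server.example.com { ... } 1), although a disklist entry is hostname, diskname, then dumptype. The same disklist pattern survives in the retained bsdtcp section.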
Line 199: Line 72:


==== xinetd example ====
==== xinetd example ====
'''Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
'''Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amandabackup"
  service amanda
  service amanda
  {
  {
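Review bot: the user-name fix matches the stanza's user = amandabackup, but the bold markup of this heading is left unclosed in both the old and the new line (it opens with ''' and never closes), whereas the server-side heading is closed with ''' in a later hunk; close it here as well.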
Line 237: Line 110:


==== xinetd example ====
==== xinetd example ====
'''Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
'''Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"'''
  service amanda
  service amanda
  {
  {
Line 244: Line 117:
         protocol        = '''tcp'''
         protocol        = '''tcp'''
         wait            = '''no'''
         wait            = '''no'''
         user            = amandabackup
         user            = amanda
         group          = disk
         group          = disk
         groups          = yes
         groups          = yes
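Review bot: switching user to amanda makes the server stanza agree with its heading, but it leaves the page running amandad as amanda on the server and as amandabackup in the client stanza, with the .amandahosts examples naming amandabackup. Since the user in the service entry is the account whose ~/.amandahosts amandad reads, and the server's account is the name that must appear in each client's .amandahosts, the page should either use one name throughout or say plainly that server and client may use different accounts and which name goes where.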
Line 251: Line 124:
         disable        = no  
         disable        = no  
  }
  }
== Backing up an older Amanda 2.4 client ==
Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd"
available.
An Amanda 2.5 or later server (using user "amandabackup") may still back up an Amanda 2.4 client
(user "amanda").  For this, the server must use a ''auth "bsd"'' for communication, though a global ''auth "bsdtcp"'' entry can be overridden in special dumptype defines for use on older clients.
'''Example of an inetd file entry on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not as many amandad server arguments)'''
amanda          dgram  udp    wait    amanda  /usr/lib/amanda/amandad      amandad
'''Example of an xinetd file on an older amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not some of the more current parameters such as "server_args")'''
service amanda
{
        only_from      = amandaserver.example.com
        socket_type    = dgram
        protocol        = udp
        wait            = yes
        user            = amanda
        group          = disk
        groups          = yes
        server          = /usr/lib/amanda/amandad
        disable        = no
}
The client's ".amandahosts" file will need to specify that the server connection is from user "amandabackup".
  amandaserver.example.com amandabackup amdump
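Review bot: the removed section says clients at "2.5.0 or earlier" have only bsd, whereas the retained "Which One?" text says bsd is for versions older than 2.5.0; make the moved text agree with the page that now links to it. The .amandahosts example at the end of the removed section (the client naming the server's amandabackup user for amdump) is still present in the retained .amandahosts section, so nothing is lost by the move.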

Latest revision as of 16:11, 20 November 2010

This article is a part of the How Tos collection.

NOTE: For authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).

Which One?

There are several authentication mechanisms available for Amanda, so which one should you choose?

Use BSDTCP (easier to set up, risky on a public network) or SSH (better security for open networks) authentication. BSDTCP, like the other BSD-family methods, identifies the peer only by the host name resolved for its address and by the user name it claims, and it encrypts nothing, so it belongs on a network segment you trust.

This article describes BSDTCP. The details of SSH authentication are given in How To:Set up transport encryption with SSH.

BSD is only present for backward compatibility with versions of Amanda older than 2.5.0. BSDUDP is a variant of BSDTCP that carries part of its exchange over UDP, and UDP is hard to debug (tools like netcat are of little help).

The details of BSD and BSDUDP are given in How To:Configure Backward-compatible Authentication Methods. For configuration of a pre-2.5 client (bsd only), see Backing up an older Amanda 2.4 client on that page.

.amandahosts file

It is very common for Amanda to be compiled to use the .amandahosts file to control access on clients and server with the bsd, bsdudp and bsdtcp authentication methods.

The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. It should be owned by the Amanda backup user and readable and writable only by that user (mode 0600).

The format of .amandahosts is one entry per line:

<amandaserver.example.com> <backup_user> <service(s)>

The first field is the fully qualified domain name of the host being granted access to the local machine; it has to match the name the local resolver returns for the connecting address. The second field is the user name on that host. The remaining fields are the amandad services that host and user may run here:

amdump - used for backing up a client. Granting it lets an Amanda server running amdump (or amcheck) connect to this client and take a backup.
amindexd - the daemon that serves Amanda's index database. Granting it lets an Amanda client running amrecover ask the server which files and directories have been backed up.
amidxtaped - the daemon that reads backup images back from tape or holding disk. Granting it lets an Amanda client running amrecover retrieve data from the server.

Example of the .amandahosts file on an Amanda client

amandaserver.example.com amandabackup amdump 

Example of the .amandahosts file on an Amanda server (amrecover is normally run as root on the client, hence the user root)

amandaclient1.example.com root amindexd amidxtaped
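The two checks described above, as an added shell example that is not part of the wiki page and not Amanda's own code: amandahosts_secure applies the ownership and mode requirement, and amandahosts_allows answers the question amandad asks (does this user on this host get this service?) against a constructed .amandahosts that combines the client and server lines shown. The caller supplies the already-resolved host name; comment handling, case-insensitive comparison and the treatment of a line with no service field are assumptions of the example, flagged in comments. amandad itself resolves the peer address and makes this decision in C.

```sh
#!/bin/sh
# Added example (not from the Zmanda wiki, not Amanda's code): the checks a
# client's .amandahosts must pass, written so they can be run before amcheck.

# amandahosts_secure FILE
# Exit 0 when FILE is owned by the invoking user and carries no group/other
# permission bits (the page's "readable and writable only by the Amanda
# backup user"); otherwise print the reason and exit 1.
amandahosts_secure() {
    f=$1
    me=$(id -un 2>/dev/null || id -u)
    set -- $(ls -ld "$f")                 # $1 = mode string, $3 = owner name
    case "$1" in
        ????------*) ;;                   # -rw-------; a trailing + or . (ACL/SELinux) is tolerated
        *) echo "$f: mode '$1' grants access beyond the owner"; return 1 ;;
    esac
    [ "$3" = "$me" ] || { echo "$f: owned by $3, expected $me"; return 1; }
}

# amandahosts_allows FILE HOST USER SERVICE
# Exit 0 if some line of FILE grants USER on HOST the amandad SERVICE.
# HOST is the name the client resolves for the peer address; the real
# daemon does that lookup itself, this function just takes the result.
amandahosts_allows() {
    awk -v host="$2" -v user="$3" -v svc="$4" '
        BEGIN { host = tolower(host); user = tolower(user) }
        NF < 2 || $1 ~ /^#/ { next }                     # assumption: blank and # lines are ignorable
        tolower($1) == host && tolower($2) == user {     # assumption: names compare case-insensitively
            if (NF == 2 && svc == "amdump") ok = 1       # assumption: no service field means amdump only
            for (i = 3; i <= NF; i++) if ($i == svc) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# --- constructed sample data (the client and server lines from the page) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
HOSTS_FILE=$DEMO_DIR/.amandahosts        # correctly protected copy
LOOSE_FILE=$DEMO_DIR/.amandahosts.loose  # same content, world-readable
printf '%s\n' \
    'amandaserver.example.com amandabackup amdump' \
    'amandaclient1.example.com root amindexd amidxtaped' > "$HOSTS_FILE"
chmod 600 "$HOSTS_FILE"
cp "$HOSTS_FILE" "$LOOSE_FILE"
chmod 644 "$LOOSE_FILE"

amandahosts_secure "$HOSTS_FILE" && echo "$HOSTS_FILE: permissions ok"
amandahosts_secure "$LOOSE_FILE" || echo "(fix with chmod 600)"

for req in "amandaserver.example.com amandabackup amdump" \
           "amandaserver.example.com amandabackup amindexd" \
           "evil.example.com amandabackup amdump"; do
    if amandahosts_allows "$HOSTS_FILE" $req; then echo "ALLOW $req"; else echo "DENY  $req"; fi
done
```

Run it as the Amanda backup user on the client so the ownership comparison means the same thing it means to amandad; the sample file is created under a temporary directory and removed on exit.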

General info on using inetd

On each client, and on the server (which is a client of itself and the recovery server for the others), amandad is started by inetd or xinetd. The service entry fixes the authentication method with the -auth argument and lists the services amandad will offer; this is what lets amdump on the server reach the client. Both daemons look the service name amanda up in /etc/services (10080/tcp for bsdtcp), so that entry must exist.

Template for Amanda client inetd service entry

 <service_name>  <socket_type>   <protocol>  <wait/nowait>   <amanda_backup_user>  <absolute_path_to_amandad>   amandad  <server_args>

General info on using xinetd

Template for Amanda client xinetd service file

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = <socket type>
       protocol                = <protocol>
       wait                    = <"yes"/"no">
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = <amandad server arguments>
       disable                 = no
 }

Xinetd's "only_from" parameter adds a second layer of protection in front of the permissions in the .amandahosts file: xinetd refuses the connection before amandad is even started. It is not required, but it is cheap defense in depth, so list the Amanda server there (and, on the server, the clients that will run amrecover).

bsdtcp

If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdtcp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

client

Clients need to specify the auth and amdump arguments to the amandad command. Which user name goes in the entry depends on your packaging: the examples below use "amanda" for inetd and "amandabackup" (the name the Zmanda packages use) for xinetd. Whatever the name, amandad runs as that user and reads that user's ~/.amandahosts, and the entry in that file must name the account the server's amdump runs as.

inetd example

Example of inetd service entry using bsdtcp authentication and assuming Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump

xinetd example

Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no 
}

server

You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method to connect to each client. You must either specify the auth parameter directly in the disklist file or a dumptype that specifies bsdtcp authentication method. The auth setting on the server must match the -auth argument in the client's amandad entry, otherwise amcheck fails for that client.

Example of specifying bsdtcp authentication directly in the disklist file. A disklist entry is host name, disk name, then dumptype; the disk name /home below is a placeholder.

server.example.com    /home    {
       comp-user-tar
       auth "bsdtcp"
       }    1

Example of a dumptype definition specifying bsdtcp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
}

This may also be set globally in the same way by editing the "global" dumptype definition.

inetd example

Example of inetd service entry using bsdtcp authentication and assuming Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump amindexd amidxtaped

xinetd example

Example of xinetd service entry using bsdtcp authentication and assuming Amanda user is "amanda"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}
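As an added example (not from the wiki page and not an Amanda tool), the following shell lint applies the rules from the client and server examples above to an inetd line or an xinetd stanza. It catches the usual copy-paste mistake of keeping dgram/udp/wait from a bsd-era entry while changing only -auth, which leaves no TCP listener for the server's bsdtcp connection. The stanzas and lines it checks are constructed for the demonstration; the key names and the stream/tcp/nowait requirement are the page's own.

```sh
#!/bin/sh
# Added example (not from the Zmanda wiki): lint an amandad service entry
# meant for bsdtcp, in inetd or xinetd form.  Findings go to stdout; the
# exit status is 0 only when the entry is consistent.

# lint_bsdtcp_inetd "LINE"  -- LINE is one /etc/inetd.conf entry
lint_bsdtcp_inetd() {
    set -- $1                                # split the line into its fields
    rc=0
    [ $# -ge 8 ] || { echo "inetd: expected at least 8 fields, got $#"; return 1; }
    [ "$2" = stream ] || { echo "inetd: socket type '$2', bsdtcp needs stream"; rc=1; }
    [ "$3" = tcp ]    || { echo "inetd: protocol '$3', bsdtcp needs tcp"; rc=1; }
    [ "$4" = nowait ] || { echo "inetd: wait field '$4', a stream service needs nowait"; rc=1; }
    shift 7                                  # keep only amandad's own arguments
    case " $* " in *" -auth=bsdtcp "*) ;; *) echo "inetd: arguments lack -auth=bsdtcp"; rc=1 ;; esac
    case " $* " in *" amdump "*) ;;       *) echo "inetd: arguments lack the amdump service"; rc=1 ;; esac
    return $rc
}

# lint_bsdtcp_xinetd "STANZA"  -- STANZA is the text of one xinetd service file
lint_bsdtcp_xinetd() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[A-Za-z_]+[[:space:]]*[+]?=/ {
            key = $0; sub(/[[:space:]]*[+]?=.*/, "", key); sub(/^[[:space:]]*/, "", key)
            v = $0;   sub(/^[^=]*=[[:space:]]*/, "", v);  sub(/[[:space:]]+$/, "", v)
            val[key] = v
        }
        END {
            rc = 0
            if (val["socket_type"] != "stream") { print "xinetd: socket_type must be stream for bsdtcp"; rc = 1 }
            if (val["protocol"]    != "tcp")    { print "xinetd: protocol must be tcp for bsdtcp"; rc = 1 }
            if (val["wait"]        != "no")     { print "xinetd: wait must be no for a stream service"; rc = 1 }
            if (val["disable"]     == "yes")    { print "xinetd: service is disabled"; rc = 1 }
            if (val["server_args"] !~ /(^| )-auth=bsdtcp( |$)/) { print "xinetd: server_args lacks -auth=bsdtcp"; rc = 1 }
            if (val["server_args"] !~ /(^| )amdump( |$)/)       { print "xinetd: server_args lacks the amdump service"; rc = 1 }
            # only_from is optional (amandad still checks .amandahosts), so this is a note, not a failure
            if (val["only_from"] == "") { print "xinetd: note: no only_from, .amandahosts is the only filter" }
            exit rc
        }'
}

# Constructed inputs: BAD_* are bsd-era dgram/udp entries with only -auth
# changed; GOOD_* are the bsdtcp entries from this page.
BAD_STANZA='service amanda
{
        only_from       = amandaserver.example.com
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = amandabackup
        group           = disk
        server          = /usr/lib/amanda/amandad
        server_args     = -auth=bsdtcp amdump
        disable         = no
}'
GOOD_STANZA='service amanda
{
        only_from       = amandaserver.example.com amandaclient.example.com
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = amandabackup
        group           = disk
        server          = /usr/lib/amanda/amandad
        server_args     = -auth=bsdtcp amdump amindexd amidxtaped
        disable         = no
}'
GOOD_INETD='amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump amindexd amidxtaped'
BAD_INETD='amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump'

if lint_bsdtcp_xinetd "$GOOD_STANZA"; then echo "xinetd stanza: ok"; else echo "xinetd stanza: rejected"; fi
if lint_bsdtcp_xinetd "$BAD_STANZA";  then echo "xinetd stanza: ok"; else echo "xinetd stanza: rejected"; fi
if lint_bsdtcp_inetd "$GOOD_INETD";   then echo "inetd line: ok";    else echo "inetd line: rejected";    fi
if lint_bsdtcp_inetd "$BAD_INETD";    then echo "inetd line: ok";    else echo "inetd line: rejected";    fi
```

To lint a real file, pass its contents: lint_bsdtcp_xinetd "$(cat /etc/xinetd.d/amanda)" or lint_bsdtcp_inetd "$(grep '^amanda' /etc/inetd.conf)". The lint checks the entry's shape only; whether the server's disklist or dumptype says auth "bsdtcp" for that host is still a separate check on the server.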