How To:Configure bsdtcp authentication
This article is a part of the How Tos collection.
As for network services, typically inetd or xinetd, the initial version of Amanda used only bsd authentication. Starting with Amanda 2.5, bsdudp and bsdtcp authentication methods were introduced (for more information, please see Server/Client_authentication). Although the bsd authentication method remains to be the default for Amanda source code (Nov 2008), some packaged versions of Amanda come pre-configured to use the newer and preferred bsdtcp authentication method such as the Zmanda Community Edition packages.
Given which authentication method will be used, a network server entry for amandad (Amanda daemon) must be configured correctly on each Amanda client. This configuration is necessary for the backup process amdump which runs on the Amanda server to gain access to each client.
This article will progressively march through inetd and xinetd examples of bsd, bsdudp, and bsdtcp authentication methods for Amanda 2.5 and later. For configuration of a pre-2.5 client (bsd only), please see Backing up an older Amanda 2.4 client at the bottom of this page.
For the authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).
.amandahosts file
It is very common for Amanda to be compiled to use the .amandahosts file to control access on clients and server using the bsd, bsdudp, and bsdtcp authentication methods.
The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. This file should be readable and writable only by the Amanda backup user.
The format of .amandahosts is
<amandaserver.example.com> <backup_user> <service(s)>
The first field is the fully qualified domain name of the server which is being granted access to the local client machine as backup_user to perform service(s).
service(s) are the amandad services allowed to be run on the configured client/server amdump - is used for backing up a client. Specifying this allows an Amanda server running an amdump command to connect to an Amanda client to perform a backup. amindexd - is the daemon that accesses Amanda's index database. Specifying this allows an Amanda client running amrecover to access the database on an Amanda server to determine which files and directories have been backed up on the client. amidxtaped - is the daemon that accesses Amanda's log files. Specifying this allows an Amanda client running amrecover to access tape information on an Amanda server.
Example of the .amandahosts file on an Amanda client
amandaserver.example.com amandabackup amdump
Example of the .amandahosts file on an Amanda server
amandaclient1.example.com root amindexd amidxtaped
General info on using inetd
Template for Amanda client inetd service entry
<service_name> <socket_type> <protocol> <wait/nowait> <amanda_backup_user> <absolute_path_to_amandad> amandad <server_args>
General info on using xinetd
Template for Amanda client xinetd service file
service amanda { only_from = <Amanda server> socket_type = <socket type> protocol = <protocol> wait = <"yes"/"no"> user = <amanda backup user> group = <amanda backup user group id> groups = yes server = <absolute path to amandad> server_args = <amandad server arguments> disable = no }
Xinetd offers the "only_from" parameter which provides a second layer of protection to the permissions allowed in the .amandahosts file. It is thus not necessary but certainly can be used.
bsd
If an authentication method is not specified, bsd is the default. Thus, the auth argument to the amandad command does not need to be specified yet makes things perfectly clear.
client
Clients need to specify the amdump argument to the amandad command and may make the authentication method clear with the auth argument.
inetd example
Example of using bsd authorization for inetd server assuming Amanda user is "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped
xinetd example
Example xinetd.d amanda client service file with backup user "amandabackup"
service amanda { only_from = amandaserver.example.com socket_type = dgram protocol = udp wait = yes user = amandabackup group = disk groups = yes server = /usr/lib/amanda/amandad server_args = -auth=bsd amdump disable = no }
server
If an Amanda server will also be a backup client to itself, it will use the same client configuration. However, as the Amanda server is also the recovery server for all clients via the amrecover command, the x/inetd service entry on the Amanda server should also include amindexd and amidxtaped arguments to the amandad command.
The bsd authentication method is the default authentication method, thus a configuration with no auth parameter set will use bsd. Some packaged versions of Amanda, however, will set another authentication method in the global dumptype meaning it will now apply to all dumptypes based on this global dumptype (such as all dumptypes that ship with Amanda).
If you want to use the bsd authentication method to connect to a client and yet your server is trying to use some authentication method other than bsd, you must globally remove specifications to another authentication method in the global dumptype or explicitly specify bsd authentication method for desired clients in the disklist file on the Amanda server. For the latter, you must either specify the auth parameter directly in the disklist file or a dumptype that uses bsd authentication method.
Example of specifying bsd authentication directly in the disklist file.
server.example.com { comp-user-tar auth "bsd" } 1
Example of a dumptype definition specifying bsd authentication.
define dumptype comp-user-tar { ... auth "bsd" ... }
inetd example
Example of using bsd authorization for inetd server assuming Amanda user is "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped
If you are using TCP wrappers, your inetd entry may look like this assuming Amanda user is "amanda":
amanda dgram udp wait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
xinetd example
Example of xinetd server entry that uses bsd for being a backup client to itself as well as a recovery server for all clients
service amanda { only_from = amandaserver.example.com amandaclient1.example.com amandaclient2.example.com socket_type = dgram protocol = udp wait = yes user = amandabackup group = disk groups = yes server = /usr/lib/amanda/amandad server_args = -auth=bsd amdump amindexd amidxtaped disable = no }
bsdudp
If you want to use bsdudp authentication and are compiling from source code, you must specify the configure flag
--with-bsdudp-security
otherwise, amcheck will return messages like:
Could not find security driver "bsdudp" for host "yourhost". auth for this dle is invalid
client
Clients need to specify the auth and amdump arguments to the amandad command.
inetd example
Example of using bsdudp authentication for inetd server on an Amanda client using Amanda user "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump
xinetd example
Example of using bsdudp authentication for xinetd server on an Amanda client using Amanda user "amandabackup"
service amanda { only_from = amandaserver.example.com amandaclient.example.com socket_type = dgram protocol = udp wait = yes user = amandabackup group = disk groups = yes server = /usr/lib/amanda/amandad server_args = -auth=bsdudp amdump disable = no }
server
You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method to connect to any clients. You must either specify the auth parameter directly in the disklist file or a dumptype that specifies bsdtcp authentication method.
Example of specifying bsdudp authentication directly in the disklist file.
server.example.com { comp-user-tar auth "bsdudp" } 1
Example of a dumptype definition specifying bsdudp authentication.
define dumptype comp-user-tar { ... auth "bsdudp" ... }
This may also be set globally in the same way by editing the "global" dumptype definition.
inetd example
Example of using bsdudp authentication for inetd server assuming Amanda user "amanda"
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump amindexd amidxtaped
xinetd example
Example of using bsdudp authentication for xinetd server assuming Amanda user "amanda"
service amanda { only_from = amandaserver.example.com amandaclient.example.com socket_type = dgram protocol = udp wait = yes user = amandabackup group = disk groups = yes server = /usr/lib/amanda/amandad server_args = -auth=bsdudp amdump amindexd amidxtaped disable = no }
bsdtcp
If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag
--with-bsdtcp-security
otherwise, amcheck will return messages like:
Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid
client
Clients need to specify the auth and amdump arguments to the amandad command.
inetd example
Example of inetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump
xinetd example
Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amandabackup"
service amanda { only_from = amandaserver.example.com amandaclient.example.com socket_type = stream protocol = tcp wait = no user = amandabackup group = disk groups = yes server = /usr/lib/amanda/amandad server_args = -auth=bsdtcp amdump disable = no }
server
You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method to connect to any clients. You must either specify the auth parameter directly in the disklist file or a dumptype that specifies bsdtcp authentication method.
Example of specifying bsdtcp authentication directly in the disklist file.
server.example.com { comp-user-tar auth "bsdtcp" } 1
Example of a dumptype definition specifying bsdtcp authentication.
define dumptype comp-user-tar { ... auth "bsdtcp" ... }
This may also be set globally in the same way by editing the "global" dumptype definition.
inetd example
Example of inetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump amindexd amidxtaped
xinetd example
Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
service amanda { only_from = amandaserver.example.com amandaclient.example.com socket_type = stream protocol = tcp wait = no user = amandabackup group = disk groups = yes server = /usr/lib/amanda/amandad server_args = -auth=bsdtcp amdump amindexd amidxtaped disable = no }
Backing up an older Amanda 2.4 client
Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd" available.
An Amanda 2.5 or later server (using user "amandabackup") may still back up an Amanda 2.4 client (user "amanda"). For this, the server must use a auth "bsd" for communication, though a global auth "bsdtcp" entry can be overridden in special dumptype defines for use on older clients.
Example of an inetd file entry on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not as many amandad server arguments)
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad
Example of an xinetd file on an older amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not some of the more current parameters such as "server_args")
service amanda { only_from = amandaserver.example.com socket_type = dgram protocol = udp wait = yes user = amanda group = disk groups = yes server = /usr/lib/amanda/amandad disable = no }
The client's ".amandahosts" file will need to specify that the server connection is from user "amandabackup".
amandaserver.example.com amandabackup amdump