How To:Configure bsdtcp authentication

From The Open Source Backup Wiki (Amanda, MySQL Backup, BackupPC)
Revision as of 22:03, 1 December 2008 by Pyeatman (talk | contribs)

Like other network services that are typically started from inetd or xinetd, the initial versions of Amanda used only bsd authentication. Starting with Amanda 2.5, the bsdudp and bsdtcp authentication methods were introduced (for more information, please see Server/Client_authentication). Although bsd remains the default authentication method in the Amanda source code (as of Nov 2008), some packaged versions of Amanda, such as the Zmanda Community Edition packages, come pre-configured to use the newer and preferred bsdtcp authentication method.

Whichever authentication method is used, a network server entry for amandad (the Amanda daemon) must be configured correctly on each Amanda client. This entry is what allows the amdump process running on the Amanda server to reach each client.

This article works through inetd and xinetd examples of the bsd, bsdudp, and bsdtcp authentication methods for Amanda 2.5 and later. For configuration of a pre-2.5 client (bsd only), please see "Backing up an older Amanda 2.4 client" at the bottom of this page.

.amandahosts file

Amanda is very commonly compiled to use the .amandahosts file to control access on clients and on the server for the bsd, bsdudp, and bsdtcp authentication methods.

The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. This file should be readable and writable only by the Amanda backup user.

The format of .amandahosts is

<amandaserver.example.com> <backup_user> <service(s)>

The first field is the fully qualified domain name of the server that is being granted access to the local client machine; the second field is the user (backup_user) it connects as; the remaining field(s) are the service(s) it may perform.

service(s) are the amandad services that the named host is allowed to run on the configured client or server:

amdump - used for backing up a client. Specifying this allows an Amanda server running the amdump command to connect to the Amanda client and perform a backup.

amindexd - the daemon that accesses Amanda's index database. Specifying this allows an Amanda client running amrecover to access the database on the Amanda server to determine which files and directories have been backed up from the client.

amidxtaped - the daemon that accesses Amanda's log files. Specifying this allows an Amanda client running amrecover to access tape information on the Amanda server.

Example of the .amandahosts file on an Amanda client

amandaserver.example.com amandabackup amdump 

Example of the .amandahosts file on an Amanda server

amandaclient1.example.com root amindexd amidxtaped
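The following is an added example, not part of the original wiki page or of Amanda itself. It parses a constructed .amandahosts file in the three-field format described above, answers the question "may this host, as this user, run this service?", and checks the two file-permission requirements stated above (owned by the Amanda backup user, no group or other access). Treating a line with fewer than three fields as malformed, and comparing host names case-insensitively, are choices of this checker, not documented Amanda behaviour.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample .amandahosts for an Amanda server that also backs itself up.
# Each line: <fully qualified host> <backup user> <service(s)>
SAMPLE_AMANDAHOSTS = """\
# the server may run amdump against this host
amandaserver.example.com amandabackup amdump
# clients may run amrecover against this server's index and tape daemons
amandaclient1.example.com root amindexd amidxtaped
amandaclient2.example.com   root   amindexd   amidxtaped
"""


def parse_amandahosts(text):
    """Return a list of (host, user, services) tuples from .amandahosts text.

    Blank lines and '#' comments are skipped. Lines with fewer than three
    whitespace-separated fields are rejected rather than silently accepted
    (assumption of this checker: Amanda's own parser may be more lenient).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected '<host> <user> <service...>', got {raw!r}")
        host, user, services = fields[0], fields[1], frozenset(fields[2:])
        entries.append((host.lower(), user, services))
    return entries


def is_allowed(entries, host, user, service):
    """True if .amandahosts grants `user` on `host` the right to run `service`."""
    host = host.lower()
    return any(h == host and u == user and service in s for h, u, s in entries)


def check_permissions(path, owner_uid):
    """Return findings for a .amandahosts file; empty means it is owner-only, as required."""
    st = os.stat(path)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid {st.st_uid} is not the Amanda backup user ({owner_uid})")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access; expected 0600")
    return findings


def demo():
    """Parse the sample, then show the permission check on a loose and a tight copy."""
    entries = parse_amandahosts(SAMPLE_AMANDAHOSTS)
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / ".amandahosts"
        p.write_text(SAMPLE_AMANDAHOSTS)
        os.chmod(p, 0o644)                      # world-readable: should be reported
        loose = check_permissions(p, os.getuid())
        os.chmod(p, 0o600)                      # owner-only: should pass
        tight = check_permissions(p, os.getuid())
    return entries, loose, tight


if __name__ == "__main__":
    entries, loose, tight = demo()
    print(is_allowed(entries, "amandaserver.example.com", "amandabackup", "amdump"))
    print(loose, tight)
```

Run it against a real file by pointing check_permissions at the Amanda user's home directory and passing that user's uid; the parse and is_allowed functions work on the file's text unchanged.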

General info on using inetd

Template for Amanda client inetd service entry

 <service_name>  <socket_type>   <protocol>  <wait/nowait>   <amanda_backup_user>  <absolute_path_to_amandad>   amandad  <server_args>

General info on using xinetd

Template for Amanda client xinetd service file

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = <socket type>
       protocol                = <protocol>
       wait                    = <"yes"/"no">
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = <amandad server arguments>
       disable                 = no
 }

Xinetd offers the "only_from" parameter, which adds a second layer of protection on top of the permissions granted in the .amandahosts file. It is not required, but it can certainly be used.

bsd

If no authentication method is specified, bsd is the default. The auth argument to the amandad command therefore does not need to be given, but giving it makes the configuration perfectly clear.

client

Clients need to specify the amdump argument to the amandad command, and may make the authentication method explicit with the auth argument.

inetd example

Example inetd entry on an Amanda client using bsd authentication, assuming the Amanda user is "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump

xinetd example

Example xinetd.d amanda client service file with backup user "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump
       disable         = no 
}

server

If an Amanda server will also be a backup client to itself, it will use the same client configuration. However, as the Amanda server is also the recovery server for all clients via the amrecover command, the x/inetd service entry on the Amanda server should also include amindexd and amidxtaped arguments to the amandad command.

The bsd authentication method is the default, so a configuration with no auth parameter set will use bsd. Some packaged versions of Amanda, however, set another authentication method in the global dumptype, which then applies to every dumptype derived from that global dumptype (such as all the dumptypes that ship with Amanda).

If you want to use bsd authentication to connect to a client, yet your server is configured to use some other authentication method, you must either remove the other method from the global dumptype or explicitly specify bsd for the desired clients in the disklist file on the Amanda server. For the latter, either set the auth parameter directly in the disklist entry or reference a dumptype that uses bsd authentication.

Example of specifying bsd authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsd"
       }    1

Example of a dumptype definition specifying bsd authentication.

define dumptype comp-user-tar {
        ...
        auth "bsd"
        ...
}

inetd example

Example inetd entry on an Amanda server using bsd authentication, assuming the Amanda user is "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped

If you are using TCP wrappers, your inetd entry may look like this (assuming the Amanda user is "amanda"):

amanda          dgram   udp     wait    amanda  /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped

xinetd example

Example xinetd entry on an Amanda server that uses bsd authentication both as a backup client to itself and as the recovery server for all clients

service amanda
{
       only_from       = amandaserver.example.com amandaclient1.example.com amandaclient2.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump amindexd amidxtaped
       disable         = no 
}


bsdudp

If you want to use bsdudp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdudp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdudp" for host "yourhost". auth for this dle is invalid

client

Clients need to specify the auth and amdump arguments to the amandad command.

inetd example

Example inetd entry on an Amanda client using bsdudp authentication and Amanda user "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsdudp amdump

xinetd example

Example xinetd entry on an Amanda client using bsdudp authentication and Amanda user "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdudp amdump
       disable         = no 
}

server

You must specify in the disklist file on the Amanda server that bsdudp authentication is used to connect to the clients. Either set the auth parameter directly in the disklist entry or reference a dumptype that specifies bsdudp authentication.

Example of specifying bsdudp authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsdudp"
       }    1

Example of a dumptype definition specifying bsdudp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdudp"
        ...
}

This may also be set globally in the same way by editing the "global" dumptype definition.

inetd example

Example inetd entry on an Amanda server using bsdudp authentication, assuming Amanda user "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsdudp amdump amindexd amidxtaped

xinetd example

Example xinetd entry on an Amanda server using bsdudp authentication, assuming Amanda user "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdudp amdump amindexd amidxtaped
       disable         = no 
}


bsdtcp

If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdtcp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

client

Clients need to specify the auth and amdump arguments to the amandad command.

inetd example

Example inetd entry on an Amanda client using bsdtcp authentication, assuming the Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump

xinetd example

Example xinetd entry on an Amanda client using bsdtcp authentication, assuming the Amanda user is "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no 
}

server

You must specify in the disklist file on the Amanda server that bsdtcp authentication is used to connect to the clients. Either set the auth parameter directly in the disklist entry or reference a dumptype that specifies bsdtcp authentication.

Example of specifying bsdtcp authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsdtcp"
       }    1

Example of a dumptype definition specifying bsdtcp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
}

This may also be set globally in the same way by editing the "global" dumptype definition.

inetd example

Example inetd entry on an Amanda server using bsdtcp authentication, assuming the Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump amindexd amidxtaped

xinetd example

Example xinetd entry on an Amanda server using bsdtcp authentication, assuming the Amanda user is "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}
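The three sections above share one rule that is easy to get wrong when switching methods: bsd and bsdudp entries are dgram/udp/wait, while bsdtcp entries are stream/tcp/nowait (xinetd "wait = no"), and the socket settings must match whatever -auth is passed in server_args. The following checker is an added example, not code from the wiki page or from Amanda: it parses an inetd line (plain or TCP-wrappers form) or an xinetd service block into one shape and reports mismatches between -auth and the socket settings, a missing amdump, missing amindexd/amidxtaped on a recovery server, a relative server path, and an xinetd block with no only_from. It assumes an Amanda 2.5 or later amandad, so the argument-less 2.4 form at the end of this article would be flagged as missing amdump. The two inputs are constructed samples.

```python
import re

# Socket type, protocol and wait mode each amandad authentication method needs,
# in inetd spelling, as shown by the inetd and xinetd examples above.
EXPECTED = {
    "bsd":    ("dgram",  "udp", "wait"),
    "bsdudp": ("dgram",  "udp", "wait"),
    "bsdtcp": ("stream", "tcp", "nowait"),
}
RECOVERY_SERVICES = ("amindexd", "amidxtaped")


def parse_inetd_line(line):
    """Parse an inetd.conf amandad entry into the dict shape shared with the xinetd parser.

    Plain form: field 6 is the amandad path and field 7 is argv[0] ("amandad").
    TCP-wrappers form: field 6 is tcpd and field 7 is the real amandad path.
    """
    f = line.split()
    if len(f) < 7:
        raise ValueError("too few fields for an inetd entry: " + line)
    server, argv0 = f[5], f[6]
    if server.endswith("tcpd"):
        server = argv0                         # tcpd execs the path it was handed
    return {"kind": "inetd", "socket_type": f[1], "protocol": f[2], "wait": f[3],
            "user": f[4], "server": server, "server_args": f[7:], "only_from": None}


def parse_xinetd_block(text):
    """Parse a `service amanda { key = value ... }` file into the same dict shape."""
    m = re.search(r"service\s+\S+\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no xinetd service block found")
    kv = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            kv[key.strip()] = value.strip()
    wait = {"yes": "wait", "no": "nowait"}.get(kv.get("wait", "").lower())
    return {"kind": "xinetd", "socket_type": kv.get("socket_type"), "protocol": kv.get("protocol"),
            "wait": wait, "user": kv.get("user"), "server": kv.get("server"),
            "server_args": kv.get("server_args", "").split(),
            "only_from": kv.get("only_from", "").split() or None}


def check_entry(spec, recovery_server=False):
    """Return the list of inconsistencies in a parsed entry (empty means it looks right)."""
    problems = []
    args = spec["server_args"]
    auth = "bsd"                               # amandad's default when -auth is absent
    for a in args:
        if a.startswith("-auth="):
            auth = a.split("=", 1)[1]
    if auth not in EXPECTED:
        problems.append(f"unknown auth method {auth!r}")
    else:
        want = EXPECTED[auth]
        have = (spec["socket_type"], spec["protocol"], spec["wait"])
        if have != want:
            problems.append(f"auth {auth} needs {'/'.join(want)} but entry has {'/'.join(map(str, have))}")
    services = [a for a in args if not a.startswith("-")]
    if "amdump" not in services:
        problems.append("amdump not listed: the server's amdump run will be refused")
    if recovery_server:
        problems += [f"{s} not listed: amrecover from clients will fail"
                     for s in RECOVERY_SERVICES if s not in services]
    if not (spec["server"] or "").startswith("/"):
        problems.append("server must be an absolute path to amandad")
    if spec["kind"] == "xinetd" and not spec["only_from"]:
        problems.append("only_from not set: access control rests on .amandahosts alone")
    return problems


# Constructed samples in the article's layout: a correct bsdtcp server entry behind
# TCP wrappers, and an xinetd client block whose socket settings were left at the
# udp values after server_args was switched to bsdtcp.
INETD_SERVER = ("amanda stream tcp nowait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad "
                "-auth=bsdtcp amdump amindexd amidxtaped")
XINETD_BAD_CLIENT = """\
service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no
}
"""

if __name__ == "__main__":
    print("inetd server:", check_entry(parse_inetd_line(INETD_SERVER), True) or "OK")
    print("xinetd client:", check_entry(parse_xinetd_block(XINETD_BAD_CLIENT)) or "OK")
```

Feed it the amanda line from /etc/inetd.conf or the contents of /etc/xinetd.d/amanda; pass recovery_server=True for the entry on the Amanda server so that the amindexd/amidxtaped requirement from the server sections is enforced too.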

Backing up an older Amanda 2.4 client

Older versions of the Amanda client software (2.5.0 or earlier) have only the "bsd" authentication method available.

An Amanda 2.5 or later server (using user "amandabackup") may still back up an Amanda 2.4 client (using user "amanda"). For this, the server must use auth "bsd" to communicate with that client; a global auth "bsdtcp" entry can be overridden in a special dumptype defined for use on the older clients.
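The override just described, and the same point made in the bsd server section above (a global dumptype's auth applies to every dumptype derived from it unless a more specific dumptype or the disklist entry sets auth itself), can be checked before running amdump. The resolver below is an added example, not code from the wiki page or from Amanda. It reads a constructed amanda.conf fragment and a constructed disklist and reports the effective authentication method per disk. It assumes the standard disklist layout of host, disk name, dumptype (or an inline { ... } block), spindle, and that a bare dumptype name inside a dumptype body means "inherit from that dumptype"; dumptypes must be defined before they are referenced.

```python
import re
import shlex

# Constructed amanda.conf fragment: the packaged "global" dumptype selects bsdtcp,
# comp-user-tar inherits it, and old-client-tar overrides auth for 2.4 clients.
AMANDA_CONF = """\
define dumptype global {
    comment "shipped defaults"
    auth "bsdtcp"
    index yes
}
define dumptype comp-user-tar {
    global
    program "GNUTAR"
    compress client fast
}
define dumptype old-client-tar {
    comp-user-tar
    auth "bsd"
}
"""

# Constructed disklist: host, disk, dumptype or inline override block, spindle.
DISKLIST = """\
client1.example.com  /home   comp-user-tar        1
oldbox.example.com   /var    old-client-tar       1
server.example.com   /etc    {
       comp-user-tar
       auth "bsd"
       }    1
"""


def _parse_body(body, known):
    """Return (parent dumptype or None, explicit auth or None) for one dumptype body."""
    parent = auth = None
    toks = shlex.split(body, comments=True)    # handles quoted values and '#' comments
    for i, tok in enumerate(toks):
        if tok == "auth" and i + 1 < len(toks):
            auth = toks[i + 1]
        elif tok in known and parent is None:
            parent = tok                       # bare dumptype name: inherit from it
    return parent, auth


def parse_dumptypes(text):
    """Map dumptype name -> (parent, explicit auth) from `define dumptype` blocks."""
    types = {}
    for name, body in re.findall(r"define\s+dumptype\s+(\S+)\s*\{(.*?)\}", text, re.S):
        types[name] = _parse_body(body, types)
    return types


def effective_auth(types, parent, auth, default="bsd"):
    """Walk the inheritance chain; the nearest explicit auth wins, else amandad's default."""
    seen = set()
    while auth is None and parent is not None and parent not in seen:
        seen.add(parent)
        parent, auth = types[parent]
    return auth or default


def resolve_disklist(types, text):
    """Return {(host, disk): effective auth} for every disklist entry."""
    result = {}
    # fold multi-line inline blocks onto one line so each entry is one line
    flat = re.sub(r"\{[^}]*\}", lambda m: m.group(0).replace("\n", " "), text)
    for raw in flat.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, disk, rest = line.split(None, 2)
        if rest.startswith("{"):
            parent, auth = _parse_body(rest[1:rest.index("}")], types)
        else:
            parent, auth = rest.split()[0], None
            if parent not in types:
                raise ValueError(f"{host} {disk}: unknown dumptype {parent!r}")
        result[(host, disk)] = effective_auth(types, parent, auth)
    return result


if __name__ == "__main__":
    for (host, disk), auth in resolve_disklist(parse_dumptypes(AMANDA_CONF), DISKLIST).items():
        print(f"{host:22} {disk:6} auth={auth}")
```

The result for each host must agree with the -auth argument in that client's inetd or xinetd entry; a host resolved to bsdtcp here but still running a dgram/udp amandad entry is exactly the "Could not find security driver" or connection failure that amcheck reports.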

Example inetd entry on an older Amanda 2.4 client (using user "amanda") that supports only bsd authentication (and accepts fewer amandad server arguments)

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad

Example xinetd file on an older Amanda 2.4 client (using user "amanda") that supports only bsd authentication (and not some of the more current parameters such as "server_args")

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       disable         = no 
}

The client's ".amandahosts" file will need to specify that the server connection is from user "amandabackup".

 amandaserver.example.com amandabackup amdump