How To:Configure bsdtcp authentication
Latest revision as of 16:11, 20 November 2010
This article is a part of the How Tos collection.
NOTE: For authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).
Which One?
There are several authentication mechanisms available for Amanda, so which one should you choose?
Use BSDTCP (easier to set up, but risky on a public network: it identifies the peer only by host name and user name and does not encrypt the connection) or SSH (authenticated, encrypted transport; the better choice on open networks).
This article describes BSDTCP. The details of SSH authentication are given in How To:Set up transport encryption with SSH.
BSD is present only for backward compatibility with versions of Amanda older than 2.5.0. BSDUDP is a version of BSDTCP that also uses UDP, and UDP traffic is much harder to debug, since the usual TCP tools such as netcat are of little help.
The details of BSD and BSDUDP are given in How To:Configure Backward-compatible Authentication Methods. For configuration of a pre-2.5 client (bsd only), please see Backing up an older Amanda 2.4 client.
.amandahosts file
It is very common for Amanda to be compiled to use the .amandahosts file to control access on clients and server using the bsd, bsdudp, and bsdtcp authentication methods.
The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. It should be owned by the Amanda backup user and be readable and writable only by that user (mode 0600).
The format of .amandahosts is
<amandaserver.example.com> <backup_user> <service(s)>
The first field is the fully qualified domain name of the remote host being granted access to the local machine: on a client it names the Amanda server allowed to connect, on the server it names each client whose amrecover is allowed to connect. That host connects as backup_user to run service(s). bsdtcp checks the entry against the name the connecting address resolves to and the user name the peer claims, with no cryptographic proof of either, which is why it belongs only on a trusted network.
service(s) are the amandad services allowed to be run on the configured client/server:
amdump - used for backing up a client. Specifying this allows an Amanda server running the amdump command to connect to the client to perform a backup.
amindexd - the daemon that serves Amanda's index database. Specifying this allows an Amanda client running amrecover to query the server for which files and directories have been backed up from that client.
amidxtaped - the daemon that reads backup images from the server's volumes. Specifying this allows an Amanda client running amrecover to retrieve tape information and restore data from the server.
Example of the .amandahosts file on an Amanda client
amandaserver.example.com amandabackup amdump
Example of the .amandahosts file on an Amanda server
amandaclient1.example.com root amindexd amidxtaped
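As an added example (it is not part of the original article, nor one of Amanda's own tools), the following POSIX sh script audits a .amandahosts file against the rules above: the file mode, one fully qualified host per entry, and a service list that matches the role of the machine (a client only needs to grant amdump to its server; a server only needs to grant amindexd and amidxtaped to clients). The function names and the client/server role argument are this example's own; the host and user names in the comments are the ones from the examples above.

```shell
#!/bin/sh
# Audit an Amanda .amandahosts file for the bsdtcp/bsd access model:
# one "<host> <user> <service...>" entry per line, mode 0600.
# Example code, not Amanda's own tooling. Every function prints its
# findings and returns 0 when the file is clean, 1 otherwise.

# amandahosts_mode_ok FILE -> 0 if no group/other permission bits are set.
# Parses ls(1) output so it works with both GNU and BSD userland.
amandahosts_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# amandahosts_services FILE HOST USER -> prints the services granted to
# HOST connecting as USER, one per line; prints nothing if no entry matches.
amandahosts_services() {
    awk -v h="$2" -v u="$3" '
        NF == 0 || $1 ~ /^#/ { next }               # skip blank lines and comments
        $1 == h && $2 == u  { for (i = 3; i <= NF; i++) print $i }
    ' "$1"
}

# amandahosts_audit FILE ROLE   (ROLE = client | server)
# Flags services the role does not need (a client only runs amdump for its
# server; a server only runs amindexd/amidxtaped for amrecover), hosts that
# are not fully qualified, entries without a service, and a loose file mode.
amandahosts_audit() {
    file=$1; role=$2; rc=0
    if ! amandahosts_mode_ok "$file"; then
        echo "WARN: $file is group/world accessible; chmod 600 it"; rc=1
    fi
    case $role in
        client) allowed=" amdump " ;;
        server) allowed=" amindexd amidxtaped " ;;
        *) echo "usage: amandahosts_audit FILE client|server" >&2; return 2 ;;
    esac
    while read -r host user services; do
        case $host in ''|'#'*) continue ;; esac    # blank line or comment
        case $host in
            *.*) ;;
            *) echo "WARN: '$host' is not a fully qualified domain name"; rc=1 ;;
        esac
        if [ -z "$services" ]; then
            echo "WARN: entry for $host $user grants no service"; rc=1; continue
        fi
        for svc in $services; do
            case $allowed in
                *" $svc "*) ;;
                *) echo "WARN: $host $user grants '$svc', which a $role does not need"; rc=1 ;;
            esac
        done
    done < "$file"
    return $rc
}
```

Run it as the Amanda backup user, e.g. amandahosts_audit /var/lib/amanda/.amandahosts client on a client and ... server on the server; a clean file produces no output and a zero exit status, so it can sit in a configuration check or a cron job.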
General info on using inetd
Template for Amanda client inetd service entry
<service_name> <socket_type> <protocol> <wait/nowait> <amanda_backup_user> <absolute_path_to_amandad> amandad <server_args>
The service name must be defined in /etc/services; the registered name is amanda, port 10080/tcp.
General info on using xinetd
Template for Amanda client xinetd service file
    service amanda
    {
        only_from   = <Amanda server>
        socket_type = <socket type>
        protocol    = <protocol>
        wait        = <"yes"/"no">
        user        = <amanda backup user>
        group       = <amanda backup user group id>
        groups      = yes
        server      = <absolute path to amandad>
        server_args = <amandad server arguments>
        disable     = no
    }
Xinetd's "only_from" parameter provides a second layer of access control in front of the permissions granted in the .amandahosts file: connections from other addresses are refused before amandad is even started. It is not required, but it costs nothing and is worth using, because the .amandahosts check alone relies on the peer's host name and claimed user name.
bsdtcp
If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag
--with-bsdtcp-security
otherwise, amcheck will return messages like:
    Could not find security driver "bsdtcp" for host "yourhost".
    auth for this dle is invalid
client
Clients need to specify the auth and amdump arguments to the amandad command.
inetd example
Example of inetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump
xinetd example
Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amandabackup"
    service amanda
    {
        only_from   = amandaserver.example.com amandaclient.example.com
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = amandabackup
        group       = disk
        groups      = yes
        server      = /usr/lib/amanda/amandad
        server_args = -auth=bsdtcp amdump
        disable     = no
    }
server
In the disklist file on the Amanda server you must declare that clients are contacted with the bsdtcp authentication method, either by giving the auth parameter directly in the disklist entry or by referencing a dumptype that sets it.
Example of specifying bsdtcp authentication directly in the disklist file.
    server.example.com <disk_name> {
        comp-user-tar
        auth "bsdtcp"
    } 1
where <disk_name> is the disk or mount point to back up, as in every disklist entry, and the trailing 1 is the spindle number.
Example of a dumptype definition specifying bsdtcp authentication.
    define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
    }
This may also be set globally in the same way by editing the "global" dumptype definition.
inetd example
Example of inetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump amindexd amidxtaped
xinetd example
Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"
    service amanda
    {
        only_from   = amandaserver.example.com amandaclient.example.com
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = amanda
        group       = disk
        groups      = yes
        server      = /usr/lib/amanda/amandad
        server_args = -auth=bsdtcp amdump amindexd amidxtaped
        disable     = no
    }
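The inetd/xinetd templates and the client and server examples above differ only in the backup user and in server_args. As an added example (this is not code from the article or from the Amanda project), the POSIX sh functions below render an inetd line and an xinetd service file from those parameters, and lint an existing xinetd service file for the settings bsdtcp needs: stream/tcp/nowait, a non-empty only_from, an unprivileged user, -auth=bsdtcp in server_args, and the right service list for a client (amdump only) or a server (amindexd and amidxtaped). The function names are this example's own; the path /usr/lib/amanda/amandad and the host names are the ones used in the examples above.

```shell
#!/bin/sh
# Render and lint inetd/xinetd entries for amandad with bsdtcp authentication.
# Example code, not Amanda's own tooling.

# render_inetd_entry USER AMANDAD_PATH ARGS... -> one inetd.conf line
render_inetd_entry() {
    user=$1; amandad=$2; shift 2
    printf 'amanda stream tcp nowait %s %s amandad %s\n' "$user" "$amandad" "$*"
}

# render_xinetd_service ONLY_FROM USER GROUP AMANDAD_PATH ARGS... -> service file
render_xinetd_service() {
    only_from=$1; user=$2; group=$3; amandad=$4; shift 4
    cat <<EOF
service amanda
{
    only_from   = $only_from
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = $user
    group       = $group
    groups      = yes
    server      = $amandad
    server_args = $*
    disable     = no
}
EOF
}

# xinetd_get FILE KEY -> value of "KEY = value" (first match), empty if absent
xinetd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# lint_xinetd_service FILE ROLE  (ROLE = client | server)
# Returns 0 when FILE matches the bsdtcp recipe for ROLE, 1 with messages otherwise.
lint_xinetd_service() {
    file=$1; role=$2; rc=0
    [ "$(xinetd_get "$file" socket_type)" = stream ] || { echo "socket_type must be stream"; rc=1; }
    [ "$(xinetd_get "$file" protocol)" = tcp ]       || { echo "protocol must be tcp for bsdtcp"; rc=1; }
    [ "$(xinetd_get "$file" wait)" = no ]            || { echo "wait must be no"; rc=1; }
    [ -n "$(xinetd_get "$file" only_from)" ] || {
        echo "only_from is empty: amandad is reachable from any host, leaving .amandahosts as the only check"; rc=1; }
    user=$(xinetd_get "$file" user)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "user must be the unprivileged Amanda backup user, not root"; rc=1
    fi
    args=" $(xinetd_get "$file" server_args) "
    case $args in *" -auth=bsdtcp "*) ;; *) echo "server_args must include -auth=bsdtcp"; rc=1 ;; esac
    case $role in
        client)
            case $args in *" amdump "*) ;; *) echo "a client must offer amdump"; rc=1 ;; esac
            case $args in *" amindexd "*|*" amidxtaped "*)
                echo "a client should not offer amindexd/amidxtaped; those belong on the server"; rc=1 ;; esac ;;
        server)
            case $args in *" amindexd "*) ;; *) echo "a server must offer amindexd for amrecover"; rc=1 ;; esac
            case $args in *" amidxtaped "*) ;; *) echo "a server must offer amidxtaped for amrecover"; rc=1 ;; esac ;;
        *) echo "usage: lint_xinetd_service FILE client|server" >&2; return 2 ;;
    esac
    return $rc
}
```

After editing /etc/xinetd.d/amanda, run lint_xinetd_service /etc/xinetd.d/amanda client on a client (or ... server on the server), restart xinetd, and confirm the result with amcheck from the server.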