How To:Configure bsdtcp authentication: Difference between revisions

From wiki.zmanda.com
No edit summary
 
(→‎xinetd example: fixed incorrect user name.)
 
(37 intermediate revisions by 11 users not shown)
Latest revision as of 16:11, 20 November 2010

This article is a part of the How Tos collection.

NOTE: For authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).

Which One?

There are several authentication mechanisms available for Amanda, so which one should you choose?

Use BSDTCP (easier to set up, risky on a public network) or SSH (better security for open networks) authentication.

This article describes BSDTCP. The details of SSH authentication are given in How To:Set up transport encryption with SSH.

BSD is only present for backward-compatibility with versions of Amanda older than 2.5.0. BSDUDP is a version of BSDTCP that also uses UDP, and UDP is very difficult to debug (since tools like netcat aren't useful).

The details of BSD and BSDUDP are given in How To:Configure Backward-compatible Authentication Methods. For configuration of a pre-2.5 client (bsd only), please see Backing up an older Amanda 2.4 client.

.amandahosts file

It is very common for Amanda to be compiled to use the .amandahosts file to control access on clients and server using the bsd, bsdudp, and bsdtcp authentication methods.

The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. This file should be readable and writable only by the Amanda backup user.

The format of .amandahosts is

<amandaserver.example.com> <backup_user> <service(s)>

The first field is the fully qualified domain name of the server which is being granted access to the local client machine as backup_user to perform service(s).

service(s) are the amandad services allowed to be run on the configured client/server:

amdump - is used for backing up a client. Specifying this allows an Amanda server running an amdump command to connect to an Amanda client to perform a backup.

amindexd - is the daemon that accesses Amanda's index database. Specifying this allows an Amanda client running amrecover to access the database on an Amanda server to determine which files and directories have been backed up on the client.

amidxtaped - is the daemon that accesses Amanda's log files. Specifying this allows an Amanda client running amrecover to access tape information on an Amanda server.

Example of the .amandahosts file on an Amanda client

amandaserver.example.com amandabackup amdump 

Example of the .amandahosts file on an Amanda server

amandaclient1.example.com root amindexd amidxtaped
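As an added check (not part of this wiki page or of Amanda itself), the following Python parses .amandahosts entries in the format above, flags hosts that are not fully qualified or services the page does not list, and tests the owner-only file mode the page requires; the sample entries are constructed.

```python
import os
import stat

# Services named on this page that an .amandahosts entry may grant.
KNOWN_SERVICES = {"amdump", "amindexd", "amidxtaped"}

# Constructed sample, not copied from any real host.
SAMPLE = """# client-side .amandahosts (constructed)
amandaserver.example.com amandabackup amdump
amandaclient1.example.com root amindexd amidxtaped
"""


def parse_amandahosts(text):
    """Parse '<server FQDN> <backup user> <service(s)>' lines.

    Blank lines and '#' comments are skipped (an assumption of this checker).
    Returns a list of (host, user, [services]) tuples.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need host, user and at least one service")
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def check_entries(entries):
    """Return findings: hosts that are not FQDNs and services this page does not name."""
    findings = []
    for host, _user, services in entries:
        if "." not in host:
            findings.append(f"{host}: not a fully qualified domain name")
        unknown = sorted(set(services) - KNOWN_SERVICES)
        if unknown:
            findings.append(f"{host}: unexpected service(s) {' '.join(unknown)}")
    return findings


def mode_is_owner_only(mode):
    """True when the permission bits grant nothing to group or other (0600 or tighter)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def owner_only(path):
    """Check an on-disk .amandahosts the way the page requires: owner read/write only."""
    return mode_is_owner_only(os.stat(path).st_mode)
```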

General info on using inetd

Template for Amanda client inetd service entry

 <service_name>  <socket_type>   <protocol>  <wait/nowait>   <amanda_backup_user>  <absolute_path_to_amandad>   amandad  <server_args>

General info on using xinetd

Template for Amanda client xinetd service file

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = <socket type>
       protocol                = <protocol>
       wait                    = <"yes"/"no">
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = <amandad server arguments>
       disable                 = no
 }

Xinetd offers the "only_from" parameter, which provides a second layer of protection on top of the permissions granted in the .amandahosts file. It is therefore not required, but it can certainly be used.

bsdtcp

If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdtcp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

client

Clients need to specify the auth and amdump arguments to the amandad command.

inetd example

Example of inetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump

xinetd example

Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no 
}
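An added example, not from the wiki or the Amanda project: a small Python check that parses an xinetd service file and confirms the bsdtcp-specific values shown above (stream/tcp/wait no, -auth=bsdtcp plus the expected amandad services, and a non-empty only_from). The sample entry is constructed to mirror the client example; passing amindexd and amidxtaped as expected services checks the server variant the same way.

```python
import re

# Constructed sample mirroring this page's bsdtcp client entry (not copied from a real host).
CLIENT_OK = """service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump
       disable         = no
}
"""

# Values that distinguish the page's bsdtcp entry from the older udp-based one.
BSDTCP_REQUIRED = {"socket_type": "stream", "protocol": "tcp", "wait": "no", "disable": "no"}


def parse_xinetd_service(text):
    """Parse one 'service NAME { key = value ... }' block into a dict ('_service' holds NAME)."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no service block found")
    attrs = {"_service": m.group(1)}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute line: {line!r}")
            attrs[key.strip().rstrip("+ ")] = value.strip()  # '+=' is treated like '='
    return attrs


def check_bsdtcp_entry(attrs, expected_services):
    """Return findings for an amandad entry that should run -auth=bsdtcp with the given services."""
    findings = []
    for key, want in BSDTCP_REQUIRED.items():
        if attrs.get(key) != want:
            findings.append(f"{key} should be {want}, got {attrs.get(key)}")
    args = attrs.get("server_args", "").split()
    missing = [a for a in ["-auth=bsdtcp", *expected_services] if a not in args]
    if missing:
        findings.append("server_args missing " + " ".join(missing))
    if not attrs.get("only_from"):
        findings.append("only_from is empty: any host can reach amandad, so .amandahosts is the only gate")
    return findings
```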

server

You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method to connect to any clients. You must either specify the auth parameter directly in the disklist file or use a dumptype that specifies the bsdtcp authentication method.

Example of specifying bsdtcp authentication directly in the disklist file.

server.example.com    {
        comp-user-tar
        auth "bsdtcp"
}    1

Example of a dumptype definition specifying bsdtcp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
}

This may also be set globally in the same way by editing the "global" dumptype definition.

inetd example

Example of inetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump amindexd amidxtaped

xinetd example

Example of xinetd service entry using bsdtcp authorization and assuming Amanda user is "amanda"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}