{{How To Header}}

As with other network services, typically run from inetd or xinetd, the initial version of Amanda used only bsd authentication. Starting with Amanda 2.5, the bsdudp and bsdtcp authentication methods were introduced (for more information, please see [[Server/Client_authentication]]). Although bsd remains the default authentication method in the Amanda source code (Nov 2008), some packaged versions of Amanda, such as the [http://www.zmanda.com/download-amanda.php Zmanda Community Edition] packages, come pre-configured to use the newer and preferred bsdtcp method.

Whichever authentication method is used, a network server entry for amandad (the Amanda daemon) must be configured correctly on each Amanda client. This entry is what lets the backup process [[amdump]], which runs on the Amanda server, gain access to each client.

This article will progressively march through inetd and xinetd examples of the bsd, bsdudp, and bsdtcp authentication methods for Amanda 2.5 and later. For configuration of a pre-2.5 client (bsd only), please see [[#Backing_up_an_older_Amanda_2.4_client|Backing up an older Amanda 2.4 client]] below.

For the authoritative documentation on configuring authentication in Amanda, see {{man|7|amanda-auth}}.
== bsd ==

If an authentication method is not specified, ''bsd'' is the default. The ''auth'' argument to the amandad command therefore does not need to be given, but giving it explicitly makes the configuration perfectly clear.

=== client ===

Clients need to specify the ''amdump'' argument to the amandad command and may make the authentication method explicit with the ''auth'' argument.

==== inetd example ====

'''Example of using bsd authorization for an inetd server, assuming the Amanda user is "amanda"'''

 amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped

==== xinetd example ====

'''Example xinetd.d amanda client service file with backup user "amandabackup"'''

 service amanda
 {
     only_from   = amandaserver.example.com
     socket_type = dgram
     protocol    = udp
     wait        = yes
     user        = amandabackup
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     server_args = -auth=bsd amdump
     disable     = no
 }

=== server ===

If an Amanda server will also be a backup client to itself, it uses the same client configuration. However, as the Amanda server is also the recovery server for all clients via the [[amrecover]] command, the x/inetd service entry on the Amanda server should also include the ''amindexd'' and ''amidxtaped'' arguments to the amandad command.

The ''bsd'' authentication method is the default, so a configuration with no ''auth'' parameter set will use ''bsd''. Some packaged versions of Amanda, however, set another authentication method in the global dumptype, which then applies to every dumptype derived from that global dumptype (such as all the dumptypes that ship with Amanda).

If you want to use the ''bsd'' authentication method for a client while your server is configured for some other method, you must either remove the other method's ''auth'' setting from the global dumptype or explicitly specify the ''bsd'' authentication method for the desired clients in the '''disklist''' file on the Amanda server. For the latter, either give the ''auth'' parameter directly in the '''disklist''' file or use a dumptype that sets the ''bsd'' authentication method.

'''Example of specifying ''bsd'' authentication directly in the disklist file.'''

 server.example.com {
     comp-user-tar
     auth "bsd"
 } 1

Example of a dumptype definition specifying ''bsd'' authentication.

 define dumptype comp-user-tar {
     ...
     auth "bsd"
     ...
 }

==== inetd example ====

'''Example of using bsd authorization for an inetd server, assuming the Amanda user is "amanda"'''

 amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped

If you are using TCP wrappers, your inetd entry may look like this, again assuming the Amanda user is "amanda":

 amanda dgram udp wait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped

==== xinetd example ====

'''Example of an xinetd server entry that uses bsd, for a server that is a backup client to itself as well as the recovery server for all clients'''

 service amanda
 {
     only_from   = amandaserver.example.com amandaclient1.example.com amandaclient2.example.com
     socket_type = dgram
     protocol    = udp
     wait        = yes
     user        = amandabackup
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     server_args = -auth=bsd amdump amindexd amidxtaped
     disable     = no
 }

== bsdudp ==

If you want to use bsdudp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdudp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdudp" for host "yourhost". auth for this dle is invalid

=== client ===

Clients need to specify the ''auth'' and ''amdump'' arguments to the amandad command.

==== inetd example ====

'''Example of using ''bsdudp'' authentication for an inetd server on an Amanda client, using Amanda user "amanda"'''

 amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump

==== xinetd example ====

'''Example of using ''bsdudp'' authentication for an xinetd server on an Amanda client, using Amanda user "amandabackup"'''

 service amanda
 {
     only_from   = amandaserver.example.com amandaclient.example.com
     socket_type = dgram
     protocol    = udp
     wait        = yes
     user        = amandabackup
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     server_args = -auth=bsdudp amdump
     disable     = no
 }

=== server ===

You must specify in the '''disklist''' file on the Amanda server that you will use the ''bsdudp'' authentication method to connect to the clients concerned. You must either specify the ''auth'' parameter directly in the '''disklist''' file or use a dumptype that specifies the ''bsdudp'' authentication method.

'''Example of specifying ''bsdudp'' authentication directly in the disklist file.'''

 server.example.com {
     comp-user-tar
     auth "bsdudp"
 } 1

Example of a dumptype definition specifying ''bsdudp'' authentication.

 define dumptype comp-user-tar {
     ...
     auth "bsdudp"
     ...
 }

This may also be set globally in the same way by editing the "global" dumptype definition.

==== inetd example ====

'''Example of using ''bsdudp'' authentication for an inetd server, assuming the Amanda user is "amanda"'''

 amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsdudp amdump amindexd amidxtaped

==== xinetd example ====

'''Example of using ''bsdudp'' authentication for an xinetd server, assuming the Amanda user is "amandabackup"'''

 service amanda
 {
     only_from   = amandaserver.example.com amandaclient.example.com
     socket_type = dgram
     protocol    = udp
     wait        = yes
     user        = amandabackup
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     server_args = -auth=bsdudp amdump amindexd amidxtaped
     disable     = no
 }

== Backing up an older Amanda 2.4 client ==

Older versions of the Amanda client software (2.5.0 or earlier) have only the "bsd" protocol available.

An Amanda 2.5 or later server (using user "amandabackup") may still back up an Amanda 2.4 client (user "amanda"). For this, the server must use an ''auth "bsd"'' setting for communication; a global ''auth "bsdtcp"'' entry can be overridden in special dumptype definitions for use with older clients.

'''Example of an inetd file entry on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not as many amandad server arguments)'''

 amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad

'''Example of an xinetd file on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not some of the more current parameters such as "server_args")'''

 service amanda
 {
     only_from   = amandaserver.example.com
     socket_type = dgram
     protocol    = udp
     wait        = yes
     user        = amanda
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     disable     = no
 }

The client's ".amandahosts" file will need to specify that the server connection comes from user "amandabackup".

 amandaserver.example.com amandabackup amdump

This article is a part of the How Tos collection.

NOTE: For authoritative documentation on configuring authentication in Amanda, see amanda-auth(7).

== Which One? ==

There are several authentication mechanisms available for Amanda, so which one should you choose?

Use BSDTCP (easier to set up, risky on a public network) or SSH (better security for open networks) authentication.

This article describes BSDTCP. The details of SSH authentication are given in [[How To:Set up transport encryption with SSH]].

BSD is only present for backward-compatibility with versions of Amanda older than 2.5.0. BSDUDP is a version of BSDTCP that also uses UDP, and UDP is very difficult to debug (since tools like netcat aren't useful).

The details of BSD and BSDUDP are given in [[How To:Configure Backward-compatible Authentication Methods]]. For configuration of a pre-2.5 client (bsd only), please see [[How To:Configure Backward-compatible Authentication Methods#Backing_up_an_older_Amanda_2.4_client|Backing up an older Amanda 2.4 client]].
== .amandahosts file ==

It is very common for Amanda to be compiled to use the .amandahosts file to control access on clients and server using the bsd, bsdudp, and bsdtcp authentication methods.

The .amandahosts file is located in the Amanda user's home directory, commonly /var/lib/amanda. This file should be readable and writable only by the Amanda backup user.

The format of .amandahosts is

 <amandaserver.example.com> <backup_user> <service(s)>

The first field is the fully qualified domain name of the server which is being granted access to the local client machine as backup_user to perform service(s).

service(s) are the amandad services allowed to be run on the configured client/server:

* '''amdump''' - is used for backing up a client. Specifying this allows an Amanda server running an amdump command to connect to an Amanda client to perform a backup.
* '''amindexd''' - is the daemon that accesses Amanda's index database. Specifying this allows an Amanda client running amrecover to access the database on an Amanda server to determine which files and directories have been backed up on the client.
* '''amidxtaped''' - is the daemon that accesses Amanda's log files. Specifying this allows an Amanda client running amrecover to access tape information on an Amanda server.

'''Example of the .amandahosts file on an Amanda client'''

 amandaserver.example.com amandabackup amdump

'''Example of the .amandahosts file on an Amanda server'''

 amandaclient1.example.com root amindexd amidxtaped
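The following Python script is an added example (not part of this article or the Amanda project) that models the access rule just described: it parses .amandahosts text, answers whether a given server host, user and service combination is granted, and checks that the file is owned by the backup user with no group or other permission bits. The treatment of lines that omit a service field and the sample file contents are assumptions made for the example.

```python
import os

def parse_amandahosts(text):
    """Return (host, user, services) triples from .amandahosts text; services is a set."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue                    # blank or malformed line: grants nothing
        entries.append((fields[0].lower(), fields[1], frozenset(fields[2:])))
    return entries

def amandahosts_allows(text, host, user, service):
    """True if some line grants `service` to `user` connecting from `host`.
    Assumption: a line with no service field grants nothing here; Amanda itself
    applies its own default for such lines, see amanda-auth(7)."""
    host = host.lower()
    return any(h == host and u == user and service in s
               for h, u, s in parse_amandahosts(text))

def amandahosts_mode_ok(st_mode, st_uid, backup_uid):
    """True if the file is owned by the backup user and has no group/other bits,
    i.e. it is readable and writable only by that user (0600, or 0400)."""
    return st_uid == backup_uid and (st_mode & 0o077) == 0

def check_amandahosts_file(path, backup_uid):
    """Apply the ownership and mode check to a real file on disk."""
    st = os.stat(path)
    return amandahosts_mode_ok(st.st_mode, st.st_uid, backup_uid)

# Constructed samples mirroring the article's two example files.
CLIENT_AMANDAHOSTS = "amandaserver.example.com amandabackup amdump\n"
SERVER_AMANDAHOSTS = "amandaclient1.example.com root amindexd amidxtaped\n"
```

The second sample shows why the older-client case in this article needs a matching user: the client line grants amdump to "amandabackup", so a server connecting as "amanda" is refused.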
== General info on using inetd ==

'''Template for an Amanda client inetd service entry'''

 <service_name> <socket_type> <protocol> <wait/nowait> <amanda_backup_user> <absolute_path_to_amandad> amandad <server_args>

== General info on using xinetd ==

'''Template for an Amanda client xinetd service file'''

 service amanda
 {
     only_from   = <Amanda server>
     socket_type = <socket type>
     protocol    = <protocol>
     wait        = <"yes"/"no">
     user        = <amanda backup user>
     group       = <amanda backup user group id>
     groups      = yes
     server      = <absolute path to amandad>
     server_args = <amandad server arguments>
     disable     = no
 }

Xinetd offers the "only_from" parameter which provides a second layer of protection to the permissions allowed in the [[#.amandahosts file|.amandahosts file]]. It is thus not necessary but certainly can be used.
== bsdtcp ==

If you want to use bsdtcp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdtcp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

=== client ===

Clients need to specify the ''auth'' and ''amdump'' arguments to the amandad command.

==== inetd example ====

'''Example of an inetd service entry using bsdtcp authorization, assuming the Amanda user is "amanda"'''

 amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump

==== xinetd example ====

'''Example of an xinetd service entry using bsdtcp authorization, assuming the Amanda user is "amandabackup"'''

 service amanda
 {
     only_from   = amandaserver.example.com amandaclient.example.com
     socket_type = stream
     protocol    = tcp
     wait        = no
     user        = amandabackup
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     server_args = -auth=bsdtcp amdump
     disable     = no
 }
=== server ===

You must specify in the '''disklist''' file on the Amanda server that you will use the ''bsdtcp'' authentication method to connect to any clients. You must either specify the ''auth'' parameter directly in the '''disklist''' file or use a dumptype that specifies the ''bsdtcp'' authentication method.

'''Example of specifying ''bsdtcp'' authentication directly in the disklist file.'''

 server.example.com {
     comp-user-tar
     auth "bsdtcp"
 } 1

Example of a dumptype definition specifying ''bsdtcp'' authentication.

 define dumptype comp-user-tar {
     ...
     auth "bsdtcp"
     ...
 }

This may also be set globally in the same way by editing the "global" dumptype definition.

==== inetd example ====

'''Example of an inetd service entry using bsdtcp authorization, assuming the Amanda user is "amanda"'''

 amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump amindexd amidxtaped

==== xinetd example ====

'''Example of an xinetd service entry using bsdtcp authorization, assuming the Amanda user is "amandabackup"'''

 service amanda
 {
     only_from   = amandaserver.example.com amandaclient.example.com
     socket_type = stream
     protocol    = tcp
     wait        = no
     user        = amandabackup
     group       = disk
     groups      = yes
     server      = /usr/lib/amanda/amandad
     server_args = -auth=bsdtcp amdump amindexd amidxtaped
     disable     = no
 }
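As an added example (not code from this article or from Amanda), the following Python script cross-checks a client's xinetd entry against what the bsd, bsdudp and bsdtcp sections above require: the -auth= method (bsd when absent) must match the socket_type/protocol/wait triple, server_args must grant amdump, and a recovery server must also list amindexd and amidxtaped; effective_auth models the disklist rule that an inline auth overrides the dumptype's, which overrides the global default. The sample service text and the simplified dumptype resolution are constructed assumptions.

```python
import re

# Auth method -> (socket_type, protocol, wait) as the article's examples pair them.
TRANSPORT = {
    "bsd": ("dgram", "udp", "yes"),
    "bsdudp": ("dgram", "udp", "yes"),
    "bsdtcp": ("stream", "tcp", "no"),
}

def parse_xinetd(text):
    """Return the `key = value` attributes of a `service amanda { ... }` block."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def amandad_auth(server_args):
    """Auth method requested with -auth=; amandad defaults to bsd when it is absent."""
    m = re.search(r"-auth=(\w+)", server_args)
    return m.group(1) if m else "bsd"

def check_xinetd(text, recovery_server=False):
    """List the problems in a client entry; an empty list means it is consistent."""
    attrs = parse_xinetd(text)
    args = attrs.get("server_args", "").split()
    auth = amandad_auth(attrs.get("server_args", ""))
    if auth not in TRANSPORT:
        return ["unknown auth %r" % auth]
    problems = []
    got = (attrs.get("socket_type"), attrs.get("protocol"), attrs.get("wait"))
    if got != TRANSPORT[auth]:
        problems.append("auth %s needs socket_type/protocol/wait = %s, found %s"
                        % (auth, "/".join(TRANSPORT[auth]), "/".join(map(str, got))))
    if "amdump" not in args:
        problems.append("server_args lacks amdump, so the server's amdump cannot back up this host")
    if recovery_server and not {"amindexd", "amidxtaped"} <= set(args):
        problems.append("a recovery server also needs amindexd and amidxtaped in server_args")
    return problems

def effective_auth(dle_auth=None, dumptype_auth=None, global_auth="bsd"):
    """Auth the server uses for a DLE: inline disklist auth, else its dumptype's, else global."""
    return dle_auth or dumptype_auth or global_auth

# Constructed sample: asks for bsdtcp but keeps the datagram settings that bsd/bsdudp use.
BAD_CLIENT = ("service amanda\n{\n    socket_type = dgram\n    protocol = udp\n    wait = yes\n"
              "    server = /usr/lib/amanda/amandad\n    server_args = -auth=bsdtcp amdump\n}\n")
GOOD_CLIENT = BAD_CLIENT.replace("dgram", "stream").replace("udp", "tcp").replace("wait = yes", "wait = no")
```

Comparing effective_auth() for a DLE with amandad_auth() of that client's server_args catches the mismatch this article warns about, where a packaged server defaults to bsdtcp while the client still runs the bsd-era entry.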