How To:Set up transport encryption with SSH: Difference between revisions

From wiki.zmanda.com
Older revision (no edit summary), from line 1:

* Configure Amanda with --with-ssh-security, it will install dumper/amcheck non-suid.<br/>
* Set "auth ssh" in the dumptype<br/>
* Both server and client must be configured exactly the same amanda username and location of amandad binaries needs to be the same or you can use amandad_path and client_username to specify path to amandad binary and client user name in dumptype definition in [[amanda.conf]] respectively.
* Run ssh-keygen to generate ssh keys
# ssh-keygen -t rsa
It will create ~amanda_user/.ssh/id_rsa and ~amanda_user/.ssh/id_rsa.pub files.
Copy ~amanda_user/.ssh/id_rsa.pub to the client machine through a secure channel and append it to amanda_user/.ssh/authorized_keys
Example for secure channel for copying files:
copy id_rsa.pub to a floppy or flash drive and hand carry to the client machine.
  # chmod 600 ~amanda_user/.ssh/authorized_keys
* Run ssh-add
  {will prompt for the passphrase}
  {it will add the RSA identities to the authentication agent}
* Run amdump to do backups

Newer revision (no edit summary), from line 1:

===Backup process [[amdump]]===
* You must create an ssh key for the Amanda server. In this example, the key is put in the id_rsa_amdump file (Run as backup user - amandabackup):
  $ ssh-keygen -t rsa
  Enter file in which to save the key (/home/amandabackup/.ssh/id_rsa)? /home/amandabackup/.ssh/id_rsa_amdump
 
* You must set the ssh_keys option in all DLE for that host:
  ssh_keys "/home/amandabackup/.ssh/id_rsa_amdump"
 
* You mush append the /home/amandabackup/.ssh/id_rsa_amdump.pub file to the .ssh/authorized_keys file of all Amanda clients.
 
* For security reasons, you must prepend the line with the following:
  from="<Amanda_server_fqdn_name>",no-port-forwarding,no-X11-forwarding,
  no-agent-forwarding,command="<absolute path to amandad> -auth=ssh amdump"
This will limit that key to connect only from Amanda server and only be able to execute amandad.
 
* If your server username and client username are different, you must add the client_username option in dumptype definition for all DLEs in the client:
  client_username "client_backup_username"
 
* If your server amandad path and client amandad path are different, you must set the amandad_path option in all DLE for that hosts:
  amandad_path "client/amandad/path"
 
===Recovery process [[amrecover]]===
 
* Create a ssh key for root on all clients that can use [[amrecover]]. In this example, the key is put in the /root/.ssh/id_rsa_amrecover file:
 
Log in as root:
  # ssh-keygen -t rsa
  Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover
 
* You must set the ssh_keys option in the ''/etc/amanda/amanda_client.conf'' file
  ssh_keys "/root/.ssh/id_rsa_amrecover"
 
* You mush append all client /home/root/.ssh/id_rsa_amrecover.pub file to the /home/amandabackup/.ssh/authorized_keys of the server.
 
* For security reasons, you must prefix all lines with the following:
  from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,
  no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"
This will limit every client key to connect from the client and only be able to execute amandad.
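Review bot: the newer revision silently drops three steps the older one had: configuring Amanda with --with-ssh-security, setting "auth ssh" in the dumptype, and running chmod 600 on ~/.ssh/authorized_keys. A reader following only the new text is never told to select the ssh auth at all, so at least "* Set "auth ssh" in the dumptype" should be carried over into the Backup process section, and the chmod step belongs next to the authorized_keys instructions in both sections. Smaller style point: the backup section writes the placeholder as from="<Amanda_server_fqdn_name>" while the recovery section writes from="aclient_fqdn_name" without brackets; use one placeholder style so neither reads like a literal value.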

Revision as of 00:55, 20 June 2006

Backup process amdump

  • You must create an ssh key for the Amanda server. In this example, the key is put in the id_rsa_amdump file (Run as backup user - amandabackup):
 $ ssh-keygen -t rsa
 Enter file in which to save the key (/home/amandabackup/.ssh/id_rsa)? /home/amandabackup/.ssh/id_rsa_amdump
  • You must set the ssh_keys option in all DLE for that host:
 ssh_keys "/home/amandabackup/.ssh/id_rsa_amdump"
  • You must append the /home/amandabackup/.ssh/id_rsa_amdump.pub file to the .ssh/authorized_keys file of all Amanda clients.
  • For security reasons, you must prepend the line with the following:
 from="<Amanda_server_fqdn_name>",no-port-forwarding,no-X11-forwarding,
 no-agent-forwarding,command="<absolute path to amandad> -auth=ssh amdump"

This will limit that key to connecting only from the Amanda server and to running only amandad.

  • If your server username and client username are different, you must add the client_username option in dumptype definition for all DLEs in the client:
 client_username "client_backup_username"
  • If your server amandad path and client amandad path are different, you must set the amandad_path option in all DLEs for that host:
 amandad_path "client/amandad/path"

Recovery process amrecover

  • Create an ssh key for root on all clients that can use amrecover. In this example, the key is put in the /root/.ssh/id_rsa_amrecover file:

Log in as root:

 # ssh-keygen -t rsa
 Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover
  • You must set the ssh_keys option in the /etc/amanda/amanda_client.conf file
 ssh_keys "/root/.ssh/id_rsa_amrecover"
  • You must append every client's /home/root/.ssh/id_rsa_amrecover.pub file to the /home/amandabackup/.ssh/authorized_keys of the server.
  • For security reasons, you must prefix all lines with the following:
 from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,
 no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"

This will limit every client key to connecting only from that client and to running only amandad.
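Both the backup and the recovery sections above restrict an Amanda key with from=, the no-*-forwarding options and a fixed command=. The following added example (not from the wiki or the Amanda project) builds such an entry from a public key line and audits an authorized_keys file for entries that lack any of those restrictions; the host names, amandad path and key in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the restricted authorized_keys
# entry described above and audit a file for entries that lack the restrictions.
# Host names, paths and the key below are constructed placeholders.

# restrict_key FROM_FQDN AMANDAD_PATH SERVICES PUBKEY_LINE
# Emits one authorized_keys line pinned to one source host and one command.
# SERVICES is "amdump" for the backup key, "amindexd amidxtaped" for recovery.
restrict_key() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="%s -auth=ssh %s" %s\n' \
        "$1" "$2" "$3" "$4"
}

# audit_authorized_keys FILE
# Reports every key entry missing one of the required options; returns 1 if any.
# Substring matching is deliberately simple: it flags bare keys, not clever comments.
audit_authorized_keys() {
    status=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        for opt in 'from="' no-port-forwarding no-X11-forwarding no-agent-forwarding 'command="'; do
            case "$line" in
                *"$opt"*) ;;
                *) printf 'missing %s: %.40s...\n' "$opt" "$line"; status=1; break ;;
            esac
        done
    done < "$1"
    return "$status"
}

# Demo: one properly restricted entry and one bare key (constructed sample values).
demo_pub='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleKey amandabackup@backup.example.org'
demo_file=$(mktemp)
restrict_key backup.example.org /usr/lib/amanda/amandad amdump "$demo_pub" > "$demo_file"
printf '%s\n' "$demo_pub" >> "$demo_file"
audit_authorized_keys "$demo_file" || echo "audit: unrestricted key(s) found in $demo_file"
rm -f "$demo_file"
```

Run the audit against the amandabackup authorized_keys on every client and against the server's own, since the recovery setup places client root keys on the server.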