How To:Set up transport encryption with SSH

From wiki.zmanda.com

Revision as of 18:45, 20 September 2006

Backup process amdump

  • You must create an ssh key for the Amanda server. Just hit Enter when asked for a key passphrase: amandad uses the key unattended, so it cannot be passphrase-protected, and the private key file must therefore be readable only by the backup user (ssh-keygen creates it mode 0600; keep it that way). In this example the key is put in the id_rsa_amdump file (run as the backup user, amandabackup):
 $ ssh-keygen -t rsa -C "SSH Key for Amanda Backups"
 Enter file in which to save the key (/home/amandabackup/.ssh/id_rsa)? /home/amandabackup/.ssh/id_rsa_amdump
  • You must set the ssh_keys option in the dumptype of every DLE for that host:
 ssh_keys "/home/amandabackup/.ssh/id_rsa_amdump"
  • You must append the /home/amandabackup/.ssh/id_rsa_amdump.pub file to the .ssh/authorized_keys file of the backup user on every Amanda client (if unsure, check the AuthorizedKeysFile setting in /etc/ssh/sshd_config to see which file sshd reads).
  • For security reasons, you must prefix the key line with the following options (shown here on two lines, but the options and the key must form a single line in authorized_keys, with no whitespace inside the comma-separated option list):
 from="<Amanda_server_fqdn_name>",no-port-forwarding,no-X11-forwarding,
 no-agent-forwarding,command="<absolute path to amandad> -auth=ssh amdump"

This will limit that key to connect only from the Amanda server and only be able to execute amandad: sshd ignores whatever command the connecting side asks for and runs the command= string instead, with the requested command available to amandad only via SSH_ORIGINAL_COMMAND. Note that from= is matched against the connecting IP address and against the host name obtained by reverse DNS lookup of that address, so a host name pattern only restricts anything if your reverse DNS is trustworthy; if in doubt, put the server's IP address in the pattern instead.

  • If your server username and client username are different, you must add the client_username option to the dumptype definition of all DLEs for that client:
 client_username "client_backup_username"
  • If the amandad path on the server and on the client are different, you must set the amandad_path option in the dumptype of all DLEs for that host:
 amandad_path "client/amandad/path"
  • Use a dumptype similar to the following (ssh_keys must point at the private key generated above; the backup user's home directory differs between distributions, for example /var/lib/amanda rather than /home/amandabackup, so adjust the path to match your installation):
define dumptype nocomp-ssh {
  root-tar
  comment "ssh authorization and dumped with tar"
  auth "ssh"
  ssh_keys "/var/lib/amanda/.ssh/id_rsa_amdump"
  compress none
}
  • Make sure every Amanda client is in the known_hosts file of the backup user on the server. Run this as amandabackup (known_hosts is per user, so an entry made as root does not help amandad) and use the same FQDN you put in the DLE. Before answering yes, compare the fingerprint shown with the one printed on the client itself by ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub; accepting an unverified fingerprint means a host impersonating the client would be trusted from then on:
$ ssh client1.zmanda.com
The authenticity of host 'client1.zmanda.com (192.168.10.1)' can't be established.
RSA key fingerprint is 26:4e:df:a2:be:c8:cb:20:1c:68:8b:cc:c0:3b:8e:9d.
Are you sure you want to continue connecting (yes/no)?yes

Recovery process amrecover

  • Create an ssh key for root on all clients that will use amrecover. In this example, the key is put in the /root/.ssh/id_rsa_amrecover file:

Log in as root:

 # ssh-keygen -t rsa
 Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover
  • You must set the ssh_keys option in the /etc/amanda/amanda_client.conf file on each of those clients:
 ssh_keys "/root/.ssh/id_rsa_amrecover"
  • You must append the /root/.ssh/id_rsa_amrecover.pub file of every client to /home/amandabackup/.ssh/authorized_keys on the server, one line per client.
  • For security reasons, you must prefix each of these lines with the following, using that client's FQDN (or IP address) in from= (again, the options and the key must end up on a single line):
 from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,
 no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"

This will limit each client key to connect only from that client and only be able to execute amandad, which in turn offers only the amindexd and amidxtaped services needed by amrecover.

  • Make sure the Amanda server is in root's known_hosts file on each client, since amrecover runs as root. Run this as root, use the FQDN the client uses to reach the server, and verify the fingerprint against the server's own host key before answering yes:
# ssh server.zmanda.com
The authenticity of host 'server.zmanda.com (192.168.10.1)' can't be established.
RSA key fingerprint is 26:4e:df:a2:be:c8:cb:20:1c:68:8b:cc:c0:3b:8e:9d.
Are you sure you want to continue connecting (yes/no)?yes
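The two authorized_keys recipes above (the server's amdump key on each client, and each client's amrecover key on the server) differ only in the from= host and in the services amandad is allowed to offer. The following shell script is an added example, not part of the original page or of Amanda itself: it generates a passphrase-less key the way the page describes, builds the restricted authorized_keys entry on a single line, and audits an authorized_keys file for entries that lack any of the restrictions. The host names, the amandad path /usr/lib/amanda/amandad and the sample public key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Amanda wiki page or of Amanda itself.
# Host names, the amandad path and the sample key below are constructed.

# Generate a key with an empty passphrase (the page's "just hit enter"):
# amandad and amrecover use it unattended, so protect it by file mode
# instead. $1 = private key path, $2 = key comment.
amanda_make_key() {
    ( umask 077 && ssh-keygen -q -t rsa -N '' -C "$2" -f "$1" )
}

# Build the restricted authorized_keys entry on ONE line (the page shows it
# wrapped only for display). $1 = host allowed to connect (from= pattern),
# $2 = absolute amandad path on the host that holds this authorized_keys,
# $3 = services amandad may offer ("amdump" or "amindexd amidxtaped"),
# $4 = the public key line (contents of the .pub file).
amanda_authorized_key_line() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="%s -auth=ssh %s" %s\n' \
        "$1" "$2" "$3" "$4"
}

# Audit an authorized_keys file: print every key line that lacks one of the
# restrictions or does not force amandad with -auth=ssh. Returns 0 when all
# keys are restricted, 1 otherwise.
amanda_audit_authorized_keys() {
    status=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        ok=1
        for want in 'from="' 'no-port-forwarding' 'no-X11-forwarding' \
                    'no-agent-forwarding' 'command="' '-auth=ssh'; do
            case "$line" in *"$want"*) ;; *) ok=0 ;; esac
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNRESTRICTED: %s\n' "$line"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Demo on a constructed file: a correct amdump entry for the server, a
# correct amrecover entry for a client, and one bare key that would give an
# interactive shell as the backup user.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkey amandabackup@server.zmanda.com'
AMANDA_DEMO_FILE=$(mktemp)
{
    amanda_authorized_key_line 'server.zmanda.com' '/usr/lib/amanda/amandad' 'amdump' "$SAMPLE_PUBKEY"
    amanda_authorized_key_line 'client1.zmanda.com' '/usr/lib/amanda/amandad' 'amindexd amidxtaped' "$SAMPLE_PUBKEY"
    printf '%s\n' "$SAMPLE_PUBKEY"
} > "$AMANDA_DEMO_FILE"
if amanda_audit_authorized_keys "$AMANDA_DEMO_FILE"; then
    echo "all keys restricted"
else
    echo "fix the lines above before trusting this authorized_keys"
fi
rm -f "$AMANDA_DEMO_FILE"
```

Run the audit against the backup user's authorized_keys on every client and on the server after each change; any line it prints is a key that can open an unrestricted shell as that user, which defeats the purpose of the command= restriction.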