How To:Set up transport encryption with SSH

From wiki.zmanda.com
Revision as of 00:55, 20 June 2006 by Paddy (talk | contribs)

Backup process amdump

  • You must create an ssh key for the Amanda server. In this example, the key is put in the id_rsa_amdump file (run as the backup user, amandabackup):
 $ ssh-keygen -t rsa
 Enter file in which to save the key (/home/amandabackup/.ssh/id_rsa)? /home/amandabackup/.ssh/id_rsa_amdump
  • You must set the ssh_keys option in all DLE for that host:
 ssh_keys "/home/amandabackup/.ssh/id_rsa_amdump"
  • You must append the /home/amandabackup/.ssh/id_rsa_amdump.pub file to the .ssh/authorized_keys file of all Amanda clients.
  • For security reasons, you must prepend the key line with the following (the options and the key must stay on a single line):
 from="<Amanda_server_fqdn_name>",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="<absolute path to amandad> -auth=ssh amdump"

This limits the key to connections coming from the Amanda server, and the only command it can run is amandad.

  • If your server username and client username are different, you must add the client_username option in dumptype definition for all DLEs in the client:
 client_username "client_backup_username"
  • If your server amandad path and client amandad path are different, you must set the amandad_path option in all DLE for that host:
 amandad_path "client/amandad/path"

Recovery process amrecover

  • Create an ssh key for root on all clients that can use amrecover. In this example, the key is put in the /root/.ssh/id_rsa_amrecover file:

Log in as root:

 # ssh-keygen -t rsa
 Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover
  • You must set the ssh_keys option in the /etc/amanda/amanda_client.conf file
 ssh_keys "/root/.ssh/id_rsa_amrecover"
  • You must append each client's /root/.ssh/id_rsa_amrecover.pub file to /home/amandabackup/.ssh/authorized_keys on the server.
  • For security reasons, you must prefix each of these key lines with the following, using that client's FQDN in from= (options and key on a single line):
 from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"

This limits each client key to connections coming from that client, and the only command it can run is amandad.
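Both procedures above depend on every Amanda key in authorized_keys carrying the from=, no-*-forwarding and forced amandad command options. The following added example (not part of this wiki page or of Amanda itself) builds such a line from a .pub file line and audits an existing line for missing restrictions or extra services; the sample key, FQDN and amandad path it uses are constructed placeholders.

```python
import re

# Restrictions the page requires on every Amanda key in authorized_keys.
REQUIRED_OPTIONS = ("no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding")
AMDUMP_SERVICES = ("amdump",)                    # server key on the clients
AMRECOVER_SERVICES = ("amindexd", "amidxtaped")  # client root keys on the server

KEY_TYPE_RE = re.compile(r'(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519)\s')


def build_entry(pubkey_line, from_host, amandad_path, services):
    """Prefix a .pub line with from=, the no-*-forwarding options and a forced amandad command."""
    command = f'{amandad_path} -auth=ssh {" ".join(services)}'
    options = f'from="{from_host}",{",".join(REQUIRED_OPTIONS)},command="{command}"'
    return f"{options} {pubkey_line.strip()}"


def check_entry(line, allowed_services):
    """Return the problems found in one authorized_keys line; [] means it is restricted as required."""
    problems = []
    m = KEY_TYPE_RE.search(line)
    if not m:
        return ["not a recognised public key line"]
    options = line[:m.start()].strip()  # everything before the key type is the option list
    if not re.search(r'(?:^|,)from="[^"]+"', options):
        problems.append('missing from="<host>" restriction')
    for opt in REQUIRED_OPTIONS:
        if not re.search(rf'(?:^|,){re.escape(opt)}(?:,|$)', options):
            problems.append(f"missing {opt}")
    cmd = re.search(r'command="([^"]+)"', options)
    if not cmd:
        problems.append("missing forced command, key is not limited to amandad")
        return problems
    argv = cmd.group(1).split()
    if len(argv) < 3 or not argv[0].endswith("amandad") or argv[1] != "-auth=ssh":
        problems.append("forced command is not 'amandad -auth=ssh <services>'")
        return problems
    extra = sorted(set(argv[2:]) - set(allowed_services))  # services beyond this key's role
    if extra:
        problems.append("forced command allows extra services: " + " ".join(extra))
    return problems


if __name__ == "__main__":
    # Constructed sample key; the FQDN and amandad path are placeholders, not values from the page.
    pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYONLY amandabackup@backup.example.com"
    entry = build_entry(pub, "backup.example.com", "/usr/lib/amanda/amandad", AMDUMP_SERVICES)
    print(entry)
    print("amdump key ok:", check_entry(entry, AMDUMP_SERVICES) == [])
    print("bare key problems:", check_entry(pub, AMDUMP_SERVICES))
```

Running check_entry over each line of an authorized_keys file on the server and on every client gives a quick audit that no Amanda key was pasted in without its restrictions.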