How To:Set up transport encryption with SSH

From wiki.zmanda.com

Backup process amdump

  • You must create an ssh key for the Amanda server; just press Enter when asked for a key passphrase so the key has no passphrase. In this example, the key is put in the id_rsa_amdump file (run as the backup user, amandabackup):
 $ ssh-keygen -t rsa -C "SSH Key for Amanda Backups"
 Enter file in which to save the key (/home/amandabackup/.ssh/id_rsa)? /home/amandabackup/.ssh/id_rsa_amdump
  • You must set the ssh_keys option in all DLEs for that host:
 ssh_keys "/home/amandabackup/.ssh/id_rsa_amdump"
  • You must append the /home/amandabackup/.ssh/id_rsa_amdump.pub file to the .ssh/authorized_keys file of all Amanda clients (if unsure, check the AuthorizedKeysFile setting in /etc/ssh/sshd_config to see which file is used).
  • For security reasons, you must prefix that key line with the following options (all on one line, followed by a space and then the key):
 from="<Amanda_server_fqdn_name>",no-port-forwarding,no-X11-forwarding,
 no-agent-forwarding,command="<absolute path to amandad> -auth=ssh amdump"

This restricts that key so it can only connect from the Amanda server and can only run amandad (with the amdump service), with no port, X11 or agent forwarding.

  • If your server username and client username are different, you must add the client_username option to the dumptype definition for all DLEs on that client:
 client_username "client_backup_username"
  • If your server amandad path and client amandad path are different, you must set the amandad_path option in all DLEs for that host:
 amandad_path "client/amandad/path"
  • Use the dumptype similar to the following:
define dumptype nocomp-ssh {
  root-tar
  comment "ssh authorization and dumped with tar"
  auth "ssh"
  ssh_keys "/var/lib/amanda/.ssh/id_rsa_amdump"
  compress none
}
  • Make sure the Amanda client is in the backup user's known_hosts file by connecting to it once and accepting the host key:
$ ssh client1.zmanda.com
The authenticity of host 'client1.zmanda.com (192.168.10.1)' can't be established.
RSA key fingerprint is 26:4e:df:a2:be:c8:cb:20:1c:68:8b:cc:c0:3b:8e:9d.
Are you sure you want to continue connecting (yes/no)?yes

Recovery process amrecover

  • Create an ssh key for root on all clients that can use amrecover. In this example, the key is put in the /root/.ssh/id_rsa_amrecover file:

Log in as root:

 # ssh-keygen -t rsa
 Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover
  • You must set the ssh_keys option in the /etc/amanda/amanda_client.conf file:
 ssh_keys "/root/.ssh/id_rsa_amrecover"
  • You must append every client's /home/root/.ssh/id_rsa_amrecover.pub file to the /home/amandabackup/.ssh/authorized_keys file on the server.
  • For security reasons, you must prefix each of those key lines with the following options (all on one line, followed by a space and then the key):
 from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,
 no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"

This restricts every client key so it can only connect from that client and can only run amandad (with the amindexd and amidxtaped services), with no port, X11 or agent forwarding.
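Both recipes above (the amdump key on the clients and the amrecover keys on the server) depend on the same set of authorized_keys restrictions, and a missing flag or a widened command list is easy to overlook by eye. The following audit script is an added example, not part of the wiki page or of Amanda itself; the host names, the amandad path and the key blob are constructed sample values.

```python
# Added example (not from the wiki page): audit authorized_keys entries for the
# restrictions this page requires on Amanda's ssh keys; all values are constructed.
import re
import shlex

KEYTYPE_RE = re.compile(r"\b(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp\d+)\b")
# Commas split options, except inside a double-quoted value such as command="...".
OPTION_RE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
REQUIRED_FLAGS = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")

def split_options(line):
    """Raw option strings preceding the key type, or None if no key is found."""
    m = KEYTYPE_RE.search(line)
    return OPTION_RE.findall(line[:m.start()].strip()) if m else None

def audit_amanda_key(line, allowed_host, services):
    """Return the problems in one authorized_keys entry; [] means it has from= naming
    allowed_host, all no-*-forwarding flags, and command= 'amandad -auth=ssh <services>'."""
    opts = split_options(line)
    if opts is None:
        return ["no ssh key type found on line"]
    flags, kv = set(), {}
    for opt in (o.strip() for o in opts if o.strip()):
        if "=" in opt:
            name, _, value = opt.partition("=")
            kv[name.lower()] = value.strip('"')  # option names are case-insensitive
        else:
            flags.add(opt.lower())
    problems = [f"missing {f}" for f in REQUIRED_FLAGS if f not in flags]
    if "from" not in kv:
        problems.append("missing from= restriction")
    elif allowed_host not in kv["from"].split(","):
        problems.append(f"from= does not name {allowed_host}")
    if "command" not in kv:
        problems.append("missing forced command")
    else:
        argv = shlex.split(kv["command"])
        if len(argv) < 2 or not argv[0].endswith("amandad") or argv[1] != "-auth=ssh":
            problems.append("forced command is not 'amandad -auth=ssh ...'")
        elif argv[2:] != list(services):
            problems.append(f"forced command allows {argv[2:]}, expected {list(services)}")
    return problems

# Constructed entries: AMDUMP_OK follows the page's amdump recipe; AMDUMP_WEAK drops
# no-agent-forwarding and lets the server key reach the amindexd service too.
KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQ== amandabackup@backup.example.org"
AMDUMP_OK = ('from="backup.example.org",no-port-forwarding,no-X11-forwarding,'
             'no-agent-forwarding,command="/usr/libexec/amanda/amandad -auth=ssh amdump" ' + KEY)
AMDUMP_WEAK = ('from="backup.example.org",no-port-forwarding,no-X11-forwarding,'
               'command="/usr/libexec/amanda/amandad -auth=ssh amdump amindexd" ' + KEY)
```

Run `audit_amanda_key` over each line of a client's authorized_keys with the server's FQDN and `["amdump"]`, or over the server's file with each client's FQDN and `["amindexd", "amidxtaped"]`; any non-empty result is an entry that does not match the recipe above.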