Server/Client authentication: Difference between revisions

From wiki.zmanda.com
m (kereberos -> kerberos)
Line 13: Line 13:
The authentication is done using ''.amandahosts'' files in the backup user's (for example: amandabackup) home directory. It uses TCP protocol between Amanda server and client. On the client, two reserved ports are used. On the server, all data streams are multiplexed to one port.   
The authentication is done using ''.amandahosts'' files in the backup user's (for example: amandabackup) home directory. It uses TCP protocol between Amanda server and client. On the client, two reserved ports are used. On the server, all data streams are multiplexed to one port.   


===Kereberos authentication===
===Kerberos authentication===


Amanda support Kereberos 4 and 5 authentication between Amanda server and client.  Kerberos 4 uses UDP protocol and the number of DLEs is limited by UDP packet size.  Kerberos 5 uses TCP and the server uses only one TCP port and data streams are multiplexed to this port.
Amanda support Kerberos 4 and 5 authentication between Amanda server and client.  Kerberos 4 uses UDP protocol and the number of DLEs is limited by UDP packet size.  Kerberos 5 uses TCP and the server uses only one TCP port and data streams are multiplexed to this port.


===SSH authentication===
===SSH authentication===
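
Review bot: In the revised Kerberos paragraph, "Amanda support Kerberos 4 and 5" still has a subject-verb disagreement. Since this edit already touches that sentence for the spelling fix, change it to "Amanda supports Kerberos 4 and 5" in the same revision.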

Revision as of 12:38, 12 February 2007

Amanda (release 2.5.1) supports "bsd", "bsdudp", "bsdtcp", "ssh" and Kerberos authentication between the Amanda server (also called the tape server) and the client. The authentication is used for the backup process (amdump) as well as the recovery process (amrecover).

bsd authentication

The authentication is done using the .amandahosts file in the backup user's (for example: amandabackup) home directory. The protocol between the Amanda server and client is UDP. The number of disk list entries (DLEs), i.e. the number of Amanda clients, is limited by the UDP packet size. This authentication protocol uses a different port for each data stream.

bsdudp authentication

The authentication is done using .amandahosts files in the backup user's (for example: amandabackup) home directory. It uses the UDP protocol between the Amanda server and client for data, and hence the number of DLEs is limited by the UDP packet size. It uses one TCP port to establish the connection and multiplexes all data streams using one port on the server.

bsdtcp authentication

The authentication is done using .amandahosts files in the backup user's (for example: amandabackup) home directory. It uses the TCP protocol between the Amanda server and client. On the client, two reserved ports are used. On the server, all data streams are multiplexed to one port.

Kerberos authentication

Amanda supports Kerberos 4 and 5 authentication between the Amanda server and client. Kerberos 4 uses the UDP protocol, and the number of DLEs is limited by the UDP packet size. Kerberos 5 uses TCP; the server uses only one TCP port, and data streams are multiplexed to this port.

SSH authentication

The Amanda client sends data to the server using SSH. SSH keys have to be set up so that the Amanda server can communicate with clients using SSH.

RSH authentication

The Amanda server communicates with the client using the rsh protocol. It communicates as the backup user (for example: amandabackup).

Each Amanda client communicates with the server using one TCP port, and all data streams from the client are multiplexed over that port. The number of Amanda clients is limited by the number of reserved ports available to the Amanda server. Some versions of rsh do not use a reserved port, so this restriction does not apply to them.

Build options

If you are building from source RPMs or a tarball, you can configure the set of authentication methods.

| Authentication | Configure option |
|---|---|
| bsd | --with-bsd-security --with-amandahosts |
| bsdtcp | --with-bsdtcp-security --with-amandahosts |
| bsdudp | --with-bsdudp-security --with-amandahosts |
| krb4 | --with-krb4-security |
| krb5 | --with-krb5-security |
| rsh | --with-rsh-security |
| ssh | --with-ssh-security |

Configuration

The authentication protocol used between the Amanda server and client is configured with the auth parameter in the dumptype definition. See the amanda.conf(5) man page for more information on this parameter.

Ports used

The TCP/UDP ports used by each authentication method on the Amanda server and client are listed below (configure options are shown in brackets):

| Authentication | Protocol | Amanda server | Amanda client |
|---|---|---|---|
| bsd | udp | one reserved port per amanda process (--with-udpportrange) | 10080 |
| | tcp | one unreserved port (--with-tcpportrange) | 3 unreserved ports per DLE (--with-tcpportrange) |
| bsdudp | udp | one reserved port per amanda process (--with-udpportrange) | 10080 |
| | tcp | one unreserved port (--with-tcpportrange) | 1 unreserved port per DLE (--with-tcpportrange) |
| bsdtcp | tcp | one reserved port per amanda process (--with-low-tcpportrange) | port 10080 |


The Amanda server also uses two ports (dumper process) to communicate with the chunker/taper processes. These ports are in the range set by --with-tcpportrange.
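
When scoping firewall rules for a given auth method, it helps to check that the configured port ranges can actually hold what the table above requires. The following is an added example, not part of Amanda or of the original page; the `check` function, the `Row` layout and any range values passed to it are hypothetical, and the range checks rely only on the fact that reserved ports are those below 1024.

```python
from collections import namedtuple

Row = namedtuple("Row", "side proto kind count per option")
RESERVED_MAX = 1023  # reserved (privileged) ports are those below 1024

# Transcribed from the "Ports used" table; "fixed" is the client's port 10080.
TABLE = {
    "bsd": [
        Row("server", "udp", "reserved", 1, "process", "--with-udpportrange"),
        Row("client", "udp", "fixed", 1, None, None),
        Row("server", "tcp", "unreserved", 1, None, "--with-tcpportrange"),
        Row("client", "tcp", "unreserved", 3, "dle", "--with-tcpportrange"),
    ],
    "bsdudp": [
        Row("server", "udp", "reserved", 1, "process", "--with-udpportrange"),
        Row("client", "udp", "fixed", 1, None, None),
        Row("server", "tcp", "unreserved", 1, None, "--with-tcpportrange"),
        Row("client", "tcp", "unreserved", 1, "dle", "--with-tcpportrange"),
    ],
    "bsdtcp": [
        Row("server", "tcp", "reserved", 1, "process", "--with-low-tcpportrange"),
        Row("client", "tcp", "fixed", 1, None, None),
    ],
}

def check(auth, ranges, dles, processes):
    """Return (needs, problems) for one auth method.
    ranges maps a configure option to its (low, high) value; dles and
    processes are the counts the table scales by."""
    needs, problems = [], []
    for r in TABLE[auth]:
        if r.kind == "fixed":
            needs.append((r.side, r.proto, "10080", 1))
            continue
        n = r.count * {"dle": dles, "process": processes, None: 1}[r.per]
        low, high = ranges[r.option]
        size = high - low + 1
        needs.append((r.side, r.proto, f"{low}-{high}", n))
        if size < n:
            problems.append(f"{r.option}={low},{high} holds {size} ports, {r.side} needs {n}")
        if r.kind == "reserved" and high > RESERVED_MAX:
            problems.append(f"{r.option}={low},{high} extends above the reserved ports")
        if r.kind == "unreserved" and low <= RESERVED_MAX:
            problems.append(f"{r.option}={low},{high} overlaps the reserved ports")
    return needs, problems
```

The `needs` list gives the side, protocol, port or range, and port count to allow through a firewall; `problems` lists ranges that are too small or on the wrong side of 1024 for the chosen method.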