Configuring bsd/bsdudp/bsdtcp authentication
From The Open Source Backup Wiki (Amanda, MySQL Backup)
These configuration files are valid only for Amanda 2.5.1 or later releases.
Configure amanda to support bsdudp or bsdtcp security
Amanda must be configured with
--with-bsdtcp-security
or with
--with-bsdudp-security
Otherwise, amcheck will return messages like:
Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid
See How to use different auth with Amanda
Changes in the disklist file
On the Amanda server the entries in the disklist need to have the auth parameter.
server.example.com {
comp-user-tar
auth "bsdtcp"
} 1
This may also be set globally in the dumptype definition in amanda.conf:
define dumptype comp-user-tar {
...
auth "bsdtcp"
...
}
Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd" available. (The default protocol is "bsd".)
xinetd/inetd configuration file changes
Amandad (the Amanda client process) must be configured correctly as an xinetd or inetd service on each Amanda client. This configuration is needed for the backup process (amdump).
Template for the /etc/xinetd.d/amanda file
service amanda
{
only_from = <Amanda server>
socket_type = dgram
protocol = udp
wait = yes
user = <amanda backup user>
group = <amanda backup user group id>
groups = yes
server = <absolute path to amandad>
server_args = -auth=bsd amdump
disable = no
}
Example xinetd.d amanda client service file with backup user amandabackup
service amanda
{
only_from = amandaserver.example.com
socket_type = dgram
protocol = udp
wait = yes
user = amandabackup
group = disk
groups = yes
server = /usr/lib/amanda/amandad
server_args = -auth=bsd amdump
disable = no
}
The Amanda server (tape server) can also be configured to use "bsd" authentication for the restore process (the amrecover command). The server_args of the xinetd service entry on the server should then include amindexd and amidxtaped, and the only_from line should list all clients that are allowed to perform recovery.
Example of an xinetd entry on the server that uses bsd and can do both backup and recovery:
service amanda
{
only_from = amandaserver.example.com amandaclient.example.com
socket_type = dgram
protocol = udp
wait = yes
user = amandabackup
group = disk
groups = yes
server = /usr/lib/amanda/amandad
server_args = -auth=bsd amdump amindexd amidxtaped
disable = no
}
The bsdtcp authentication requires different xinetd/inetd service entries, because the transport is tcp: socket_type becomes stream, protocol becomes tcp, wait becomes no, and server_args passes -auth=bsdtcp. An example bsdtcp xinetd service entry for a machine that can do both backup and recovery (those four lines are the only differences from the bsd entry):
service amanda
{
only_from = amandaserver.example.com amandaclient.example.com
socket_type = stream
protocol = tcp
wait = no
user = amandabackup
group = disk
groups = yes
server = /usr/lib/amanda/amandad
server_args = -auth=bsdtcp amdump amindexd amidxtaped
disable = no
}
The bsdudp authentication requires only a minor modification to the bsd xinetd service entry: the transport stays udp and only server_args changes, to -auth=bsdudp. An example:
service amanda
{
only_from = amandaserver.example.com amandaclient.example.com
socket_type = dgram
protocol = udp
wait = yes
user = amandabackup
group = disk
groups = yes
server = /usr/lib/amanda/amandad
server_args = -auth=bsdudp amdump amindexd amidxtaped
disable = no
}
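As an added example (not part of the wiki page or of Amanda itself), a small Python checker that parses an xinetd amanda stanza and verifies that socket_type, protocol and wait match the -auth driver given in server_args, which is exactly how the bsd/bsdudp and bsdtcp entries above differ. The stanza in the block is constructed: a bsdtcp entry in which the udp transport lines were left unchanged.

```python
import re
# Transport settings each auth driver needs in xinetd, as the page's entries show:
# bsd and bsdudp use dgram/udp with wait=yes, bsdtcp uses stream/tcp with wait=no.
EXPECTED = {
    "bsd":    {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdudp": {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdtcp": {"socket_type": "stream", "protocol": "tcp", "wait": "no"},
}

def parse_xinetd_service(text):
    """Parse one 'service name { key = value ... }' stanza into a dict."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no service stanza found")
    attrs = {"service": m.group(1)}
    for line in m.group(2).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs

def check_amanda_stanza(attrs):
    """Return the list of inconsistencies found (empty list = stanza is consistent)."""
    problems = []
    auth = "bsd"  # amandad's default driver when server_args carries no -auth=
    for arg in attrs.get("server_args", "").split():
        if arg.startswith("-auth="):
            auth = arg[len("-auth="):]
    if auth not in EXPECTED:
        return [f"auth driver {auth!r} is not one of the xinetd-based drivers"]
    for key, want in EXPECTED[auth].items():
        got = attrs.get(key)
        if got != want:
            problems.append(f"{key} = {got!r}, but -auth={auth} needs {want!r}")
    if not attrs.get("only_from"):
        problems.append("only_from is empty: any host could reach amandad")
    return problems

# Constructed sample: a bsdtcp entry with the udp transport lines left in by mistake.
SAMPLE_BAD = """service amanda
{
only_from = amandaserver.example.com amandaclient.example.com
socket_type = dgram
protocol = udp
wait = yes
user = amandabackup
server_args = -auth=bsdtcp amdump amindexd amidxtaped
}
"""
```

Running check_amanda_stanza(parse_xinetd_service(SAMPLE_BAD)) reports the three transport mismatches; a stanza with stream/tcp/wait=no passes cleanly.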
inetd.conf example
When using inetd, the only_from restriction is instead controlled by your hosts.allow file on the local system. The example below assumes user=amanda and auth=bsd.
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped
When using auth=ssh, the above is irrelevant and not needed.
If you are using TCP wrappers, an example inetd entry:
amanda dgram udp wait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
.amandahosts configuration file changes
The .amandahosts file is located in the home directory of the backup user (for example /var/lib/amanda). It should be readable and writable only by the backup user.
The format of .amandahosts is:
<FQDN of the server> <backup user> <service(s)>
FQDN is the fully qualified domain name. An entry allows the named server, connecting as the named backup user, to run the listed service(s) on the local machine.
Example: the .amandahosts file on the Amanda client should contain
amandaserver.example.com amandabackup amdump
The .amandahosts file on the Amanda server should contain
amandaclient1.example.com root amindexd amidxtaped
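An added example (not from the wiki page or from Amanda's own code): a Python helper that parses .amandahosts entries in the format above, answers whether a given server/user/service triple is authorized, and checks the ownership and mode rule stated above. The sample files are constructed from the two entries shown; tolerating trailing # comments and treating an entry with no service field as granting nothing are this example's own simplifications, not a statement about amandad's behaviour.

```python
import os
import stat

def parse_amandahosts(text):
    """Parse '<FQDN of the server> <backup user> <service(s)>' lines.
    Returns (host, user, services) tuples; hostnames are lower-cased so
    comparisons are case-insensitive. A line with no service field is kept
    with an empty set and therefore grants nothing (this example's own rule)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # example's own: allow # comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed .amandahosts line: {raw!r}")
        entries.append((fields[0].lower(), fields[1], set(fields[2:])))
    return entries

def is_authorized(entries, host, user, service):
    """True if some entry grants `user` connecting from `host` the named service."""
    host = host.lower()
    return any(h == host and u == user and service in s for h, u, s in entries)

def mode_problems(st_mode, file_uid, backup_uid):
    """Check the page's rule that .amandahosts is readable and writable only
    by the backup user: owned by that user, no group/other permission bits."""
    problems = []
    if file_uid != backup_uid:
        problems.append("not owned by the backup user")
    perm = stat.S_IMODE(st_mode)
    if perm & 0o077:
        problems.append(f"mode {oct(perm)} grants group/other access")
    return problems

def check_amandahosts_file(path, backup_uid):
    """Run the ownership/permission check against a real file on disk."""
    st = os.stat(path)
    return mode_problems(st.st_mode, st.st_uid, backup_uid)

# Constructed samples mirroring the page's client and server files.
CLIENT_AMANDAHOSTS = "amandaserver.example.com amandabackup amdump\n"
SERVER_AMANDAHOSTS = "amandaclient1.example.com root amindexd amidxtaped\n"
```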
Backing up an older Amanda 2.4 client
An Amanda 2.5 server (user "amandabackup") can back up an Amanda 2.4 client (user "amanda"). For this the server must use auth "bsd" for communication; a global auth "bsdtcp" setting can be overridden in dedicated dumptype definitions used for the older clients.
Example of an xinetd entry using auth "bsd" on an older Amanda 2.4 client (using user "amanda"):
service amanda
{
only_from = amandaserver.example.com
socket_type = dgram
protocol = udp
wait = yes
user = amanda
group = disk
groups = yes
server = /usr/lib/amanda/amandad
disable = no
}
The ".amandahosts" file on the client still needs to specify that the server connection comes from the "amandabackup" user:
amandaclient.example.com amandabackup amdump
