2 Chapter 28. Using Kerberos with Amanda
3 Prev Part V. Technical Background Next
5 -------------------------------------------------------------------------------
7 Chapter 28. Using Kerberos with Amanda
17 XML-conversion;Updates
23 Amanda_2.5.0_-_KERBEROS_v4_SUPPORT_NOTES
33 Amanda_2.5.0_-_KERBEROS_v5_SUPPORT_NOTES
42 Destination_Host_Permissions_file
46 Amanda 2.5.0 - KERBEROS v4 SUPPORT NOTES
51 The configure script defaults to:
53 # define SERVER_HOST_PRINCIPLE "amanda"
54 # define SERVER_HOST_INSTANCE ""
55 # define SERVER_HOST_KEY_FILE "/.amanda"
57 # define CLIENT_HOST_PRINCIPLE "rcmd"
58 # define CLIENT_HOST_INSTANCE HOSTNAME_INSTANCE
59 # define CLIENT_HOST_KEY_FILE KEYFILE
61 # define TICKET_LIFETIME 128
64 You can override these with configure options if you so desire, with:
66 --with-server-principal=ARG server host principal [amanda]
67 --with-server-instance=ARG server host instance []
68 --with-server-keyfile=ARG server host key file [/.amanda]
69 --with-client-principal=ARG client host principal [rcmd]
70 --with-client-instance=ARG client host instance
72 --with-client-keyfile=ARG client host key file [KEYFILE]
73 --with-ticket-lifetime=ARG ticket lifetime [128]
76 The configure script will search under /usr/kerberos/lib, /usr/cygnus/lib, /
77 usr/lib, and /opt/kerberos/lib for libkrb.a. (in that order) for the kerberos
78 bits. If it finds them, kerberos support will be added in, if it doesn't, it
79 won't. If the kerberos bits are found under some other hierarchy, you can
80 specify this via the --with-krb4-security=DIR, where DIR is where the kerberos
81 bits live. It'll look under the 'lib' directory under this hierarchy for
86 The kerberized Amanda service uses a different port on the client hosts. The /
92 And the /etc/inetd.conf line is:
94 kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -
98 Note that you're running this as root, rather than as your dump user. Amanda
99 will set it's uid down to the dump user at times it doesn't need to read the
100 srvtab file, and give up root permissions entirely before it goes off and runs
101 dump. Alternately you can change your srvtab files to be readable by user
106 The following dumptype options apply to krb4:
108 auth "krb4" # use krb4 auth for this host
109 # (you can mingle krb hosts & bsd .rhosts in one conf)
110 kencrypt # encrypt this filesystem over the net using the krb4
111 # session key. About 2x slower. Good for those root
112 # partitions containing your keyfiles. Don't want to
113 # give away the keys to an ethernet sniffer!
114 # This is currently always enabled. There is no
115 # way to disable it. This is a bug.
119 Amanda 2.5.0 - KERBEROS v5 SUPPORT NOTES
124 You must specify --with-krb5-security to configure, otherwise there will be no
125 attempt to look for kerberos binaries. You may specify a path that the system
126 should look for the kerberos libraries, or leave it to the default.
127 By default, when --with-krb5-security is specified with with no path, the
128 configure script will search under /usr/kerberos/lib, /usr/cygnus/lib, /usr/
129 lib, and /opt/kerberos/lib for libkrb.a. (in that order) for the kerberos bits.
130 If it finds them, kerberos support will be added in, if it doesn't, it won't.
131 If the kerberos bits are found under some other hierarchy, you can specify this
132 via the --with-krb5-security=DIR, where DIR is where the kerberos bits live.
133 It'll look under the 'lib' directory under this hierarchy for libkrb.a.
134 The krb5 driver script defaults to:
137 * The lifetime of our tickets in minutes.
139 #define Amanda_TKT_LIFETIME (12*60)
142 * The name of the service in /etc/services.
144 #define Amanda_KRB5_SERVICE_NAME "k5amanda"
147 You can currently only override these by editing the source.
148 The principal and keytab file that the amanda uses are genearlly set in the
149 amanda.conf file (see below). You can hardcode this in the source if you really
150 want to and that's described in common-src/krb5-security.c
154 The kerberized Amanda service uses a different port on the client hosts. The /
155 etc/services line is:
160 And the /etc/inetd.conf line is:
162 k5amanda stream tcp nowait root /usr/local/libexec/amanda/amandad amandad -
166 Note that you're running this as root, rather than as your dump user. Amanda
167 will set it's uid down to the dump user at times it doesn't need to read the
168 keytab file, and give up root permissions entirely before it goes off and runs
169 dump. Alternately you can change your keytab files to be readable by user
170 amanda. You should understand the security implications of this before changing
171 the permissions on the keytab.
175 The following dumptype options apply to krb5:
177 auth "krb5" # use krb5 auth for this host
178 # (you can mingle krb hosts & bsd .rhosts in one conf)
181 The following two configuration directives are required in the amanda.conf file
182 for kerberos 5 dumps to work:
190 krb5keytab "/etc/krb5.keytab-amanda"
191 krb5principal "amanda/saidin.omniscient.com"
194 The principal in the second option must be contained in the first. The keytab
195 should be readable by the amanda user. (and definitely not world readable!)
196 This is (obviously) on the server. In MIT's kadmin, the following:
198 addprinc -randkey amanda/saidin.omniscient.com
199 ktadd -k /etc/krb5.keytab-amanda amanda/saidin.omniscient.com
202 will do the trick. You will obviously want to change the principal name to
203 reflect something appropriate for the conventions at your site.
204 You must also configure each client to allow the amanda principal in for dumps.
205 This is described in section 4.
207 Destination Host Permissions file
209 There are several ways to go about authorizing a server to connect to a client.
210 The normal way is via a .k5amandausers file or a .k5login file in the client
211 user's home directory. The determination of which file to use is based on the
212 way you ran configure on Amanda. By default, Amanda will use .k5amandahosts,
213 but if you configured with --without-amandahosts, Amanda will use .k5login.
214 (similar to the default for .rhosts/.amandahosts-style security). The .k5login
215 file syntax is a superset of the default krb5 .k5login. The routines to check
216 it are implemented in amanda rather than using krb5_kuserok because the
217 connections are actually gssapi based.
218 This .k5amandahosts/.k5login is a hybrid of the .amandahosts and a .k5login
219 file. You can just list principal names, as in a .k5login file and the
220 principal will be permitted in from any host. If you do NOT specify a realm,
221 then there is no attempt to validate the realm (this is only really a concern
222 if you have cross-realm authentication set up with another realm or something
223 else that allows you multiple realms in your kdc. If you do specify a realm,
224 only that principal@realm will be permitted to connect.
225 You may prepend this with a hostname and whitespace, and only that principal
226 (with optional realm as above) will be permitted to access from that hostname.
227 Here are examples of valid entries in the .k5amandahosts:
230 service/amanda@TEST.COM
231 dumpmaster.test.com service/amanda
232 dumpmaster.test.com service/amanda@TEST.COM
235 Rather than using a .k5amandahosts or .k5login file, the easiest way is to use
236 a principal named after the destination user, (such as amanda@TEST.COM in our
237 example) and not have either a .k5amandahosts or .k5login file in the
238 destination user's home directory.
242 There is no attempt to verify the realm in this case (only a concern if you
243 have cross-realm authentication setup).
247 Refer to http://www.amanda.org/docs/kerberos.html for the current version of
249 -------------------------------------------------------------------------------
252 Chapter 27. Virtual Tape API Home Part VI. Historical files