2 .\" Author: Jean-Louis Martineau <martineau@zmanda.com>
3 .\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
5 .\" Manual: Miscellanea
6 .\" Source: Amanda 2.6.1
9 .TH "AMANDA\-AUTH" "7" "01/22/2009" "Amanda 2\&.6\&.1" "Miscellanea"
10 .\" -----------------------------------------------------------------
11 .\" * (re)Define some macros
12 .\" -----------------------------------------------------------------
13 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14 .\" toupper - uppercase a string (locale-aware)
15 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17 .tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
19 .tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
21 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22 .\" SH-xref - format a cross-reference to an SH section
23 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33 .\" SH - level-one heading that works better for non-TTY output
34 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36 .\" put an extra blank line of space above the head in non-TTY output
43 .nr an-prevailing-indent \\n[IN]
47 .HTML-TAG ".NH \\n[an-level]"
49 .nr an-no-space-flag 1
51 \." make the size of the head bigger
56 .\" if n (TTY output), use uppercase
61 .\" if not n (not TTY), use normal case (not uppercase)
65 .\" if not n (not TTY), put a border/line under subheading
70 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71 .\" SS - level-two heading that works better for non-TTY output
72 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77 .nr an-prevailing-indent \\n[IN]
82 .nr an-no-space-flag 1
85 \." make the size of the head bigger
91 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92 .\" BB/BE - put background/screen (filled box) around block of text
93 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
106 .if "\\$2"adjust-for-leading-newline" \{\
114 .nr BW \\n(.lu-\\n(.i
117 .ie "\\$2"adjust-for-leading-newline" \{\
118 \M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
121 \M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
132 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133 .\" BM/EM - put colored marker in margin next to block of text
134 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151 \M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
159 .\" -----------------------------------------------------------------
160 .\" * set default formatting
161 .\" -----------------------------------------------------------------
162 .\" disable hyphenation
164 .\" disable justification (adjust text to left margin only)
166 .\" -----------------------------------------------------------------
167 .\" * MAIN CONTENT STARTS HERE *
168 .\" -----------------------------------------------------------------
170 amanda-auth \- Communication/Authentication methods between \fIAmanda\fR server and client
174 offers 7 methods of communication between Amanda server (sometimes also called the tape server) and clients, each with its own authentication method\&. The desired communication method is specified by the
176 parameter in the amanda\&.conf file (\fBamanda.conf\fR(5)) commonly as a dumptype\&. Valid values to the
186 \fBssh\fR\&. Please note that
188 will be removed in the next release\&. The authentication and communication method is used during the backup process
190 (amdump(8)) as well as the recovery process
192 (amrecover(8))\&. For detailed information, please see http://wiki\&.zmanda\&.com/index\&.php/Server/Client_authentication\&.
193 .SH "COMPILATION AND GENERAL INFORMATION"
195 The communication method and thus type of authentication that will be used by the Amanda server is specified by the
197 parameter in the dumptype for each disklist entry (DLE)\&. The
199 parameter thus may be easily and globally specified in the "global" dumptype\&. If
201 is not specified, the
203 communication method is used\&. See
205 for more information on Amanda configuration and dumptypes, and
207 for more information on disklists\&.
209 On the client side, the Amanda daemon
211 validates the connection depending on the value of the
213 argument passed to it (see
214 \fIAmanda\fR(8))\&. Also, when it comes to recovery, the
216 parameter can be specified in the
217 \fBamanda-client.conf\fR(5)
218 file to specify the communication method to be used by the client to the server\&.
222 is being built from source code, desired communication and thus authentication methods (shown as "Authentication") must be specified as configure options at compilation time\&.
225 Authentication Configure option(s)
226 bsd \-\-with\-bsd\-security \-\-with\-amandahosts (pre\-2\&.6)
227 bsdtcp \-\-with\-bsdtcp\-security \-\-with\-amandahosts (pre\-2\&.6)
228 bsdudp \-\-with\-bsdudp\-security \-\-with\-amandahosts (pre\-2\&.6)
229 krb5 \-\-with\-krb5\-security
230 local (always included)
231 rsh \-\-with\-rsh\-security
232 ssh \-\-with\-ssh\-security
235 There are additional configure options for
239 to allow for specifying explicit UDP and TCP port ranges\&.
242 \-\-with\-udpportrange
243 \-\-with\-tcpportrange
244 \-\-with\-low\-tcpportrange
249 below for more information\&.
251 There are additional configure options for Kerberos if you so desire\&. All but the last option are for Kerberos 4\&. Defaults shown in square brackets\&.
254 \-\-with\-server\-principal=ARG server host principal [amanda]
255 \-\-with\-server\-instance=ARG server host instance []
256 \-\-with\-server\-keyfile=ARG server host key file [/\&.amanda]
257 \-\-with\-client\-principal=ARG client host principal [rcmd]
258 \-\-with\-client\-instance=ARG client host instance [HOSTNAME_INSTANCE]
259 \-\-with\-client\-keyfile=ARG client host key file [KEYFILE]
260 \-\-with\-ticket\-lifetime=ARG ticket lifetime [128]
261 \-\-with\-krb4\-security=DIR where libkrb\&.a lives [see below]
262 \-\-with\-krb5\-security=DIR where libkrb\&.a lives [see below]
265 If configuring with \-\-with\-krb4\-security and/or \-\-with\-krb5\-security, the configure script will search under /usr/kerberos/lib, /usr/cygnus/lib, /usr/lib, and /opt/kerberos/lib for the kerberos bits, libkrb\&.a, in this order\&. Kerberos support will not be added if it does not find them\&. If the kerberos bits are found under some other hierarchy, you can specify this via \-\-with\-krb5\-security=DIR and/or \-\-with\-krb4\-security=DIR, where DIR is where the kerberos bits live\&. The configure script will then look in the \'lib\' directory under this hierarchy for libkrb\&.a\&.
269 parameter selects a communication/authentication method to use between the client and the backup server\&. These methods are described each in their own section below\&.
270 .SH "BSD, BSDUDP, AND BSDTCP COMMUNICATION AND AUTHENTICATION"
272 For more detail, see http://wiki\&.zmanda\&.com/index\&.php/Configuring_bsd/bsdudp/bsdtcp_authentication\&.
278 communication methods use either UDP, TCP, or both protocols operating as a network service to authenticate and exchange data between server and clients\&.
280 In addition to compilation and general configuration (see
281 \fBCOMPILATION AND GENERAL INFORMATION\fR
282 above), the authentication method that the client is configured to receive is specified by the
284 parameter in the network service configuration for
285 \fIAmanda\fR\&. The authentication method used by an Amanda client to reach the server during recovery is the authentication method specified by the
287 parameter in the client\'s Amanda network service configuration or in its amanda\-client\&.conf file (see amanda\-client\&.conf(5))\&.
288 .SS "\&.amandahosts file"
290 Servers and clients using the bsd, bsdudp, and bsdtcp authentication methods refer to the \&.amandahosts file to control access\&. Amanda should be compiled for this access control if one of these methods will be used and is the default compilation option for Amanda 2\&.6 (use \-\-with\-amandahosts when compiling pre\-2\&.6 versions of Amanda)\&.
292 Amanda looks for the \&.amandahosts file in the Amanda user\'s home directory, commonly /var/lib/amanda\&.
294 Each authorization is on its own line in the following format
300 \fIservice\&.\&.\&.\fR
305 is ommitted, it defaults to the user running
306 \fBamandad\fR, i\&.e\&. the user listed in the
310 configuration file\&.
312 \fIservice\&.\&.\&.\fR
313 is a space\-delimited list of services the client is authorized to execute:
319 (a shortcut for the previous four services which are required on clients),
321 \fBamidxtaped\fR\&. The last two services are required on a server for clients to connect to it using
324 Example of the \&.amandahosts file on an Amanda client
327 \fBamandaserver\&.example\&.com amandabackup amdump\fR
330 Example of the \&.amandahosts file on an Amanda server
333 \fBamandaclient1\&.example\&.com root amindexd amidxtaped\fR
335 .SS "bsd communication and authentication"
337 The authentication is done using \&.amandahosts file in the Amanda user\'s home directory\&. The protocol between Amanda server and client is UDP\&. The number of disk list entries (DLEs)\-\-number of Amanda clients\-\-is limited by the UDP packet size\&. This authentication protocol will use a different port for each data stream (see PORT USAGE below)
338 .SS "bsdudp communication and authentication"
340 The authentication is done using \&.amandahosts files in the Amanda user\'s home directory\&. It uses UDP protocol between Amanda server and client for data and hence the number of DLEs is limited by the UDP packet size\&. It uses one TCP port to establish the connection and multiplexes all data streams using one port on the server (see PORT USAGE below)\&.
341 .SS "bsdtcp communication and authentication"
343 The authentication is done using \&.amandahosts files in the backup user\'s (for example: amandabackup) home directory\&. It uses TCP protocol between Amanda server and client\&. On the client, two reserved ports are used\&. On the server, all data streams are multiplexed to one port (see PORT USAGE below)\&.
344 .SS "USING INETD SERVER"
346 Template for Amanda client inetd service entry
349 \fI service_name\fR \fIsocket_type\fR \fIprotocol\fR \fIwait/nowait\fR \fIamanda_backup_user\fR \fIabsolute_path_to_amandad\fR amandad \fIserver_args\fR
352 Client example of using
354 authorization for inetd server given Amanda user is "amandabackup":
357 \fB amanda dgram udp wait amandabackup /path/to/amandad amandad \-auth=bsd amdump\fR
360 The same could be used for
362 if specifying \-auth=bsdudp instead of \-auth=bsd\&.
364 Client example of using
366 authorization for inetd server given Amanda user is "amandabackup":
369 \fB amanda stream tcp nowait amanda /path/to/amandad amandad \-auth=bsdtcp amdump\fR
375 would typically be added at the end of the line as
377 server arguments for an Amanda server\&.
379 Server example of using
381 authorization for inetd server given Amanda user is "amandabackup":
384 \fB amanda stream tcp nowait amanda /path/to/amandad amandad \-auth=bsdtcp amdump amindexd amidxtaped\fR
387 For Amanda version 2\&.5\&.0 and earlier, remember that neither
391 are supported and the Amanda daemon
393 accepts no arguments\&. Because of the latter,
395 as of Amanda version 2\&.5\&.1 is not compatible with 2\&.5\&.0 and earlier servers\&. Thus, servers that are 2\&.5\&.0 or earlier must, in addition to the
401 Amanda services as their own network services, amandaidx and amidxtape, respectively (see below)\&.
403 There are no compatibility issues if server and clients are all 2\&.5\&.0 or earlier\&. If your server is 2\&.5\&.1 or later, you can still have clients that are 2\&.5\&.0 and earlier although you must then use
405 communication/authentication with these clients and must also run
409 Amanda services on the server as their own network services, amandaidx and amidxtape, respectively (see below)\&. If you have a server that is 2\&.5\&.0 and earlier, clients of a later version on which you wish to run
413 instead and, again, the server must be running the amandaidx and amidxtape network services\&.
415 Example of amindexd and amidxtaped Amanda daemon services configured as their own network services for a 2\&.5\&.0 or earlier server or a newer server having 2\&.5\&.0 or earlier clients
418 \fB amandaidx stream tcp nowait amanda /usr/local/libexec/amanda/current/amindexd amindexd\fR
419 \fB amidxtape stream tcp nowait amanda /usr/local/libexec/amanda/current/amidxtaped amidxtaped\fR
421 .SS "USING XINETD SERVER"
423 Template for Amanda client xinetd service file
428 only_from = \fIAmanda server\fR
429 socket_type = \fIsocket type\fR
430 protocol = \fIprotocol\fR
432 user = \fIamanda backup user\fR
433 group = \fIamanda backup user group id\fR
435 server = \fIabsolute path to amandad\fR
436 server_args = \fIamandad server arguments\fR
443 parameter can be used with xinetd but is usually in addition to the primary form of access control via the \&.amandahosts file\&.
445 Client example of using
447 authorization for xinetd server and for Amanda user "amandabackup":
452 only_from = amandaserver\&.example\&.com
459 server = /path/to/amandad
460 server_args = \-auth=bsd amdump
465 The same could be used for
467 if specifying \-auth=bsdudp instead of \-auth=bsd\&.
469 Client example of using
471 authorization for xinetd server and for Amanda user "amandabackup":
476 only_from = amandaserver\&.example\&.com amandaclient\&.example\&.com
483 server = /path/to/amandad
484 server_args = \-auth=bsdtcp amdump
492 would typically be added as additional
495 for an Amanda server\&.
497 For Amanda version 2\&.5\&.0 and earlier, remember that neither
501 are supported and the Amanda daemon
503 accepts no arguments\&. Because of the latter,
505 as of Amanda version 2\&.5\&.1 is not compatible with 2\&.5\&.0 and earlier servers\&. Thus, servers that are 2\&.5\&.0 or earlier must, in addition to the
511 Amanda services as their own network services, amandaidx and amidxtape, respectively (see below)\&.
513 There are no compatibility issues if server and clients are all 2\&.5\&.0 or earlier\&. If your server is 2\&.5\&.1 or later, you can still have clients that are 2\&.5\&.0 and earlier although you must then use
515 communication/authentication with these clients and must also run
519 Amanda services on the server as their own network services, amandaidx and amidxtape, respectively (see below)\&. If you have a server that is 2\&.5\&.0 and earlier, clients of a later version on which you wish to run
523 instead and, again, the server must be running the amandaidx and amidxtape network services\&.
525 Example of amindexd and amidxtaped Amanda daemon services configured as their own network services for a 2\&.5\&.0 or earlier server or a newer server having 2\&.5\&.0 or earlier clients
535 server = /usr/local/libexec/amanda/amindexd
546 server = /usr/local/libexec/amanda/amidxtaped
552 List of TCP/UDP ports used by network service communication methods for Amanda server and client\&.
557 RPpAP = Reserved Port per Amanda Process
558 UPpDLE = Unreserved Port per DLE
559 [\&.\&.] = Configure options that can be used at compile time to define port ranges
561 Authentication Protocol Amanda server Amanda client
562 bsd udp 1 RPpAP [\-\-with\-udpportrange] 10080
563 tcp 1 UP [\-\-with\-tcpportrange] 3 UPpDLE [\-\-with\-tcpportrange]
564 bsdudp udp 1 RPpAP [\-\-with\-udpportrange] 10080
565 tcp 1 UP [\-with\-tcpportrange] 1 UPpDLE [\-\-with\-tcpportrange]
566 bsdtcp tcp 1 RPpAP [\-\-with\-low\-tcpportrange] 10080
569 Amanda server also uses two ports (dumper process) to communicate with the chunker/taper processes\&. These ports are in the range set by \-\-with\-tcpportrange\&.
571 You can override the default port ranges that Amanda was compiled with in each configuration using the
572 \fIreserved\-udp\-port\fR,
573 \fIreserved\-tcp\-port\fR, and
574 \fIunreserved\-tcp\-port\fR
575 parameters in amanda\&.conf and amanda\-client\&.conf configuration files (see
578 \fBamanda-client.conf\fR(5))\&.
579 .SH "KERBEROS COMMUNICATION AND AUTHENTICATION"
581 For more detail, see http://wiki\&.zmanda\&.com/index\&.php/Kerberos_authentication\&.
583 Amanda supports Kerberos 4 and 5 communication methods between Amanda server and client\&. Please note, however, that support for Kerberos 4 will be removed in the next release\&.
585 General information including compilation are given above (see
586 \fBCOMPILATION AND GENERAL INFORMATION\fR
587 above)\&. Below sections give specific Kerberos 4 and 5 information\&.
590 Please note that support for Kerberos 4 will be removed in the next release\&.
592 Kerberos 4 uses UDP protocol and the number of DLEs is limited by UDP packet size\&.
594 The kerberized AMANDA service uses a different port on the client hosts\&. The /etc/services line is:
598 And the /etc/inetd\&.conf line is:
601 kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad \-auth=krb4
604 Note that you\'re running this as root, rather than as your dump user\&. AMANDA will set its uid down to the dump user at times it doesn\'t need to read the srvtab file, and give up root permissions entirely before it goes off and runs dump\&. Alternately you can change your srvtab files to be readable by user amanda\&.
606 The following dumptype options apply to krb4:
609 auth "krb4" # use krb4 auth for this host
610 # (you can mingle krb hosts and bsd \&.rhosts in one conf)
611 kencrypt # encrypt this filesystem over the net using the krb4
612 # session key\&. About 2x slower\&. Good for those root
613 # partitions containing your keyfiles\&. Don\'t want to
614 # give away the keys to an ethernet sniffer!
615 # This is currently always enabled\&. There is no
616 # way to disable it\&. This is a bug\&.
620 Kerberos 5 uses TCP and the server uses only one TCP port and data streams are multiplexed to this port\&.
623 The \fBkrb5\fR driver script defaults to:
626 * The lifetime of our tickets in minutes\&.
628 #define AMANDA_TKT_LIFETIME (12*60)
631 * The name of the service in /etc/services\&.
633 #define AMANDA_KRB5_SERVICE_NAME "k5amanda"
635 You can currently only override these by editing the source code\&.
637 The kerberized AMANDA service uses a different port on the client hosts\&. The /etc/services line is:
641 And the /etc/inetd\&.conf line is:
644 k5amanda stream tcp nowait root /usr/local/libexec/amanda/amandad amandad \-auth=krb5
647 Note that you\'re running this as root, rather than as your dump user\&. AMANDA will set its UID down to the dump user at times it doesn\'t need to read the keytab file, and give up root permissions entirely before it goes off and runs dump\&. Alternately you can change your keytab files to be readable by user amanda\&. You should understand the security implications of this before changing the permissions on the keytab\&.
649 The following dumptype options apply to
653 auth "krb5" # use krb5 auth for this host
654 # (you can mingle krb hosts and bsd \&.rhosts in one conf)
657 The principal and keytab files that Amanda uses must be set in the amanda\&.conf file for kerberos 5 dumps to work\&. You can hardcode this in the source code if you really want to (common\-src/krb5\-security\&.c)
667 krb5keytab "/etc/krb5\&.keytab\-amanda"
668 krb5principal "amanda/saidin\&.omniscient\&.com"
671 The principal in the second option must be contained in the first\&. The keytab should be readable by the amanda user (and definitely not world readable!) and is (obviously) on the server\&. In MIT\'s kadmin, the following:
674 addprinc \-randkey amanda/saidin\&.omniscient\&.com
675 ktadd \-k /etc/krb5\&.keytab\-amanda amanda/saidin\&.omniscient\&.com
678 will do the trick\&. You will obviously want to change the principal name to reflect something appropriate for the conventions at your site\&.
680 You must also configure each client to allow the amanda principal in for dumps\&.
682 There are several ways to go about authorizing a server to connect to a client\&.
684 The normal way is via a \&.k5amandausers file or a \&.k5login file in the client user\'s home directory\&. The determination of which file to use is based on the way you ran configure on AMANDA\&. By default, AMANDA will use \&.k5amandahosts, but if you configured with \-\-without\-amandahosts, AMANDA will use \&.k5login\&. (similar to the default for \&.rhosts/\&.amandahosts\-style security)\&. The \&.k5login file syntax is a superset of the default
686 \&.k5login\&. The routines to check it are implemented in amanda rather than using krb5_kuserok because the connections are actually gssapi based\&.
688 This \&.k5amandahosts/\&.k5login is a hybrid of the \&.amandahosts and a \&.k5login file\&. You can just list principal names, as in a \&.k5login file and the principal will be permitted in from any host\&. If you do NOT specify a realm, then there is no attempt to validate the realm (this is only really a concern if you have cross\-realm authentication set up with another realm or something else that allows you multiple realms in your kdc\&. If you do specify a realm, only that principal@realm will be permitted to connect\&.
690 You may prepend this with a hostname and whitespace, and only that principal (with optional realm as above) will be permitted to access from that hostname\&.
692 Here are examples of valid entries in the \&.k5amandahosts:
696 service/amanda@TEST\&.COM
697 dumpmaster\&.test\&.com service/amanda
698 dumpmaster\&.test\&.com service/amanda@TEST\&.COM
701 Rather than using a \&.k5amandahosts or \&.k5login file, the easiest way is to use a principal named after the destination user, (such as amanda@TEST\&.COM in our example) and not have either a \&.k5amandahosts or \&.k5login file in the destination user\'s home directory\&.
703 There is no attempt to verify the realm in this case (only a concern if you have cross\-realm authentication setup)\&.
704 .SH "LOCAL COMMUNICATION"
706 The Amanda server communicates with the client internally versus over the network, ie\&. the client is also the server\&.
708 This is the only method that requires no authentication as it is clearly not needed\&.
709 .SH "RSH COMMUNICATION AND AUTHENTICATION"
711 For more detail, see http://wiki\&.zmanda\&.com/index\&.php/Configuring_rsh_authentication\&.
713 The Amanda server communicates with its client as the Amanda user via the RSH protocol\&.
715 Please note that RSH protocol itself is insecure and should be used with caution especially on any servers and clients with public IPs\&.
717 Each Amanda client communicates with the server using one TCP port and all data streams from the client are multiplexed over one port\&. The number of Amanda clients is limited by the number of reserved ports available on the Amanda server\&. Some versions of RSH do not use reserved ports and, thus, this restriction is not valid\&.
719 General information including compilation is given above (see
720 \fBCOMPILATION AND GENERAL INFORMATION\fR
723 In addition to specifying the
725 field in dumptype definition, it might be required to specify
726 \fIclient_username\fR
729 fields\&. If the backup user name is different on the Amanda client, the user name is specified as
730 \fBclient_username\fR\&. If the location of the Amanda daemon
732 is different on the Amanda client, the location is specified as
738 define dumptype rsh_example {
741 client_username "amandabackup"
742 amandad_path "/usr/lib/exec/amandad"
746 .SH "SSH COMMUNICATION AND AUTHENTICATION"
748 For more detail, see http://wiki\&.zmanda\&.com/index\&.php/How_To:Set_up_transport_encryption_with_SSH\&.
750 Amanda client sends data to the server using SSH\&. SSH keys have to be set up so that Amanda server can communicate with its clients using SSH\&.
752 General information including compilation is given above (see \fBCOMPILATION AND GENERAL INFORMATION\fR above)\&.
754 SSH provides transport encryption and authentication\&. To set up an SSH authentication session, Amanda will run the equivalent of the following to start the backup process\&.
756 \fB /path/to/ssh \-l \fR\fB\fIuser_name\fR\fR\fB client\&.zmanda\&.com $libexecdir/amandad\fR
758 To use SSH, you need to set up SSH keys either by storing the passphrase in cleartext, using ssh\-agent, or using no passphrase at all\&. All of these options have security implications which should be carefully considered before adoption\&.
760 When you use a public key on the client to do data encryption (see http://wiki\&.zmanda\&.com/index\&.php/How_To:Set_up_data_encryption), you can lock away the private key in a secure place\&. Both, transport and storage will be encrypted with such a setup\&. See http://wiki\&.zmanda\&.com/index\&.php/Encryption for an overview of encryption options\&.
762 Enable SSH authentication and set the ssh_keys option in all DLEs for that host by adding the following to the DLE itself or to the corresponding dumptype in amanda\&.conf:
765 ssh_keys "/home/amandabackup/\&.ssh/id_rsa_amdump"
767 \fIssh_keys\fR is the path to the private key on the client\&. If the username to which Amanda should connect is different from the default, then you should also add
769 client_username "otherusername"
771 If your server \fBamandad\fR path and client \fBamandad\fR path are different, you should also add
773 amandad_path "/client/amandad/path"
775 For a marginal increase in security, prepend the keys used for AMANDA in the clients\' authorized_keys file with the following:
778 from="amanda_server\&.your\&.domain\&.com",no\-port\-forwarding,no\-X11\-forwarding,no\-agent\-forwarding,command="/absolute/path/to/amandad \-auth=ssh amdump"
781 This will limit that key to connect only from Amanda server and only be able to execute
784 In the same way, prepend the key used for AMANDA in the server\'s authorized_keys file with:
787 from="amanda_client\&.your\&.domain\&.com",no\-port\-forwarding,no\-X11\-forwarding,no\-agent\-forwarding,command="/absolute/path/to/amandad \-auth=ssh amindexd amidxtaped"
790 You can omit the from=\&.\&. option if you have too many clients to list, although this has obvious security implications\&.
792 Set ssh_keys and any other necessary options in /etc/amanda/amanda_client\&.conf:
796 ssh_keys "/root/\&.ssh/id_rsa_amrecover"
797 client_username "amanda"
798 amandad_path "/server/amandad/path"
801 Besides user keys, SSH uses host keys to uniquely identify each host, to prevent one host from impersonating another\&. Unfortunately, the only easy way to set up these host keys is to make a connection and tell SSH that you trust the identity:
804 $ ssh client1\&.zmanda\&.com
805 The authenticity of host \'client1\&.zmanda\&.com (192\&.168\&.10\&.1)\' can\'t be established\&.
806 RSA key fingerprint is 26:4e:df:a2:be:c8:cb:20:1c:68:8b:cc:c0:3b:8e:9d\&.
807 Are you sure you want to continue connecting (yes/no)?yes
810 As Amanda will not answer this question itself, you must manually make every connection (server to client and client to server) that you expect Amanda to make\&. Note that you must use the same username that Amanda will use (that is, ssh client and ssh client\&.domain\&.com are distinct)\&.
814 \fBamanda.conf\fR(5),
815 \fBamanda-client.conf\fR(5),
819 : http://wiki.zmanda.com
822 \fBJean\-Louis Martineau\fR <\&martineau@zmanda\&.com\&>
824 Zmanda, Inc\&. (\FChttp://www\&.zmanda\&.com\F[])
827 \fBDustin J\&. Mitchell\fR <\&dustin@zmanda\&.com\&>
829 Zmanda, Inc\&. (\FChttp://www\&.zmanda\&.com\F[])
832 \fBPaul Yeatman\fR <\&pyeatman@zmanda\&.com\&>
834 Zmanda, Inc\&. (\FChttp://www\&.zmanda\&.com\F[])