-
-Chapter 17. How to use different auth with Amanda
-Prev Part III. HOWTOs Next
-
--------------------------------------------------------------------------------
-
-Chapter 17. How to use different auth with Amanda
-
-
-Jean-Louis Martineau
-
-Original text;XML-conversion;Updates
-AMANDA Core Team
-<martinea@iro.umontreal.ca>
-Table of Contents
-
-
- Introduction
-
- BSD
-
- BSDTCP
-
- BSDUDP
-
- KRB4
-
- KRB5
-
- RSH
-
- SSH
-
-
- For_amdump:
-
- For_amrecover:
-
-
-
-Note
-
-Refer to http://www.amanda.org/docs/howto-auth.html for the current version of
-this document.
-This document covers the use of the auth in Amanda 2.5.1 and higher.
-
-Introduction
-
-
- BSD
-
-You must configure amanda with --with-bsd-security and --with-amandahosts.
-The xinetd.d/amanda file on the client:
-
- service amanda
- {
- only_from = 127.0.0.1
- socket_type = dgram
- protocol = udp
- wait = yes
- user = amanda
- group = amanda
- groups = yes
- server = /path/to/amandad
- server_args = -auth=bsd amdump
- disable = no
- }
-
-The only_from line should list your tape server ip address.
-The ~amanda/.amandahosts file on the client:
-
- tapeserver.fqdn amanda amdump
-
-If you want to also enable amindexd and amidxtaped, you must change the
-server_args line in the xinetd.d/amanda file on the tape server:
-
- server_args = -auth=bsd amdump amindexd amidxtaped
-
-The only_from line should list all machine that can use amdump/amrecover. It's
-the .amandahosts that will limit which client can use amdump/amindexd/
-amidxtaped.
-The ~amanda/.amandahosts file on the tape server must have a line for each
-machi ne:
-
- clientmachine1 amanda amindexd amidxtaped
- clientmachine2 amanda amindexd amidxtaped
-
-
- BSDTCP
-
-Like bsd but you must configure amanda with --with-bsdtcp-security and --with-
-amandahosts and do 4 changes in the xinetd.d/amanda file:
-
- socket_type = stream
- protocol = tcp
- wait = no
- server_args = -auth=bsdtcp amdump
-
-
- BSDUDP
-
-Like bsd but you must configure amanda with --with-bsdudp-security and --with-
-amandahosts and do 1 change in the xinetd.d/amanda file:
-
- server_args = -auth=bsdudp amdump
-
-
- KRB4
-
-You must configure amanda with --with-krb4-security.
-
- KRB5
-
-You must configure amanda with --with-krb5-security.
-
- RSH
-
-You must configure amanda with --with-rsh-security.
-It's your system that should allow your server user to rsh to your client user.
-If your server username and client username are different, you must add the
-client_username option in all DLE for that host.
-
- client_username "client_username"
-
-If your server amandad path and client amandad path are different, you must set
-the amandad_path option in all DLE for that hosts.
-
- amandad_path "client/amandad/path"
-
-
- SSH
-
-You must configure amanda with --with-ssh-security.
-
- For amdump:
-
-You must create an ssh key for your server. In this example, the key is put in
-the id_rsa_amdump file:
-
- ssh-keygen -t rsa
- Enter file in which to save the key (/home/amanda/.ssh/id_rsa)? /home/
- amanda/.ssh/id_rsa_amdump
-
-You must set the ssh_keys option in all DLE for that host:
-
- ssh_keys "/home/amanda/.ssh/id_rsa_amdump"
-
-You mush append the /home/amanda/.ssh/id_rsa_amdump.pub file to the .ssh/
-authorized_keys file of all client host.
-For security reason, you must prepend the line with the following:
-
- from="tape_server_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-
- forwarding,command="/path/to/amandad -auth=ssh amdump"
-
-That will limit that key to connect only from your server and only be able to
-execute amandad.
-Like rsh if your server username and client username are different, you must
-add the client_username option in all DLE for that
-host:
-
- client_username "client_username"
-
-Like rsh, if your server amandad path and client amandad path are different,
-you must set the amandad_path option in all DLE for that hosts:
-
- amandad_path "client/amandad/path"
-
-
- For amrecover:
-
-You must create an ssh key for root on all clients that can use amrecover. In
-this example, the key is put in the /root/.ssh/id_ rsa_amrecover file:
-Log in as root:
-
- ssh-keygen -t rsa
- Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/
- id_rsa_amrecover
-
-You must set the ssh_keys option in the amanda_client.conf file
-
- ssh_keys "/root/.ssh/id_rsa_amrecover"
-
-You mush append all client /home/root/.ssh/id_rsa_amrecover.pub file to the /
-home/amanda/.ssh/authorized_keys of the server.
-For security reason, you must prefix all lines with the following:
-
- from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-
- forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"
-
-That will limit every client key to connect from the client and only be able to
-execute amandad.
--------------------------------------------------------------------------------
-
-Prev Up Next
-Chapter 16. How to do Amanda-server-side Home Part IV. Various Information
-gpg-encrypted backups.
-
projects / debian / amanda / blobdiff