Chapter 26. Using Kerberos with AMANDA
-
AMANDA Core Team: original text
Stefan G. Weichinger <sgw@amanda.org>: XML conversion; updates
Table of Contents

AMANDA 2.5.0 - KERBEROS v4 SUPPORT NOTES
    Configuration
    Installation
    conf file
AMANDA 2.5.0 - KERBEROS v5 SUPPORT NOTES
    Building
    Installation
    conf file
    Destination Host Permissions file

-
Note

Refer to http://www.amanda.org/docs/kerberos.html for the current version of
this document.
-
AMANDA 2.5.0 - KERBEROS v4 SUPPORT NOTES

Configuration

The configure script defaults to:

    #define SERVER_HOST_PRINCIPLE "amanda"
    #define SERVER_HOST_INSTANCE ""
    #define SERVER_HOST_KEY_FILE "/.amanda"

    #define CLIENT_HOST_PRINCIPLE "rcmd"
    #define CLIENT_HOST_INSTANCE HOSTNAME_INSTANCE
    #define CLIENT_HOST_KEY_FILE KEYFILE

    #define TICKET_LIFETIME 128

You can override these with configure options if you so desire, with:

    --with-server-principal=ARG   server host principal [amanda]
    --with-server-instance=ARG    server host instance []
    --with-server-keyfile=ARG     server host key file [/.amanda]
    --with-client-principal=ARG   client host principal [rcmd]
    --with-client-instance=ARG    client host instance [HOSTNAME_INSTANCE]
    --with-client-keyfile=ARG     client host key file [KEYFILE]
    --with-ticket-lifetime=ARG    ticket lifetime [128]

-
The configure script will search under /usr/kerberos/lib, /usr/cygnus/lib,
/usr/lib, and /opt/kerberos/lib (in that order) for libkrb.a, the Kerberos
bits. If it finds them, Kerberos support will be added in; if it doesn't, it
won't. If the Kerberos bits are found under some other hierarchy, you can
specify this via --with-krb4-security=DIR, where DIR is where the Kerberos
bits live. It'll look under the 'lib' directory of this hierarchy for
libkrb.a.
-
Installation

The kerberized AMANDA service uses a different port on the client hosts. The
/etc/services line is:

    kamanda 10081/udp

And the /etc/inetd.conf line is:

    kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -auth=krb4

Note that you're running this as root, rather than as your dump user. AMANDA
will set its uid down to the dump user at times it doesn't need to read the
srvtab file, and give up root permissions entirely before it goes off and runs
dump. Alternately you can change your srvtab files to be readable by user
amanda.
-
conf file

The following dumptype options apply to krb4:

    auth "krb4"   # use krb4 auth for this host
                  # (you can mingle krb hosts & bsd .rhosts in one conf)
    kencrypt      # encrypt this filesystem over the net using the krb4
                  # session key. About 2x slower. Good for those root
                  # partitions containing your keyfiles. Don't want to
                  # give away the keys to an ethernet sniffer!
                  # This is currently always enabled. There is no
                  # way to disable it. This is a bug.

-
-
AMANDA 2.5.0 - KERBEROS v5 SUPPORT NOTES

Building

You must specify --with-krb5-security to configure, otherwise there will be no
attempt to look for Kerberos binaries. You may specify a path under which the
system should look for the Kerberos libraries, or leave it to the default.

By default, when --with-krb5-security is specified with no path, the configure
script will search under /usr/kerberos/lib, /usr/cygnus/lib, /usr/lib, and
/opt/kerberos/lib (in that order) for libkrb.a, the Kerberos bits. If it finds
them, Kerberos support will be added in; if it doesn't, it won't. If the
Kerberos bits are found under some other hierarchy, you can specify this via
--with-krb5-security=DIR, where DIR is where the Kerberos bits live. It'll look
under the 'lib' directory of this hierarchy for libkrb.a.

The krb5 driver script defaults to:

    /*
     * The lifetime of our tickets in minutes.
     */
    #define AMANDA_TKT_LIFETIME (12*60)

    /*
     * The name of the service in /etc/services.
     */
    #define AMANDA_KRB5_SERVICE_NAME "k5amanda"

You can currently only override these by editing the source.

The principal and keytab file that amanda uses are generally set in the
amanda.conf file (see below). You can hardcode these in the source if you
really want to; that is described in common-src/krb5-security.c.
-
Installation

The kerberized AMANDA service uses a different port on the client hosts. The
/etc/services line is:

    k5amanda 10082/tcp

And the /etc/inetd.conf line is:

    k5amanda stream tcp nowait root /usr/local/libexec/amanda/amandad amandad -auth=krb5

Note that you're running this as root, rather than as your dump user. AMANDA
will set its uid down to the dump user at times it doesn't need to read the
keytab file, and give up root permissions entirely before it goes off and runs
dump. Alternately you can change your keytab files to be readable by user
amanda. You should understand the security implications of this before changing
the permissions on the keytab.
-
conf file

The following dumptype options apply to krb5:

    auth "krb5"   # use krb5 auth for this host
                  # (you can mingle krb hosts & bsd .rhosts in one conf)

The following two configuration directives are required in the amanda.conf file
for kerberos 5 dumps to work:

    krb5keytab
    krb5principal

For example:

    krb5keytab "/etc/krb5.keytab-amanda"
    krb5principal "amanda/saidin.omniscient.com"

The principal in the second option must be contained in the keytab named by the
first. The keytab should be readable by the amanda user (and definitely not
world readable!). This is (obviously) on the server. In MIT's kadmin, the
following:

    addprinc -randkey amanda/saidin.omniscient.com
    ktadd -k /etc/krb5.keytab-amanda amanda/saidin.omniscient.com

will do the trick. You will obviously want to change the principal name to
reflect something appropriate for the conventions at your site.

You must also configure each client to allow the amanda principal in for dumps.
This is described in the Destination Host Permissions file section below.
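The three requirements above (both directives present, the principal contained in the keytab, the keytab not world readable) are easy to get wrong after a ktadd on a fresh server. The following pre-flight check is an added example written for this page, not AMANDA's own code. It assumes the caller feeds it the text output of MIT Kerberos' `klist -k <keytab>`; the amanda.conf fragment and klist listing embedded here are constructed samples so it runs without a KDC, and a chmod'ed temporary file stands in for the real keytab.

```python
"""Pre-flight check for the krb5keytab / krb5principal pair in amanda.conf.

Added illustration, not part of AMANDA.  It verifies the three points the
notes make: both directives are present, the principal named by
krb5principal is contained in the keytab, and the keytab is not world
readable.  Keytab contents are read from the text that `klist -k <keytab>`
(MIT Kerberos) prints, which the caller captures; the sample embedded here
is constructed so the module runs without a KDC or a real keytab.
"""
import os
import re
import stat
import tempfile

# Constructed amanda.conf fragment, using the values from the notes.
SAMPLE_CONF = '''
krb5keytab "/etc/krb5.keytab-amanda"
krb5principal "amanda/saidin.omniscient.com"
'''

# Constructed `klist -k /etc/krb5.keytab-amanda` output in MIT's format.
SAMPLE_KLIST = '''Keytab name: FILE:/etc/krb5.keytab-amanda
KVNO Principal
---- --------------------------------------------------------------------------
   2 amanda/saidin.omniscient.com@TEST.COM
'''

DIRECTIVE_RE = re.compile(r'^\s*(krb5keytab|krb5principal)\s+"([^"]*)"', re.M)
KLIST_ROW_RE = re.compile(r'^\s*\d+\s+(\S+)\s*$', re.M)   # "KVNO principal" rows


def parse_krb5_directives(conf_text):
    """Return {'krb5keytab': ..., 'krb5principal': ...}; both are mandatory."""
    found = dict(DIRECTIVE_RE.findall(conf_text))
    missing = {"krb5keytab", "krb5principal"} - set(found)
    if missing:
        raise ValueError("amanda.conf lacks: " + ", ".join(sorted(missing)))
    return found


def keytab_principals(klist_output):
    """Principal names listed by klist -k, with @REALM stripped so they compare
    against the realm-less form the notes use in krb5principal."""
    return {p.split("@", 1)[0] for p in KLIST_ROW_RE.findall(klist_output)}


def keytab_problems(path):
    """Permission findings for the keytab file (empty list means fine)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append(f"{path} is world readable (mode {mode:04o})")
    if mode & stat.S_IRGRP:
        problems.append(f"{path} is group readable (mode {mode:04o}); "
                        "confirm that group should see the key")
    return problems


def check(conf_text, klist_output, keytab_path=None):
    """All findings for one amanda.conf + keytab; keytab_path overrides the
    path in the conf so the check can be pointed at a copy or a test file."""
    directives = parse_krb5_directives(conf_text)
    wanted = directives["krb5principal"].split("@", 1)[0]
    problems = []
    if wanted not in keytab_principals(klist_output):
        problems.append(f'krb5principal "{directives["krb5principal"]}" '
                        f'is not in {directives["krb5keytab"]}')
    problems += keytab_problems(keytab_path or directives["krb5keytab"])
    return problems


def check_with_temp_keytab(mode, conf_text=SAMPLE_CONF, klist_output=SAMPLE_KLIST):
    """Run check() against an empty throw-away file chmod'ed to `mode`, which
    stands in for the keytab so the example is self-contained."""
    fd, path = tempfile.mkstemp(prefix="krb5.keytab-amanda.")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check(conf_text, klist_output, keytab_path=path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o600, 0o640, 0o644):
        print(f"mode {mode:04o}: {check_with_temp_keytab(mode) or 'OK'}")
    print(check_with_temp_keytab(0o600, conf_text=SAMPLE_CONF.replace(
        "saidin", "elsewhere")))
```

On a real server you would call check() with the actual amanda.conf text and the captured klist output and let it stat the path from krb5keytab; group-read is reported as a finding to review rather than a hard failure, since the notes only rule out world-readable keytabs.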
-
Destination Host Permissions file

There are several ways to go about authorizing a server to connect to a client.
The normal way is via a .k5amandahosts file or a .k5login file in the client
user's home directory. The determination of which file to use is based on the
way you ran configure on AMANDA. By default, AMANDA will use .k5amandahosts,
but if you configured with --without-amandahosts, AMANDA will use .k5login
(similar to the default for .rhosts/.amandahosts-style security). The .k5login
file syntax is a superset of the default krb5 .k5login. The routines to check
it are implemented in amanda rather than using krb5_kuserok because the
connections are actually gssapi based.

This .k5amandahosts/.k5login is a hybrid of the .amandahosts and a .k5login
file. You can just list principal names, as in a .k5login file, and the
principal will be permitted in from any host. If you do NOT specify a realm,
then there is no attempt to validate the realm (this is only really a concern
if you have cross-realm authentication set up with another realm or something
else that allows you multiple realms in your kdc). If you do specify a realm,
only that principal@realm will be permitted to connect.

You may prepend this with a hostname and whitespace, and only that principal
(with optional realm as above) will be permitted to access from that hostname.
Here are examples of valid entries in the .k5amandahosts:

    service/amanda
    service/amanda@TEST.COM
    dumpmaster.test.com service/amanda
    dumpmaster.test.com service/amanda@TEST.COM

Rather than using a .k5amandahosts or .k5login file, the easiest way is to use
a principal named after the destination user (such as amanda@TEST.COM in our
example) and not have either a .k5amandahosts or .k5login file in the
destination user's home directory.

Note

There is no attempt to verify the realm in this case (only a concern if you
have cross-realm authentication set up).
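To make the four entry forms and the no-file default concrete, here is a small model of the authorization decision, added for this page; it is not AMANDA's own check (which lives in C in common-src/krb5-security.c) but encodes the rules stated above, including the "realm not validated" behaviour of realm-less entries. The sample .k5amandahosts file is constructed, and two details the notes leave open are assumptions: blank lines are ignored and hostnames compare case-insensitively.

```python
"""Worked model of the .k5amandahosts / .k5login authorization rules.

This is an added illustration, not AMANDA's own code.  It encodes the rules
the notes give, so you can see which connections each kind of entry admits:

  * "principal"               any host, realm NOT checked
  * "principal@REALM"         any host, that realm only
  * "host principal"          that host only, realm NOT checked
  * "host principal@REALM"    that host only, that realm only
  * no file at all            the principal whose name equals the destination
                              user is admitted, realm NOT checked

Assumptions (not stated in the notes): blank lines are ignored, and hostnames
are compared case-insensitively.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    host: Optional[str]    # None means "any host"
    principal: str         # e.g. "service/amanda", without realm
    realm: Optional[str]   # None means "realm not validated"


def parse_k5amandahosts(text: str) -> List[Entry]:
    """Parse the contents of a .k5amandahosts file into Entry objects."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue                      # assumption: blank lines ignored
        if len(fields) == 1:
            host, spec = None, fields[0]
        elif len(fields) == 2:
            host, spec = fields[0].lower(), fields[1]
        else:
            raise ValueError(f"malformed entry: {raw!r}")
        principal, at, realm = spec.partition("@")
        entries.append(Entry(host, principal, realm if at else None))
    return entries


def split_principal(full: str) -> Tuple[str, str]:
    """'amanda/host@REALM' -> ('amanda/host', 'REALM').  The authenticated
    principal always carries its realm; that is what GSSAPI hands back."""
    name, at, realm = full.rpartition("@")
    if not at:
        raise ValueError(f"authenticated principal lacks a realm: {full!r}")
    return name, realm


def authorized(entries: Optional[List[Entry]], client_host: str,
               auth_principal: str, dest_user: str) -> bool:
    """Decide whether auth_principal, connecting from client_host, may dump
    as dest_user.  entries=None models 'no .k5amandahosts/.k5login present'."""
    name, realm = split_principal(auth_principal)
    if entries is None:
        # Default rule from the notes: a principal named after the destination
        # user is let in, and the realm is deliberately not verified.
        return name == dest_user
    for e in entries:
        if e.host is not None and e.host != client_host.lower():
            continue
        if e.principal != name:
            continue
        if e.realm is not None and e.realm != realm:
            continue
        return True
    return False


# Constructed sample file: one host- and realm-restricted entry, one bare one.
SAMPLE_K5AMANDAHOSTS = """\
dumpmaster.test.com service/amanda@TEST.COM
service/verify
"""


def demo_decisions() -> dict:
    """Run a few representative connection attempts against the sample file."""
    entries = parse_k5amandahosts(SAMPLE_K5AMANDAHOSTS)
    return {
        "right host, right realm": authorized(entries, "dumpmaster.test.com",
                                              "service/amanda@TEST.COM", "amanda"),
        "wrong host":              authorized(entries, "laptop.test.com",
                                              "service/amanda@TEST.COM", "amanda"),
        "wrong realm":             authorized(entries, "dumpmaster.test.com",
                                              "service/amanda@OTHER.COM", "amanda"),
        # bare entry: realm is never checked, so a same-named principal from
        # a trusted foreign realm gets in (the cross-realm caveat in the notes)
        "bare entry, other realm": authorized(entries, "anywhere.test.com",
                                              "service/verify@OTHER.COM", "amanda"),
        "no file, name matches":   authorized(None, "anywhere.test.com",
                                              "amanda@TEST.COM", "amanda"),
        "no file, name differs":   authorized(None, "anywhere.test.com",
                                              "service/amanda@TEST.COM", "amanda"),
    }


if __name__ == "__main__":
    for case, allowed in demo_decisions().items():
        print(f"{case:26s} -> {'ALLOW' if allowed else 'DENY'}")
```

The "bare entry, other realm" and "no file" cases are the ones to look at if your KDC has cross-realm trust: with no realm in the entry (or no file at all), any realm's principal of that name is admitted, so sites with cross-realm setups should write the realm into every entry.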