X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=man%2Fxml-source%2Famanda-auth.7.xml;h=44b8730d37301efdfc7ff0ed0737c539f20a7b89;hb=b116e9366c7b2ea2c2eb53b0a13df4090e176235;hp=0fb1715b7ce3ed5da3a4a256785d1dd14679e0e8;hpb=2627875b7d18858bc1f9f7652811e4d8c15a23eb;p=debian%2Famanda
diff --git a/man/xml-source/amanda-auth.7.xml b/man/xml-source/amanda-auth.7.xml
index 0fb1715..44b8730 100644
--- a/man/xml-source/amanda-auth.7.xml
+++ b/man/xml-source/amanda-auth.7.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
[
-
+
%global_entities;
]>
@@ -18,7 +18,7 @@
amanda-auth
- Communication/Authentication methods between &A; server and client
+ Communication/Authentication methods between Amanda server and client
&author.jlm;
@@ -29,15 +29,15 @@
DESCRIPTION
- &A; offers 7 methods of communication between Amanda server (sometimes also called the tape server) and clients, each with its own authentication method. The desired communication method is specified by the auth parameter in the amanda.conf file (&amconf;) commonly as a dumptype. Valid values to the auth parameter are bsd, bsdudp, bsdtcp, krb4, krb5, local, rsh, and ssh. Please note that krb4 will be removed in the next release. The authentication and communication method is used during the backup process &amdump; (amdump(8)) as well as the recovery process &amrecover; (amrecover(8)). For detailed information, please see http://wiki.zmanda.com/index.php/Server/Client_authentication.
+Amanda offers 7 methods of communication between Amanda server (sometimes also called the tape server) and clients, each with its own authentication method. The desired communication method is specified by the auth parameter in the amanda.conf file (&amconf;) commonly as a dumptype. Valid values to the auth parameter are bsd, bsdudp, bsdtcp, krb5, local, rsh, and ssh. The authentication and communication method is used during the backup process &amdump; (amdump(8)) as well as the recovery process &amrecover; (amrecover(8)).COMPILATION AND GENERAL INFORMATIONThe communication method and thus type of authentication that will be used by the Amanda server is specified by the auth parameter in the dumptype for each disklist entry (DLE). The auth parameter thus may be easily and globally specified in the "global" dumptype. If auth is not specified, the bsd communication method is used. See &amconf; for more information on Amanda configuration and dumptypes, and &disklist; for more information on disklists.
-On the client side, the Amanda daemon &amandad; validates the connection depending on the value of the auth argument passed to it (see &A;(8)). Also, when it comes to recovery, the auth parameter can be specified in the &amclientconf; file to specify the communication method to be used by the client to the server.
+On the client side, the Amanda daemon &amandad; validates the connection depending on the value of the auth argument passed to it (see Amanda(8)). Also, when it comes to recovery, the auth parameter can be specified in the &amclientconf; file to specify the communication method to be used by the client to the server.
- When &A; is being built from source code, desired communication and thus authentication methods (shown as "Authentication") must be specified as configure options at compilation time.
+ When Amanda is being built from source code, desired communication and thus authentication methods (shown as "Authentication") must be specified as configure options at compilation time.
Authentication Configure option(s)
bsd --with-bsd-security --with-amandahosts (pre-2.6)
@@ -71,23 +71,57 @@ Authentication Configure option(s)
--with-client-instance=ARG client host instance [HOSTNAME_INSTANCE]
--with-client-keyfile=ARG client host key file [KEYFILE]
--with-ticket-lifetime=ARG ticket lifetime [128]
- --with-krb4-security=DIR where libkrb.a lives [see below]
--with-krb5-security=DIR where libkrb.a lives [see below]
-If configuring with --with-krb4-security and/or --with-krb5-security, the configure script will search under /usr/kerberos/lib, /usr/cygnus/lib, /usr/lib, and /opt/kerberos/lib for the kerberos bits, libkrb.a, in this order. Kerberos support will not be added if it does not find them. If the kerberos bits are found under some other hierarchy, you can specify this via --with-krb5-security=DIR and/or --with-krb4-security=DIR, where DIR is where the kerberos bits live. The configure script will then look in the 'lib' directory under this hierarchy for libkrb.a.
+If configuring with --with-krb5-security, the configure script will search under /usr/kerberos/lib, /usr/cygnus/lib, /usr/lib, and /opt/kerberos/lib for the kerberos bits, libkrb.a, in this order. Kerberos support will not be added if it does not find them. If the kerberos bits are found under some other hierarchy, you can specify this via --with-krb5-security=DIR where DIR is where the kerberos bits live. The configure script will then look in the 'lib' directory under this hierarchy for libkrb.a.The auth parameter selects a communication/authentication method to use between the client and the backup server. These methods are described each in their own section below.
+
+Usernames
+
+When Amanda is built, a username is specified with the
+ option. Most Amanda processes run under
+this user's identity, to minimize security risks. In binary
+distributions, this username is usually one of 'amanda',
+'amandabackup', or 'backup'. The examples below use 'amandabackup'
+since it is unambiguous. You may need to adjust accordingly for your
+system.
+
+
+
+Authenticated Peer Hostnames
+
+Amanda's authentication mechanisms provide an authenticated hostname of
+the system on the other end of the connection, which is used to restrict
+access to only particular hosts. The degree of "authentication" performed
+on this hostname varies with the authentication mechanism, and is discussed
+below.
+
+
+
BSD, BSDUDP, AND BSDTCP COMMUNICATION AND AUTHENTICATION
-For more detail, see http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication.
+For additional information including example configurations, see http://wiki.zmanda.com/index.php/Configuring_bsd/bsdudp/bsdtcp_authentication.The bsd, bsdudp, and bsdtcp communication methods use either UDP, TCP, or both protocols operating as a network service to authenticate and exchange data between server and clients.
- In addition to compilation and general configuration (see COMPILATION AND GENERAL INFORMATION above), the authentication method that the client is configured to receive is specified by the auth parameter in the network service configuration for &A;. The authentication method used by an Amanda client to reach the server during recovery is the authentication method specified by the auth parameter in the client's Amanda network service configuration or in its amanda-client.conf file (see amanda-client.conf(5)).
-
+ The authentication proceeds as follows: for a new, incoming connection,
+ Amanda verifies that the source port is in the reserved range (less than
+ 1024), which for UNIX hosts suggests that the remote user has root
+ privileges. Amanda then verifies that the reverse DNS for the remote
+ address matches the forward DNS; that is, that the address maps to a
+ hostname which maps back to the same address. Finally, the remote system
+ must provide a username that matches the username in .amandahosts.
+
+ In addition to compilation and general configuration (see COMPILATION AND GENERAL INFORMATION above), the authentication method that the client is configured to receive is specified by the auth parameter in the network service configuration for Amanda. The authentication method used by an Amanda client to reach the server during recovery is the authentication method specified by the auth parameter in the client's Amanda network service configuration or in its amanda-client.conf file (see amanda-client.conf(5)).
+
+ By default, Amanda use the "amanda" service name and associated port set in /etc/services. It can be changed by setting the dumptype client-port option to a different port number or a different service name.
+ All examples are for the service name "amanda" that uses the default port 10080.
+
+
.amandahosts file Servers and clients using the bsd, bsdudp, and bsdtcp authentication methods refer to the .amandahosts file to control access. Amanda should be compiled for this access control if one of these methods will be used and is the default compilation option for Amanda 2.6 (use --with-amandahosts when compiling pre-2.6 versions of Amanda).
@@ -111,7 +145,9 @@ configuration file.
amindexd, and
amidxtaped. The last two services are required on a server for clients to connect to it using amrecover.
- Example of the .amandahosts file on an Amanda client
+If service is omitted, it defaults to noop selfcheck sendsize sendbackup (which is equivalent to amdump).
+
+ Example of the .amandahosts file on an Amanda client, where 'amandabackup' is the Amanda dumpuser.
amandaserver.example.com amandabackup amdump
@@ -155,14 +191,14 @@ configuration file.Client example of using bsdtcp authorization for inetd server given Amanda user is "amandabackup":
- amanda stream tcp nowait amanda /path/to/amandad amandad -auth=bsdtcp amdump
+ amanda stream tcp nowait amandabackup /path/to/amandad amandad -auth=bsdtcp amdumpamindexd and amidxtaped would typically be added at the end of the line as &amandad; server arguments for an Amanda server.Server example of using bsdtcp authorization for inetd server given Amanda user is "amandabackup":
- amanda stream tcp nowait amanda /path/to/amandad amandad -auth=bsdtcp amdump amindexd amidxtaped
+ amanda stream tcp nowait amandabackup /path/to/amandad amandad -auth=bsdtcp amdump amindexd amidxtapedFor Amanda version 2.5.0 and earlier, remember that neither bsdudp nor bsdtcp are supported and the Amanda daemon &amandad; accepts no arguments. Because of the latter, &amrecover; as of Amanda version 2.5.1 is not compatible with 2.5.0 and earlier servers. Thus, servers that are 2.5.0 or earlier must, in addition to the amanda service, run amindexd and amidxtaped Amanda services as their own network services, amandaidx and amidxtape, respectively (see below).
@@ -172,8 +208,8 @@ configuration file.Example of amindexd and amidxtaped Amanda daemon services configured as their own network services for a 2.5.0 or earlier server or a newer server having 2.5.0 or earlier clients
- amandaidx stream tcp nowait amanda /usr/local/libexec/amanda/current/amindexd amindexd
- amidxtape stream tcp nowait amanda /usr/local/libexec/amanda/current/amidxtaped amidxtaped
+ amandaidx stream tcp nowait amandabackup /usr/local/libexec/amanda/current/amindexd amindexd
+ amidxtape stream tcp nowait amandabackup /usr/local/libexec/amanda/current/amidxtaped amidxtaped
@@ -289,53 +325,30 @@ bsdtcp tcp 1 RPpAP [--with-low-tcpportrange] 10080
Amanda server also uses two ports (dumper process) to communicate with the chunker/taper processes. These ports are in the range set by --with-tcpportrange.You can override the default port ranges that Amanda was compiled with in each configuration using the reserved-udp-port, reserved-tcp-port, and unreserved-tcp-port parameters in amanda.conf and amanda-client.conf configuration files (see &amconf; and &amclientconf;).
-
-
-KERBEROS COMMUNICATION AND AUTHENTICATION
-For more detail, see http://wiki.zmanda.com/index.php/Kerberos_authentication.
-
-Amanda supports Kerberos 4 and 5 communication methods between Amanda server and client. Please note, however, that support for Kerberos 4 will be removed in the next release.
-
-General information including compilation are given above (see COMPILATION AND GENERAL INFORMATION above). Below sections give specific Kerberos 4 and 5 information.
-
-KERBEROS v4
-Please note that support for Kerberos 4 will be removed in the next release.
-Kerberos 4 uses UDP protocol and the number of DLEs is limited by UDP packet size.
+Authenticated Peer Hostnames with BSD Authentications
-The kerberized AMANDA service uses a different port on the client hosts. The /etc/services line is:
-
- kamanda 10081/udp
+The BSD authentication mechanisms only verify that the remote
+host's DNS is configured correctly and that the remote user has access to
+reserved ports. As such, the peer hostname should only be trusted to the
+extent that the local DNS service is trusted.
-And the /etc/inetd.conf line is:
+
-
- kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -auth=krb4
-
-
+
-Note that you're running this as root, rather than as your dump user. AMANDA will set its uid down to the dump user at times it doesn't need to read the srvtab file, and give up root permissions entirely before it goes off and runs dump. Alternately you can change your srvtab files to be readable by user amanda.
+KERBEROS COMMUNICATION AND AUTHENTICATION
+For more detail, see http://wiki.zmanda.com/index.php/Kerberos_authentication.
-The following dumptype options apply to krb4:
+Amanda supports Kerberos 5 communication methods between Amanda server and client.
-
-auth "krb4" # use krb4 auth for this host
- # (you can mingle krb hosts and bsd .rhosts in one conf)
-kencrypt # encrypt this filesystem over the net using the krb4
- # session key. About 2x slower. Good for those root
- # partitions containing your keyfiles. Don't want to
- # give away the keys to an ethernet sniffer!
- # This is currently always enabled. There is no
- # way to disable it. This is a bug.
-
-
-
+General information including compilation are given above (see COMPILATION AND GENERAL INFORMATION above).
-KERBEROS v5Kerberos 5 uses TCP and the server uses only one TCP port and data streams are multiplexed to this port.
The krb5 driver script defaults to:
+
/*
* The lifetime of our tickets in minutes.
*/
@@ -345,12 +358,15 @@ The krb5 driver script defaults to:
* The name of the service in /etc/services.
*/
#define AMANDA_KRB5_SERVICE_NAME "k5amanda"
+
You can currently only override these by editing the source code.
The kerberized AMANDA service uses a different port on the client hosts. The /etc/services line is:
+
k5amanda 10082/tcp
+And the /etc/inetd.conf line is:
@@ -418,12 +434,25 @@ The kerberized AMANDA service uses a different port on the client hosts. The /et
Rather than using a .k5amandahosts or .k5login file, the easiest way is to use a principal named after the destination user, (such as amanda@TEST.COM in our example) and not have either a .k5amandahosts or .k5login file in the destination user's home directory.There is no attempt to verify the realm in this case (only a concern if you have cross-realm authentication setup).
+
+Authenticated Peer Hostnames with Kerberos Authentication
+
+When accepting a new incoming connection, the Kerberos authentication
+mechanism performs a similar check to that done by the BSD authentications:
+the forward and reverse DNS entries for the remote host must match. As
+such, while Kerberos authentication can cryptographically ensure that the
+remote system is recognized (since it has a ticket), its assurances about
+the remote host's identity are weaker and depend on the integrity of the
+DNS.
+
+
LOCAL COMMUNICATIONThe Amanda server communicates with the client internally versus over the network, ie. the client is also the server.This is the only method that requires no authentication as it is clearly not needed.
+The authenticated peer hostname for this authentication is always "localhost".RSH COMMUNICATION AND AUTHENTICATION
@@ -437,19 +466,26 @@ For more detail, see http://wiki.zmanda.com/index.php/Configuring_rsh_authentica
General information including compilation is given above (see COMPILATION AND GENERAL INFORMATION above).
-In addition to specifying the auth field in dumptype definition, it might be required to specify client_username and &amandad; fields. If the backup user name is different on the Amanda client, the user name is specified as client_username. If the location of the Amanda daemon &amandad; is different on the Amanda client, the location is specified as amandad_path field value.
+In addition to specifying the auth field in dumptype definition, it might be required to specify client-username and &amandad; fields. If the backup user name is different on the Amanda client, the user name is specified as client-username. If the location of the Amanda daemon &amandad; is different on the Amanda client, the location is specified as amandad-path field value.
For example:
define dumptype rsh_example {
...
auth "rsh"
- client_username "amandabackup"
- amandad_path "/usr/lib/exec/amandad"
+ client-username "amandabackup"
+ amandad-path "/usr/lib/exec/amandad"
...
}
+
+Authenticated Peer Hostnames with RSH Authentication
+
+The RSH authentication mechanism does not provide an authenticated peer hostname.
+
+
+
SSH COMMUNICATION AND AUTHENTICATION
@@ -467,18 +503,18 @@ To use SSH, you need to set up SSH keys either by storing the passphrase in clea
When you use a public key on the client to do data encryption (see http://wiki.zmanda.com/index.php/How_To:Set_up_data_encryption), you can lock away the private key in a secure place. Both, transport and storage will be encrypted with such a setup. See http://wiki.zmanda.com/index.php/Encryption for an overview of encryption options.
-Enable SSH authentication and set the ssh_keys option in all DLEs for that host by adding the following to the DLE itself or to the corresponding dumptype in amanda.conf:
+Enable SSH authentication and set the ssh-keys option in all DLEs for that host by adding the following to the DLE itself or to the corresponding dumptype in amanda.conf:
auth "ssh"
- ssh_keys "/home/amandabackup/.ssh/id_rsa_amdump"
+ ssh-keys "/home/amandabackup/.ssh/id_rsa_amdump"
-ssh_keys is the path to the private key on the client. If the username to which Amanda should connect is different from the default, then you should also add
+ssh-keys is the path to the private key on the client. If the username to which Amanda should connect is different from the default, then you should also add
- client_username "otherusername"
+ client-username "otherusername"
If your server &amandad; path and client &amandad; path are different, you should also add
- amandad_path "/client/amandad/path"
+ amandad-path "/client/amandad/path"
For a marginal increase in security, prepend the keys used for AMANDA in the clients' authorized_keys file with the following:
@@ -498,13 +534,13 @@ If your server &amandad; path and client &amandad; path are different, you shoul
You can omit the from=.. option if you have too many clients to list, although this has obvious security implications.
-Set ssh_keys and any other necessary options in /etc/amanda/amanda_client.conf:
+Set ssh-keys and any other necessary options in /etc/amanda/amanda_client.conf:
auth "ssh"
- ssh_keys "/root/.ssh/id_rsa_amrecover"
- client_username "amanda"
- amandad_path "/server/amandad/path"
+ ssh-keys "/root/.ssh/id_rsa_amrecover"
+ client-username "amanda"
+ amandad-path "/server/amandad/path"
@@ -519,17 +555,30 @@ If your server &amandad; path and client &amandad; path are different, you shoul
As Amanda will not answer this question itself, you must manually make every connection (server to client and client to server) that you expect Amanda to make. Note that you must use the same username that Amanda will use (that is, ssh client and ssh client.domain.com are distinct).
-
-SEE ALSO
-
-&amconf;,
-&amclientconf;,
-&disklist;,
-&amdump;(8),
-&amrecover;(8)
-
-
+Authenticated Peer Hostnames with SSH Authentication
+
+When accepting an incoming conneciton, the SSH daemon gives Amanda
+information about the remote system in the $SSH_CONNECTION environment
+variable. Amanda parses this information to determine the remote
+address, and then performs a similar check to that done by the BSD
+authentications: the forward and reverse DNS entries for the remote
+host must match. As such, while SSH authentication can
+cryptographically ensure that the remote system is recognized (since it
+had a recognized secret key), its assurances about the remote host's
+identity are weaker and depend on the integrity of the DNS.
+
+
+
+
+
+
+
+
+
+
+
+