Amanda-Users

Re: Amanda security +Kerberos

2005-02-20 16:34:37
Subject: Re: Amanda security +Kerberos
From: Greg Troxel <gdt AT ir.bbn DOT com>
To: "Gil Naveh" <gnaveh AT cleverex DOT com>
Date: 09 Feb 2005 12:25:18 -0500
I believe that the most recent amanda 2.4.4 releases have the kerberos
support integrated.  It is krb4 only.  You of course have to set up a
v4 KDC and create principals.  This is not well documented, and is
likely to be quite hard if you aren't already familiar with kerberos.
Basically, the server gets tickets from amanda.amanda@REALM from a
srvtab in /.amanda (it's the kerberos client), and the servers
validate those tickets against a srvtab for amanda.host@REALM from
/etc/srvtab.amanda, with acl checking in ~amanda/.klogin.

The wire protocol sends a ticket, and does a homebrew mutual auth
exchange by decrypting a timestamp, modifying it, and reencrypting
it.  It then uses the session key for the data.  This is all a bit
hackish from a crypto protocol standpoint.

The 2.5 branch supports some form of Kerberos 5, which is what you
should use instead.   But it isn't quite ready for production use, it seems.


I put KRB_OPTIONS on the configure line:

KRB_LOCATION="/usr"
KRB_KEYFILE="/etc/srvtab.amanda"
KRB_PRINCIPAL="amanda"
KRB_OPTIONS="\
--with-krb4-security=$KRB_LOCATION \
--with-client-principal=$KRB_PRINCIPAL \
--with-client-keyfile=$KRB_KEYFILE"


-- 
        Greg Troxel <gdt AT ir.bbn DOT com>
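
An added example, not part of the original message or of Amanda itself: a POSIX shell check that the key file and ACL file named above are not exposed to other local users. It assumes (this is not stated in the message) that both files are owned by the account Amanda runs as, that a srvtab should have no group/other access, and that .klogin should not be group/other writable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: permission audit for the krb4 files named in the message.
# Assumption: both files belong to the Amanda account passed as USER.

# perms FILE: print the 9 permission characters (symlinks are followed).
perms() { ls -ldL "$1" 2>/dev/null | cut -c2-10; }

# owner FILE: print the owning user name (or numeric uid) from ls.
owner() { ls -ldL "$1" 2>/dev/null | awk '{print $3}'; }

# keyfile_ok FILE USER: a srvtab holds a long-term key, so require a
# regular file owned by USER with no group or other access at all.
keyfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(owner "$1")" = "$2" ] || return 1
    case "$(perms "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# acl_ok FILE USER: .klogin lists who may connect, so require a regular
# file owned by USER that group and other cannot write.
acl_ok() {
    [ -f "$1" ] || return 1
    [ "$(owner "$1")" = "$2" ] || return 1
    case "$(perms "$1")" in
        ????-??-?) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit USER HOME: check the paths from the message; returns 1 on any
# finding. The /.amanda srvtab on the backup server can be checked with
# keyfile_ok in the same way.
audit() {
    rc=0
    keyfile_ok /etc/srvtab.amanda "$1" || { echo "FAIL /etc/srvtab.amanda"; rc=1; }
    acl_ok "$2/.klogin" "$1" || { echo "FAIL $2/.klogin"; rc=1; }
    return $rc
}

# Run only when called with arguments, e.g.: sh audit.sh amanda ~amanda
if [ "$#" -ge 2 ]; then audit "$1" "$2"; fi
```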
