I believe that the most recent amanda 2.4.4 releases have the kerberos
support integrated. It is krb4 only. You of course have to set up a
v4 KDC and create principals. This is not well documented, and is
likely to be quite hard if you aren't already familiar with kerberos.

Basically, the server gets tickets from amanda.amanda@REALM from a
srvtab in /.amanda (it's the kerberos client), and the servers
validate those tickets against a srvtab for amanda.host@REALM from
/etc/srvtab.amanda, with acl checking in ~amanda/.klogin.

The wire protocol sends a ticket, and does a homebrew mutual auth
exchange by decrypting a timestamp, modifying it, and reencrypting
it. It then uses the session key for the data. This is all a bit
hackish from a crypto protocol standpoint.

The 2.5 branch supports some form of Kerberos 5, which is what you
should use instead. But it isn't quite ready for production use, it seems.

I put KRB_OPTIONS on the configure line:
KRB_LOCATION="/usr"
KRB_KEYFILE="/etc/srvtab.amanda"
KRB_PRINCIPAL="amanda"
KRB_OPTIONS="\
--with-krb4-security=$KRB_LOCATION \
--with-client-principal=$KRB_PRINCIPAL \
--with-client-keyfile=$KRB_KEYFILE"
--
Greg Troxel <gdt AT ir.bbn DOT com>
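
The timestamp exchange described in the message above, sketched as an added example that is not part of the original post and is not Amanda's code. Assumptions: the "modification" is timestamp + 1, the cipher is an HMAC-SHA256 stand-in rather than krb4's DES, and all function names are hypothetical.

```python
import hashlib, hmac, os, struct

def _sub(key, label):                       # separate enc/MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):                 # HMAC-SHA256 counter keystream (stand-in)
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(session_key, plaintext):
    """Stand-in authenticated cipher (NOT krb4 DES): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _stream(_sub(session_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_sub(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(session_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong session key or altered message")
    ks = _stream(_sub(session_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def initiator_challenge(session_key, now):
    ts = int(now)
    return ts, seal(session_key, struct.pack(">Q", ts))

def responder_reply(session_key, challenge, now, max_skew=300):
    (ts,) = struct.unpack(">Q", unseal(session_key, challenge))
    if abs(int(now) - ts) > max_skew:        # reject stale (replayed) challenges
        raise ValueError("timestamp outside allowed skew")
    return seal(session_key, struct.pack(">Q", ts + 1))   # the "modify" step

def initiator_verify(session_key, sent_ts, reply):
    try:
        (got,) = struct.unpack(">Q", unseal(session_key, reply))
    except (ValueError, struct.error):
        return False
    return got == sent_ts + 1                # an echoed challenge decrypts to sent_ts

if __name__ == "__main__":
    key = os.urandom(32)                     # constructed session key
    ts, challenge = initiator_challenge(key, 1_000_000)
    reply = responder_reply(key, challenge, 1_000_010)
    print(initiator_verify(key, ts, reply), initiator_verify(key, ts, challenge))
```

The modified value is what proves the responder decrypted the challenge: a peer that merely echoes the ciphertext back fails the check, as does one holding a different session key.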