Steve,
I had to go through this a few times to get it right myself. The
howto-auth.txt was correct, but I thought some of it was a little
confusing regarding what goes where on the server and what goes where on
the client. Here's what I did (change the /path/to/amanda/home,
/usr/local/libexec/amandad, /path/to/config/dir, user names, and
hostnames to match your environment):
ON THE AMANDA SERVER:
1. As the amanda user: ssh-keygen -t rsa -N "" -f /path/to/amanda/home/.ssh/id_rsa_amdump
2. Add the following to /path/to/config/dir/amanda.conf (I added it to
the "global" dumptype)
auth "ssh"
ssh_keys "/path/to/amanda/home/.ssh/id_rsa_amdump"
3. As the amanda user, ssh amanda@client.fqdn.com to add the host key to /path/to/amanda/home/.ssh/known_hosts
(This part was key for me since I configured amanda --with-fqdn=yes. I
had the client's hostname without the fqdn in my known_hosts before
this, and amcheck was failing.)
ON THE AMANDA CLIENT:
1. As root: ssh-keygen -t rsa -N "" -f /.ssh/id_rsa_amrecover
2. Append /.ssh/id_rsa_amrecover.pub from the Amanda client to
/path/to/amanda/home/.ssh/authorized_keys on the Amanda server and
prepend each line with:
from="client.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped"
3. Append /path/to/amanda/home/.ssh/id_rsa_amdump.pub from the Amanda
server to /path/to/amanda/home/.ssh/authorized_keys on the Amanda client
and prepend each line with:
from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump"
4. Add this to /path/to/config/dir/amanda-client.conf on the client
auth "ssh"
ssh_keys "/.ssh/id_rsa_amrecover"
5. As root on the client, ssh root@amanda_server.fqdn.com to add the
host key to /.ssh/known_hosts
Here's what your directories and files should look like (be careful of
the linebreaks that your email program might add):
SERVER:
(amanda@amanda_server)$ ls /path/to/amanda/home/.ssh
authorized_keys id_rsa_amdump id_rsa_amdump.pub known_hosts
(amanda@amanda_server)$ cat /path/to/amanda/home/.ssh/authorized_keys
#
# Amanda server's amdump ssh key from ~amanda/.ssh/id_rsa_amdump.pub
#
from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB amanda@amanda_server
#
# Amanda clients' amrecover ssh keys from /.ssh/id_rsa_amrecover.pub
#
from="client1.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB root@client1
from="client2.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB root@client2
(amanda@amanda_server)$ cat /path/to/amanda/home/.ssh/known_hosts
amanda_server.fqdn.com,10.1.2.3 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
amanda_client.fqdn.com,10.4.5.6 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
CLIENT:
(root@amanda_client)$ ls /.ssh
id_rsa_amrecover id_rsa_amrecover.pub known_hosts
(root@amanda_client)$ cat known_hosts
amanda_server.fqdn.com,10.1.2.3 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
(root@amanda_client)$ ls /path/to/amanda/home/.ssh
authorized_keys
(root@amanda_client)$ cat /path/to/amanda/home/.ssh/authorized_keys
from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH amanda@amanda_server
Hope this helps.
Ray
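Since the authorized_keys entries above are what keep each key pinned to one host and to amandad only, here is a small audit script to run against a pasted file before trusting it. It is an added example written for this thread, not Amanda's own tooling or Ray's code; the check_amanda_keys function and the AMANDAD variable are my names, and it assumes amandad lives at /usr/local/libexec/amandad and requires exactly the options used in the entries above.

```shell
#!/bin/sh
# Audit an Amanda authorized_keys file against the layout used above:
# every key line must be pinned to one source host (from=), have all
# forwarding disabled, and force amandad with -auth=ssh as the command.
# Hypothetical helper written for this reply; not part of Amanda.
AMANDAD=/usr/local/libexec/amandad   # adjust to your install

check_amanda_keys() {
    file=$1 rc=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;                        # blank lines and comments
            ssh-*|ecdsa-*)                              # key pasted with no options at all
                echo "$file:$lineno: key has no restrictions"; rc=1; continue ;;
        esac
        # The options field is everything before the key type. A line with
        # no key type at all is what a mail client's line wrap looks like.
        opts=${line%% ssh-*}
        if [ "$opts" = "$line" ]; then opts=${line%% ecdsa-*}; fi
        if [ "$opts" = "$line" ]; then
            echo "$file:$lineno: no key type found (wrapped or mangled line?)"
            rc=1
            continue
        fi
        for want in 'from="[^"]+"' no-port-forwarding no-X11-forwarding \
                    no-agent-forwarding "command=\"$AMANDAD -auth=ssh [^\"]*\""; do
            if ! printf '%s\n' "$opts" | grep -Eq -- "$want"; then
                echo "$file:$lineno: missing $want"
                rc=1
            fi
        done
    done < "$file"
    return $rc
}

# Constructed sample: one correct amdump entry, one key pasted without
# options, and one entry that a mail client wrapped mid-option.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Amanda server's amdump key
from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB amanda@amanda_server
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB root@client2
from="client1.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-fo
EOF
check_amanda_keys "$sample" && echo "all entries restricted" || echo "fix the lines above"
rm -f "$sample"
```

Run it on both the server's and each client's authorized_keys after pasting; a clean run prints nothing but "all entries restricted".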
-----Original Message-----
From: owner-amanda-users AT amanda DOT org
[mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Steve Newcomb
Sent: Wednesday, September 20, 2006 12:23 PM
To: amanda-users AT amanda DOT org
Subject: amanda over ssh
We've been using Amanda continuously since 1999. Amanda has minimized
our backup effort and headaches and it has saved us from serious data
losses on several occasions. Brava!
I was delighted to see that 2.5.1 now supports ssh, and if I could
just get it to work, it would be a godsend to us. I have done
everything that docs/howto-auth.txt specifies for the use of SSH.
Unfortunately, the best result I can get from amcheck is:
Amanda Backup Client Hosts Check
--------------------------------
WARNING: manche.coolheads.com: selfcheck request failed: EOF on read from manche.coolheads.com
Client check: 1 host checked in 0.299 seconds, 1 problem found
(brought to you by Amanda 2.5.1)
So I think I'm connecting to the client OK, because it responds
promptly. And, if I delete the
auth "ssh"
line from my dumptype, the response, after a 30-second delay, is:
Amanda Backup Client Hosts Check
--------------------------------
WARNING: manche.coolheads.com: selfcheck request failed: timeout waiting for ACK
Client check: 1 host checked in 30.010 seconds, 1 problem found
(brought to you by Amanda 2.5.1)
So I think the ssh is probably working OK. When using amdump, the
dumps and reports from clients to servers are supposed to go through
the same ssh connection that the server establishes to the client,
right? If not, how is it supposed to work? The reason I need to use
ssh is that it's the ONLY way I can get to one of the machines. (The
way I have been backing it up is with a lot of attention and effort,
using tar. Yuck.)
Client and server are both running Linux 2.6.16-2-686.
I configured/compiled Amanda on both the server and the client with the
following options:
./configure --prefix=/usr/amanda --sysconfdir=/etc --localstatedir=/var/amanda --with-user=amanda --with-group=disk --with-ssh-security
Anybody have a clue? Anything I should try?
-- Steve
Steven R. Newcomb, Consultant
Coolheads Consulting
Co-editor, Topic Maps International Standard (ISO/IEC 13250)
Co-editor, draft Topic Maps -- Reference Model (ISO/IEC 13250-5)
srn AT coolheads DOT com
http://www.coolheads.com
direct: +1 540 951 9773
main: +1 540 951 9774
fax: +1 540 951 9775
208 Highview Drive
Blacksburg, Virginia 24060 USA