Amanda-Users

RE: amanda over ssh

2006-09-20 15:31:18
Subject: RE: amanda over ssh
From: "Lee, Raymond" <Raymond.Lee AT qwest DOT com>
To: "Steve Newcomb" <srn AT coolheads DOT com>, <amanda-users AT amanda DOT org>
Date: Wed, 20 Sep 2006 13:45:15 -0500
Steve,

I had to go through this a few times to get it right myself.  The
howto-auth.txt was correct, but I thought some of it was a little
confusing regarding what goes where on the server and what goes where on
the client.  Here's what I did (change the /path/to/amanda/home,
/usr/local/libexec/amandad, /path/to/config/dir, user names, and
hostnames to match your environment):

ON THE AMANDA SERVER:
1. As the amanda user: ssh-keygen -t rsa -N "" -f /path/to/amanda/home/.ssh/id_rsa_amdump
2. Add the following to /path/to/config/dir/amanda.conf (I added it to
the "global" dumptype)
        auth "ssh"
        ssh_keys "/path/to/amanda/home/.ssh/id_rsa_amdump"
3. As the amanda user, ssh amanda@client.fqdn.com to add the host key to
/path/to/amanda/home/.ssh/known_hosts
(This part was key for me since I configured amanda --with-fqdn=yes.  I
had the client's hostname without the fqdn in my known_hosts before
this, and amcheck was failing.)


ON THE AMANDA CLIENT:
1. As root: ssh-keygen -t rsa -N "" -f /.ssh/id_rsa_amrecover
2. Append /.ssh/id_rsa_amrecover.pub from the Amanda client to
/path/to/amanda/home/.ssh/authorized_keys on the Amanda server and
prepend each line with:

from="client.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped"
3. Append /path/to/amanda/home/.ssh/id_rsa_amdump.pub from the Amanda
server to /path/to/amanda/home/.ssh/authorized_keys on the Amanda client
and prepend each line with:

from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump"
4. Add this to /path/to/config/dir/amanda-client.conf on the client
        auth "ssh"
        ssh_keys "/.ssh/id_rsa_amrecover"
5. As root on the client, ssh root@amanda_server.fqdn.com to add the
host key to /.ssh/known_hosts


Here's what your directories and files should look like (be careful of
the linebreaks that your email program might add):


SERVER:
(amanda@amanda_server)$ ls /path/to/amanda/home/.ssh
authorized_keys    id_rsa_amdump      id_rsa_amdump.pub  known_hosts

(amanda@amanda_server)$ cat /path/to/amanda/home/.ssh/authorized_keys
#
# Amanda server's amdump ssh key from ~amanda/.ssh/id_rsa_amdump.pub
#
from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB amanda@amanda_server
#
# Amanda clients' amrecover ssh keys from /.ssh/id_rsa_amrecover.pub
#
from="client1.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB root@client1
from="client2.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB root@client2

(amanda@amanda_server)$ cat /path/to/amanda/home/.ssh/known_hosts
amanda_server.fqdn.com,10.1.2.3 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
amanda_client.fqdn.com,10.4.5.6 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH



CLIENT:
(root@amanda_client)$ ls /.ssh
id_rsa_amrecover    id_rsa_amrecover.pub     known_hosts

(root@amanda_client)$ cat known_hosts
amanda_server.fqdn.com,10.1.2.3 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH

(root@amanda_client)$ ls /path/to/amanda/home/.ssh
authorized_keys

(root@amanda_client)$ cat /path/to/amanda/home/.ssh/authorized_keys
from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH amanda@amanda_server



Hope this helps.

Ray
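
An added example (not from Ray's post or from the Amanda project) that turns the key-restriction steps above into a small POSIX shell helper: one function builds the from=/no-forwarding/forced-command authorized_keys entry for a given public key, and a second audits an existing authorized_keys file for entries that lack those restrictions, which is the thing most likely to go wrong when hand-editing the file through an email client that wraps lines. The amandad path /usr/local/libexec/amandad, the host names and the key material are placeholders; the sample authorized_keys file the demo writes is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Amanda project.
# Builds the forced-command authorized_keys entries the post describes
# and audits a file for entries that lack those restrictions.
# /usr/local/libexec/amandad is the assumed install path used in the post.

AMANDAD="/usr/local/libexec/amandad"

# amanda_authkey_line FQDN "SERVICES" "PUBKEY LINE"
# Prints one authorized_keys line: source-host restriction, no port/X11/agent
# forwarding, and a forced command so the key can only run amandad for the
# listed services (e.g. "amdump" on a client, "amindexd amidxtaped" on the server).
amanda_authkey_line() {
    fqdn=$1; services=$2; pub=$3
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="%s -auth=ssh %s" %s\n' \
        "$fqdn" "$AMANDAD" "$services" "$pub"
}

# amanda_authkeys_audit FILE
# Prints every non-comment line that is missing the from= restriction, any of
# the three no-*-forwarding options, or the amandad forced command.
# Returns 1 if at least one such line exists, 0 if the file is clean.
amanda_authkeys_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !/^from="[^"]+",/ ||
        !/no-port-forwarding/ || !/no-X11-forwarding/ || !/no-agent-forwarding/ ||
        !/command="[^"]*amandad -auth=ssh / { print "UNRESTRICTED: " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Demo on a constructed authorized_keys file (placeholder key material).
demo_file=$(mktemp)
{
    echo '# Amanda server amdump key (constructed sample)'
    amanda_authkey_line amanda_server.fqdn.com amdump \
        'ssh-rsa AAAAEXAMPLEKEY1 amanda@amanda_server'
    echo '# client1 amrecover key (constructed sample)'
    amanda_authkey_line client1.fqdn.com 'amindexd amidxtaped' \
        'ssh-rsa AAAAEXAMPLEKEY2 root@client1'
    # A bare key with no restrictions: this is what the audit should catch.
    echo 'ssh-rsa AAAAEXAMPLEKEY3 root@client2'
} > "$demo_file"

if amanda_authkeys_audit "$demo_file"; then
    echo "audit: all entries restricted"
else
    echo "audit: unrestricted entries found in $demo_file"
fi
rm -f "$demo_file"
```

Appending the output of amanda_authkey_line with a shell redirection, rather than pasting it from a mail message, avoids the wrapped-line problem the post warns about; running the audit afterwards (and periodically on both the server's and each client's ~amanda/.ssh/authorized_keys) confirms that no key can reach a shell or a different service than the one it was issued for.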


-----Original Message-----
From: owner-amanda-users AT amanda DOT org
[mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Steve Newcomb
Sent: Wednesday, September 20, 2006 12:23 PM
To: amanda-users AT amanda DOT org
Subject: amanda over ssh


We've been using Amanda continuously since 1999.  Amanda has minimized
our backup effort and headaches and it has saved us from serious data
losses on several occasions.  Brava!

I was delighted to see that 2.5.1 now supports ssh, and if I could
just get it to work, it would be a godsend to us.  I have done
everything that docs/howto-auth.txt specifies for the use of SSH.
Unfortunately, the best result I can get from amcheck is:

  Amanda Backup Client Hosts Check
  --------------------------------
  WARNING: manche.coolheads.com: selfcheck request failed: EOF on read from manche.coolheads.com
  Client check: 1 host checked in 0.299 seconds, 1 problem found

  (brought to you by Amanda 2.5.1)

So I think I'm connecting to the client OK, because it responds
promptly.  And, if I delete the 

      auth "ssh"

line from my dumptype, the response, after a 30-second delay, is:

  Amanda Backup Client Hosts Check
  --------------------------------
  WARNING: manche.coolheads.com: selfcheck request failed: timeout waiting for ACK
  Client check: 1 host checked in 30.010 seconds, 1 problem found

  (brought to you by Amanda 2.5.1)

So I think the ssh is probably working OK.  When using amdump, the
dumps and reports from clients to servers are supposed to go through
the same ssh connection that the server establishes to the client,
right?  If not, how is it supposed to work?  The reason I need to use
ssh is that it's the ONLY way I can get to one of the machines.  (The
way I have been backing it up is with a lot of attention and effort,
using tar.  Yuck.)

Client and server are both running Linux 2.6.16-2-686.

I configured/compiled Amanda on both the server and the client with the
following options:

./configure --prefix=/usr/amanda --sysconfdir=/etc --localstatedir=/var/amanda --with-user=amanda --with-group=disk --with-ssh-security

Anybody have a clue?  Anything I should try?

-- Steve

Steven R. Newcomb, Consultant
Coolheads Consulting

Co-editor, Topic Maps International Standard (ISO/IEC 13250)
Co-editor, draft Topic Maps -- Reference Model (ISO/IEC 13250-5)

srn AT coolheads DOT com
http://www.coolheads.com

direct: +1 540 951 9773
main:   +1 540 951 9774
fax:    +1 540 951 9775

208 Highview Drive
Blacksburg, Virginia 24060 USA


(Confidential to all US government personnel to whom this private
letter is not addressed and who are reading it in the absence of a
specific search warrant: You are violating the law and you are
co-conspiring to subvert the Constitution that you are sworn to
defend.  You can either refuse to commit this crime, or you can expect
to suffer criminal sanctions in the future, when the current
administration of the United States of America has been replaced by
one that respects the rule of law.  I do not envy you for having to
make this difficult choice, but I urge you to make it wisely.)




