Amanda-Users

Re: amanda over ssh

2006-09-20 18:00:32
Subject: Re: amanda over ssh
From: Steve Newcomb <srn AT coolheads DOT com>
To: "Lee, Raymond" <Raymond.Lee AT qwest DOT com>
Date: 20 Sep 2006 17:38:13 -0400
Thanks for this helpful stuff, Lee.  

I don't think my problem is with ssh itself.  Everything you suggest
is consistent with what I have done, except I didn't bother with enabling
the client to log into the server.  Do I need to do that even if I don't
want the client to have access to amrecover, etc?

"Lee, Raymond" <Raymond.Lee AT qwest DOT com> writes:

> Steve,
> 
> I had to go through this a few times to get it right myself.  The
> howto-auth.txt was correct, but I thought some of it was a little
> confusing regarding what goes where on the server and what goes where on
> the client.  Here's what I did (change the /path/to/amanda/home,
> /usr/local/libexec/amandad, /path/to/config/dir, user names, and
> hostnames to match your environment):
> 
> ON THE AMANDA SERVER:
> 1. As the amanda user: ssh-keygen -t rsa -N "" -f /path/to/amanda/home/.ssh/id_rsa_amdump
> 2. Add the following to /path/to/config/dir/amanda.conf (I added it to
> the "global" dumptype)
>         auth "ssh"
>         ssh_keys "/path/to/amanda/home/.ssh/id_rsa_amdump"
> 3. As the amanda user, ssh amanda@client.fqdn.com to add the host key to
> /path/to/amanda/home/.ssh/known_hosts
> (This part was key for me since I configured amanda --with-fqdn=yes.  I
> had the client's hostname without the fqdn in my known_hosts before
> this, and amcheck was failing.)
> 
> 
> ON THE AMANDA CLIENT:
> 1. As root: ssh-keygen -t rsa -N "" -f /.ssh/id_rsa_amrecover
> 2. Append /.ssh/id_rsa_amrecover.pub from the Amanda client to
> /path/to/amanda/home/.ssh/authorized_keys on the Amanda server and
> prepend each line with:
>  
> from="client.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped"
> 3. Append /path/to/amanda/home/.ssh/id_rsa_amdump.pub from the Amanda
> server to /path/to/amanda/home/.ssh/authorized_keys on the Amanda client
> and prepend each line with:
>  
> from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump"
> 4. Add this to /path/to/config/dir/amanda-client.conf on the client
>         auth "ssh"
>         ssh_keys "/.ssh/id_rsa_amrecover"
> 5. As root on the client, ssh root@amanda_server.fqdn.com to add the
> host key to /.ssh/known_hosts
> 
> 
> Here's what your directories and files should look like (be careful of
> the linebreaks that your email program might add):
> 
> 
> SERVER:
> (amanda@amanda_server)$ ls /path/to/amanda/home/.ssh
> authorized_keys    id_rsa_amdump      id_rsa_amdump.pub  known_hosts
> 
> (amanda@amanda_server)$ cat /path/to/amanda/home/.ssh/authorized_keys
> #
> # Amanda server's amdump ssh key from ~amanda/.ssh/id_rsa_amdump.pub
> #
> from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB amanda@amanda_server
> #
> # Amanda clients' amrecover ssh keys from /.ssh/id_rsa_amrecover.pub
> #
> from="client1.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB root@client1
> from="client2.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amindexd amidxtaped" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHB root@client2
> 
> (amanda@amanda_server)$ cat /path/to/amanda/home/.ssh/known_hosts
> amanda_server.fqdn.com,10.1.2.3 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
> amanda_client.fqdn.com,10.4.5.6 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
> 
> 
> 
> CLIENT:
> (root@amanda_client)$ ls /.ssh
> id_rsa_amrecover    id_rsa_amrecover.pub     known_hosts
> 
> (root@amanda_client)$ cat known_hosts
> amanda_server.fqdn.com,10.1.2.3 ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
> 
> (root@amanda_client)$ ls /path/to/amanda/home/.ssh
> authorized_keys
> 
> (root@amanda_client)$ cat /path/to/amanda/home/.ssh/authorized_keys
> from="amanda_server.fqdn.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/libexec/amandad -auth=ssh amdump" ssh-rsa BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH amanda@amanda_server
> 
> 
> 
> Hope this helps.
> 
> Ray
> 
> 
> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Steve Newcomb
> Sent: Wednesday, September 20, 2006 12:23 PM
> To: amanda-users AT amanda DOT org
> Subject: amanda over ssh
> 
> 
> We've been using Amanda continuously since 1999.  Amanda has minimized
> our backup effort and headaches and it has saved us from serious data
> losses on several occasions.  Brava!
> 
> I was delighted to see that 2.5.1 now supports ssh, and if I could
> just get it to work, it would be a godsend to us.  I have done
> everything that docs/howto-auth.txt specifies for the use of SSH.
> Unfortunately, the best result I can get from amcheck is:
> 
>   Amanda Backup Client Hosts Check
>   --------------------------------
>   WARNING: manche.coolheads.com: selfcheck request failed: EOF on read
> From manche.coolheads.com
>   Client check: 1 host checked in 0.299 seconds, 1 problem found
> 
>   (brought to you by Amanda 2.5.1)
> 
> So I think I'm connecting to the client OK, because it responds
> promptly.  And, if I delete the 
> 
>       auth "ssh"
> 
> line from my dumptype, the response, after a 30-second delay, is:
> 
>   Amanda Backup Client Hosts Check
>   --------------------------------
>   WARNING: manche.coolheads.com: selfcheck request failed: timeout
> waiting for ACK
>   Client check: 1 host checked in 30.010 seconds, 1 problem found
> 
>   (brought to you by Amanda 2.5.1)
> 
> So I think the ssh is probably working OK.  When using amdump, the
> dumps and reports from clients to servers are supposed to go through
> the same ssh connection that the server establishes to the client,
> right?  If not, how is it supposed to work?  The reason I need to use
> ssh is that it's the ONLY way I can get to one of the machines.  (The
> way I have been backing it up is with a lot of attention and effort,
> using tar.  Yuck.)
> 
> Client and server are both running Linux 2.6.16-2-686.
> 
> I configured/compiled Amanda on both the server and the client with the
> following options:
> 
> ./configure --prefix=/usr/amanda --sysconfdir=/etc --localstatedir=/var/amanda --with-user=amanda --with-group=disk --with-ssh-security
> 
> Anybody have a clue?  Anything I should try?
> 
> -- Steve
> 
> Steven R. Newcomb, Consultant
> Coolheads Consulting
> 
> Co-editor, Topic Maps International Standard (ISO/IEC 13250)
> Co-editor, draft Topic Maps -- Reference Model (ISO/IEC 13250-5)
> 
> srn AT coolheads DOT com
> http://www.coolheads.com
> 
> direct: +1 540 951 9773
> main:   +1 540 951 9774
> fax:    +1 540 951 9775
> 
> 208 Highview Drive
> Blacksburg, Virginia 24060 USA
> 
> 
> (Confidential to all US government personnel to whom this private
> letter is not addressed and who are reading it in the absence of a
> specific search warrant: You are violating the law and you are
> co-conspiring to subvert the Constitution that you are sworn to
> defend.  You can either refuse to commit this crime, or you can expect
> to suffer criminal sanctions in the future, when the current
> administration of the United States of America has been replaced by
> one that respects the rule of law.  I do not envy you for having to
> make this difficult choice, but I urge you to make it wisely.)
> 
> 



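As an added example that is not part of this thread or of Amanda itself: the POSIX shell functions below generate the restricted authorized_keys lines that Ray's server step 2 and client steps 2 and 3 describe (a from= pin to the peer's FQDN, the three no-*-forwarding options, and a forced amandad command with the per-role service list), audit an existing authorized_keys file for keys that lack those restrictions, and check a known_hosts file for the exact name the server will look up, which is the short-name-versus-FQDN mismatch Ray hit with --with-fqdn=yes. The amandad path, hostnames and key material are placeholders taken from or modelled on his message.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Amanda project.
# It mirrors the authorized_keys and known_hosts layout described in
# the thread and checks an existing setup against it. AMANDAD is the
# install path used in the thread; adjust it for your build.

AMANDAD=/usr/local/libexec/amandad   # assumed path, as in the thread

# amanda_restricted_key PEER_FQDN ROLE PUBKEY_FILE
#   Prints one authorized_keys line for PUBKEY_FILE that is pinned to
#   PEER_FQDN, has all forwarding disabled and is forced to run amandad
#   with the service list for ROLE: "server" for the server's amdump key,
#   "client" for a client's amrecover key.
amanda_restricted_key() {
    peer=$1; role=$2; pubkey=$3
    case $role in
        server) services="amdump" ;;
        client) services="amindexd amidxtaped" ;;
        *) echo "amanda_restricted_key: unknown role '$role'" >&2; return 1 ;;
    esac
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="%s -auth=ssh %s" %s\n' \
        "$peer" "$AMANDAD" "$services" "$(cat "$pubkey")"
}

# audit_authorized_keys FILE
#   Returns 0 when every key line in FILE carries a from= restriction,
#   the three no-*-forwarding options and a forced amandad command;
#   otherwise prints each missing option with its line and returns 1.
audit_authorized_keys() {
    file=$1; bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        for opt in 'from="' no-port-forwarding no-X11-forwarding \
                   no-agent-forwarding "command=\"$AMANDAD -auth=ssh"; do
            case $line in
                *"$opt"*) ;;
                *) echo "missing $opt: $line"; bad=1 ;;
            esac
        done
    done < "$file"
    return $bad
}

# known_host_listed FILE HOST
#   Returns 0 when HOST appears verbatim in the comma-separated name list
#   of some plain known_hosts line. "client" does not match
#   "client.fqdn.com", so a short-name entry will not satisfy a server
#   built with --with-fqdn=yes. Hashed (|1|...) and @marker lines cannot
#   be matched by name and are skipped.
known_host_listed() {
    file=$1; want=$2
    while IFS= read -r line; do
        case $line in ''|'#'*|'@'*|'|'*) continue ;; esac
        names=${line%% *}
        case ",$names," in *",$want,"*) return 0 ;; esac
    done < "$file"
    return 1
}

# Demonstration on constructed files (fake key material, not real keys).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'ssh-rsa AAAAFAKESERVERKEY amanda@amanda_server\n' > "$dir/id_rsa_amdump.pub"
    amanda_restricted_key amanda_server.fqdn.com server "$dir/id_rsa_amdump.pub" > "$dir/authorized_keys"
    # A bare copy of a .pub file, with no options prepended, fails the audit.
    printf 'ssh-rsa AAAAFAKECLIENTKEY root@client1\n' >> "$dir/authorized_keys"
    if audit_authorized_keys "$dir/authorized_keys"; then
        echo "authorized_keys OK"
    else
        echo "authorized_keys needs attention"
    fi
    # Short hostname only: the lookup by FQDN fails, as in Ray's server step 3.
    printf 'amanda_client ssh-rsa AAAAFAKEHOSTKEY\n' > "$dir/known_hosts"
    known_host_listed "$dir/known_hosts" amanda_client.fqdn.com \
        || echo "known_hosts lacks an entry for amanda_client.fqdn.com"
    rm -rf "$dir"
}

demo
```

Run it with `sh` to see the demo; to check a live setup, source the file and call `audit_authorized_keys ~amanda/.ssh/authorized_keys` on each side. The point of the audit is the one Ray's entries embody: with from= and a forced command, a peer presenting that key can only reach the named amandad services from the named host, so a key file copied off a client or server grants nothing beyond what amandad itself would serve.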