Todd T. Fries wrote:
> - support public key encryption type of schemes 'pgp' or 'openssl' style
>   methods
You should read the SECURITY-API file in the docs directory, that's the
design to handle that; the API is in the 2.5 code (that is, the main CVS
branch). If you want to roll up an "openssl" and/or "pgp" security module to
go with the current "bsd", "krb4", and "krb5" ones, and would like to
contribute it, go for it!

> - support signing the data (instead of a crc or sha1 or rmd160), one
>   can use pgp, gpg, or openssl for this
Not sure if one could call that a "compression" scheme or what...  That
would be the usual kluge in the current versions of Amanda, configure it
to use /usr/local/bin/compress_and_sign instead of /usr/bin/gzip, and make
compress_and_sign a program that compresses and signs the archives. Then
archives that you compress on the client side would be signed, and the
"uncompress" operation would check the signatures.

> - Would there be a way for individual users to restore their own files
>   without compromising system security (aka currently, anyone who is
>   allowed access to amanda via 'amrecover' can restore any file).
I've thought about this somewhat; it would require some serious infrastructure changes; basically
* the indexing would have to include better file permissions/ownership
information so amrecover could tell who owns the files on the tape
* amrecover (and any code it calls) would have to be thoroughly reviewed for
setuid safety.
* You would have to have it amrestore the files into a /tmp directory
that the user can't get at, then change the modes so the user can
read it when you're done; otherwise you would have to fix amrecover,
tar, and all the {ufs,vfs,...}restore utilities to be symlink-race-proof;
and that's not likely to happen any time soon.
Then you could make amrecover setuid and off you'd go.

> aka the above suggestions of encryption/signing are for storage in the
> holding disk (since I have configured mine to be _the_ place data is stored,
> tape drive not hooked up yet), or to tape. To do this of course the amanda
> user would have to have access to the keys.
You would probably want to give your amanda user its own PGP key, and have
everyone sign the data and encrypt it to the amanda user...
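
The compress_and_sign kluge described above, written out as an added example (this is not Amanda code and not something from the thread's authors). It stands in for the "compress on the client, sign the archive, verify on uncompress" filter: the compress direction gzips the dump and appends a tag computed over the compressed bytes; the uncompress direction checks the tag before it releases a single byte of output, and fails closed otherwise. Because the Python standard library has no PGP or OpenSSL signature support, the tag is an HMAC-SHA256 under a shared key rather than the gpg/openssl public-key signature the thread talks about; the structure (sign after compressing, verify before decompressing) is the same. The assumptions are: the key is read from a file named by the AMANDA_SIGN_KEY_FILE environment variable (a hypothetical name), and Amanda runs the filter with data on stdin/stdout and a `-d` flag for the uncompress direction, the way it runs gzip.

```python
#!/usr/bin/env python3
"""compress_and_sign stand-in for Amanda's compression program.

Compress direction:   stdin -> gzip stream || 32-byte HMAC-SHA256 tag -> stdout
Uncompress direction: stdin -> verify tag -> gunzip -> stdout (nothing on failure)

The HMAC is a stand-in for a gpg/openssl signature (Python's stdlib cannot
produce one); the sign-after-compress / verify-before-decompress shape is
what matters.
"""
import gzip
import hashlib
import hmac
import os
import sys

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes appended after the gzip data


def compress_and_sign(data: bytes, key: bytes) -> bytes:
    """Return gzip(data) followed by an authentication tag over the gzip bytes."""
    body = gzip.compress(data)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_and_uncompress(blob: bytes, key: bytes) -> bytes:
    """Check the trailing tag first; only then decompress. Raises on any mismatch."""
    if len(blob) < TAG_LEN:
        raise ValueError("input too short to carry a signature tag")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # constant-time comparison, so a forged tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature check failed: archive tampered or wrong key")
    return gzip.decompress(body)


def is_tampered(blob: bytes, key: bytes) -> bool:
    """Convenience check: True if the archive would be rejected on restore."""
    try:
        verify_and_uncompress(blob, key)
        return False
    except ValueError:
        return True


def load_key() -> bytes:
    # AMANDA_SIGN_KEY_FILE is a hypothetical name for this example; the file
    # must be readable only by the amanda user, since whoever holds the key
    # can both sign and verify.
    path = os.environ.get("AMANDA_SIGN_KEY_FILE")
    if not path:
        sys.exit("AMANDA_SIGN_KEY_FILE is not set")
    with open(path, "rb") as fh:
        return fh.read()


def main(argv) -> int:
    """Filter mode: mimics 'gzip' (compress) and 'gzip -d' (uncompress)."""
    key = load_key()
    raw = sys.stdin.buffer.read()
    if "-d" in argv:
        try:
            out = verify_and_uncompress(raw, key)
        except ValueError as err:
            # fail closed: no partial plaintext reaches the restore
            print(f"compress_and_sign: {err}", file=sys.stderr)
            return 1
    else:
        out = compress_and_sign(raw, key)
    sys.stdout.buffer.write(out)
    return 0


# Constructed sample dump so the module can be exercised without Amanda.
SAMPLE_DUMP = b"/etc/passwd\n/etc/group\n" + b"x" * 4096
SAMPLE_KEY = b"constructed-demo-key-do-not-use"

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The restore side is the security-relevant half: `verify_and_uncompress` never hands gzip a byte it has not authenticated, so a tampered holding-disk file produces an error and an empty restore rather than silently restored garbage. Any gpg or openssl based version of the script should keep that ordering.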
