Dear Kevin, et al.,
My bug in which Amanda created its dump-holding directory with
permissions that made it impossible for it to write on that directory
--- it's fixed. The fix was to change the ownership of one or more of
the files in /home/amanda. I'm not sure which file ownerships made
the difference.
Anyway, only because the Amanda maintainers might be interested, I'm
attaching my Amanda installation script (install.sh). Search for the
string "### Bug:" and you will see the difference that made the
difference. It's curious as all get-out, and I'm wondering whether I
ran into some security fix in the version of Linux that I'm
running. (2.6.16, in this case).
Anyway, happy days, I have dumps now. And they do indeed pass through
the ssh connection. I commend you guys. auth="ssh" is a significant
enhancement to Amanda.
-- Steve
Steven R. Newcomb, Consultant
Coolheads Consulting
Co-editor, Topic Maps International Standard (ISO/IEC 13250)
Co-editor, draft Topic Maps -- Reference Model (ISO/IEC 13250-5)
[EMAIL PROTECTED]
http://www.coolheads.com
direct: +1 540 951 9773
main: +1 540 951 9774
fax: +1 540 951 9775
208 Highview Drive
Blacksburg, Virginia 24060 USA
(Confidential to all US government personnel to whom this private
letter is not addressed and who are reading it in the absence of a
specific search warrant: You are violating the law and you are
co-conspiring to subvert the Constitution that you are sworn to
defend. You can either refuse to commit this crime, or you can expect
to suffer criminal sanctions in the future, when the current
administration of the United States of America has been replaced by
one that respects the rule of law. I do not envy you for having to
make this difficult choice, but I urge you to make it wisely.)
#!/bin/bash
# install.sh: build and install Amanda 2.5.1 under /home/amanda with
# ssh security, on both the tape server ("dimanche") and the clients.
if [ ! "$USER" = "root" ]; then
echo "user is not root, aborting."
exit 1
fi
if [ ! "$(pwd)" = "/home/amanda/amandasrc" ]; then
echo "you must first cd to /home/amanda/amandasrc"
exit 1
fi
TRUE=0
FALSE=1
# Only the host "dimanche" gets the server side of Amanda built.
if [ "$(hostname)" = "dimanche" ]; then
isServer=$TRUE
else
isServer=$FALSE
fi
set -x
if [ ! -e /home/amanda ]; then
echo "There must be a user \"amanda\" who is a member of groups \"disk\" and \"tape\", and whose home is /home/amanda"
exit 1
fi
usermod -G amanda,disk,tape amanda
if [ -d /home/amanda/DailySet1 ]; then
rm -rf /home/amanda/DailySet1
fi
if [ "$isServer" = "$TRUE" ]; then
if [ ! -d /home/amanda/INDEX ]; then
mkdir -p /home/amanda/INDEX
fi
if [ ! -d /home/amanda/INFO ]; then
mkdir -p /home/amanda/INFO
fi
if [ ! -d /home/amanda/LOG ]; then
mkdir -p /home/amanda/LOG
fi
fi
if [ ! -e /tmp/amanda ]; then
mkdir /tmp/amanda
fi
# Debug/temp area (configure's --with-tmpdir default) must be writable by amanda.
chown -R amanda:disk /tmp/amanda
if [ -e /home/amanda/coolheads ]; then
rm -rf /home/amanda/coolheads
fi
mkdir /home/amanda/coolheads
# The "coolheads" configuration is kept in the source tree; symlink it into
# place (-f so the script can be re-run without "File exists" errors).
ln -sf /home/amanda/amandasrc/coolheads/.amandahosts /home/amanda/.amandahosts
ln -sf /home/amanda/amandasrc/coolheads/.amandahosts /home/amanda/coolheads/.amandahosts
ln -sf /home/amanda/amandasrc/coolheads/amanda.conf /home/amanda/amanda.conf
ln -sf /home/amanda/amandasrc/coolheads/amanda.conf /home/amanda/coolheads/amanda.conf
ln -sf /home/amanda/amandasrc/coolheads/amanda-client.conf /home/amanda/amanda-client.conf
ln -sf /home/amanda/amandasrc/coolheads/amanda-client.conf /home/amanda/coolheads/amanda-client.conf
ln -sf /home/amanda/amandasrc/coolheads/tapelist /home/amanda/tapelist
ln -sf /home/amanda/amandasrc/coolheads/tapelist /home/amanda/coolheads/tapelist
ln -sf /home/amanda/amandasrc/coolheads/disklist /home/amanda/disklist
ln -sf /home/amanda/amandasrc/coolheads/disklist /home/amanda/coolheads/disklist
ln -sf /home/amanda/amandasrc/coolheads/chg-multi.conf /home/amanda/coolheads/chg-multi.conf
whereWeWere=$(pwd)
cd /home/amanda/amandasrc/coolheads
for i in *-excludes ; do
ln -sf /home/amanda/amandasrc/coolheads/${i} /home/amanda/coolheads/${i}
done
cd "$whereWeWere"
if [ ! -e /home/amanda/share ]; then
mkdir /home/amanda/share
fi
if [ ! -e /home/amanda/man ]; then
mkdir /home/amanda/man
fi
if [ -e /home/amanda/lib ]; then
rm -rf /home/amanda/lib
fi
if [ -e /home/amanda/libexec ]; then
rm -rf /home/amanda/libexec
fi
if [ -e /home/amanda/man ]; then
rm -rf /home/amanda/man
fi
if [ -e /home/amanda/sbin ]; then
rm -rf /home/amanda/sbin
fi
if [ -e /home/amanda/share ]; then
rm -rf /home/amanda/share
fi
if [ -e /home/amanda/amandasrc/amanda-2.5.1 ]; then
rm -rf /home/amanda/amandasrc/amanda-2.5.1
fi
cd /home/amanda/amandasrc
tar xzf amanda-2.5.1.tar.gz
cd /home/amanda/amandasrc/amanda-2.5.1
# Options shared by the server and client builds. The original script passed
# --sysconfdir twice (/home/amanda, then /home); configure keeps the last
# value, so only --sysconfdir=/home is kept here. With the default
# --with-configdir of sysconfdir/amanda, configurations are then looked up
# under /home/amanda/<config>, which is where the symlinks above put them.
commonConfigArgs=\
" --prefix=/home/amanda \
--exec-prefix=/home/amanda \
--datadir=/home/amanda/share \
--sysconfdir=/home \
--sharedstatedir=/home/amanda/com \
--localstatedir=/home/amanda/var \
--libdir=/home/amanda/lib \
--includedir=/home/amanda/include \
--oldincludedir=/home/amanda/include \
--mandir=/home/amanda/man \
--infodir=/home/amanda/info \
--with-user=amanda \
--with-group=disk \
--with-ssh-security"
# "set --" (not "set -", which would also switch off the set -x tracing
# enabled above) turns the option string into positional parameters.
set -- $commonConfigArgs
if [ "$isServer" = "$TRUE" ]; then
echo ./configure "$@"
./configure "$@"
else
echo ./configure "$@" --without-server
./configure "$@" --without-server
fi
make
make install
if [ "$isServer" = "$TRUE" ]; then
if [ ! -e /nobackup/AMANDASPOOL ]; then
mkdir /nobackup/AMANDASPOOL
fi
# Holding disk: root-owned, group "disk" (the --with-group value) can use it.
chown -R root:disk /nobackup/AMANDASPOOL
fi
if [ ! -d /home/amanda/var ]; then
mkdir /home/amanda/var
fi
if [ ! -d /home/amanda/var/gnutar_list ]; then
mkdir /home/amanda/var/gnutar_list
fi
if [ ! -e /home/amanda/var/amandates ]; then
touch /home/amanda/var/amandates
fi
if [ ! -f /home/amanda/amandasrc/coolheads/tapelist ]; then
touch /home/amanda/amandasrc/coolheads/tapelist
fi
### Bug: if the below line is:
### chown -R root.disk /home/amanda
### then, when Amanda creates the
### the holding disk (/nobackup/AMANDASPOOL/200609...)
### directory for the dump, it's created with root
### ownership and mode 700 permissions, and Amanda
### can't write on it. I have no idea why this happens.
### The Amanda code says it's creating this directory
### with 770 permissions. --SRN
chown -R amanda:disk /home/amanda
# Only these four programs are given root ownership; together with the
# setuid bit below they run as root, everything else stays owned by amanda.
chown root:disk /home/amanda/libexec/runtar
chown root:disk /home/amanda/libexec/dumper
chown root:disk /home/amanda/libexec/planner
chown root:disk /home/amanda/sbin/amcheck
# 6770 = setuid + setgid, rwx for owner and group, nothing for others.
# Applied to every binary in libexec and sbin: the four root-owned ones
# become setuid root, the rest setuid amanda. Group "disk" is the group
# allowed to run them (--with-group); nobody else can execute them at all.
chmod -R 6770 /home/amanda/libexec/* /home/amanda/sbin/*
if [ -d /home/amanda/DailySet1 ]; then
rm -rf /home/amanda/DailySet1
fi
# Print the SSH setup notes (quoted heredoc: nothing inside is expanded).
cat <<'EOF'
SSH
You must configure amanda with --with-ssh-security.
Create user 'amanda':
For amdump:
You must create user amanda on all machines, including the server.
You must put the server's amanda id_rsa.pub, as amended with options,
in the amanda user's ~/.ssh/authorized_keys on *all* machines. Here's an example:
from="dimanche.coolheads.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/home/amanda/libexec/amandad -auth=ssh amdump" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKMbLwLfI6iwGYzkv75UpRqj2LvOV6uvRYJghvN7t8vUzrxzGmIPEiuFwKRAO8jsfrvLDaBJU4S18eN7FpybcEyhT1yctfSY6TxKL3QHR6pluUl7kh2eJ1C9Cr26AU5Hfp3/FYTWM33SVcgDIuyzrbUTtKZubuQGRkn6r6Ns8POI5d+b6jwPGkqa85qVzK7xA1dQFv0HyrHaVO15FTG8/Zv1kMHQyVa8fKxFQGdAjRdaQD2nG18jeyzuFcgX9RCA+zPef1ceHj2Xh6W25YCQuxYzC73pcdbedZMoVSbT25AcY09+Rg/z0MQqZhf86xiRvFwbpI2aYCy7gmXtub+8kQ== [EMAIL PROTECTED]
You must create an ssh key for your server. In this example, the key is put in
the id_rsa_amdump file:
ssh-keygen -t rsa
Enter file in which to save the key (/home/amanda/.ssh/id_rsa)? /home/amanda/.ssh/id_rsa_amdump
You must set the ssh_keys option in all DLEs for that host:
ssh_keys "/home/amanda/.ssh/id_rsa_amdump"
You must append the /home/amanda/.ssh/id_rsa_amdump.pub file to the
.ssh/authorized_keys file of all client hosts.
For security reasons, you must prepend the line with the following:
from="tape_server_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/path/to/amandad -auth=ssh amdump"
That will limit that key to connect only from your server and only be able to
execute amandad.
Like rsh, if your server username and client username are different, you must
add the client_username option in all DLEs for that host:
client_username "client_username"
Like rsh, if your server amandad path and client amandad path are different,
you must set the amandad_path option in all DLEs for that host:
amandad_path "client/amandad/path"
For amrecover:
You must create an ssh key for root on all clients that can use amrecover. In
this example, the key is put in the /root/.ssh/id_rsa_amrecover file:
Log in as root:
ssh-keygen -t rsa
Enter file in which to save the key (/root/.ssh/id_rsa)? /root/.ssh/id_rsa_amrecover
You must set the ssh_keys option in the amanda-client.conf file:
ssh_keys "/root/.ssh/id_rsa_amrecover"
You must append every client's /root/.ssh/id_rsa_amrecover.pub file to the
/home/amanda/.ssh/authorized_keys of the server.
For security reasons, you must prefix all lines with the following:
from="aclient_fqdn_name",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/path/to/amandad -auth=ssh amindexd amidxtaped"
That will limit every client key to connect from the client and only be able to
execute amandad.
EOF
# [EMAIL PROTECTED]:~/AMANDA/amanda-2.5.1# ./configure --help
# `configure' configures this package to adapt to many kinds of systems.
#
# Usage: ./configure [OPTION]... [VAR=VALUE]...
#
# To assign environment variables (e.g., CC, CFLAGS...), specify them as
# VAR=VALUE. See below for descriptions of some of the useful variables.
#
# Defaults for the options are specified in brackets.
#
# Configuration:
# -h, --help display this help and exit
# --help=short display options specific to this package
# --help=recursive display the short help of all the included packages
# -V, --version display version information and exit
# -q, --quiet, --silent do not print `checking...' messages
# --cache-file=FILE cache test results in FILE [disabled]
# -C, --config-cache alias for `--cache-file=config.cache'
# -n, --no-create do not create output files
# --srcdir=DIR find the sources in DIR [configure dir or `..']
#
# Installation directories:
# --prefix=PREFIX install architecture-independent files in PREFIX
# [/usr/local]
# --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
# [PREFIX]
#
# By default, `make install' will install all the files in
# `/usr/local/bin', `/usr/local/lib' etc. You can specify
# an installation prefix other than `/usr/local' using `--prefix',
# for instance `--prefix=$HOME'.
#
# For better control, use the options below.
#
# Fine tuning of the installation directories:
# --bindir=DIR user executables [EPREFIX/bin]
# --sbindir=DIR system admin executables [EPREFIX/sbin]
# --libexecdir=DIR program executables [EPREFIX/libexec]
# --datadir=DIR read-only architecture-independent data [PREFIX/share]
# --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
# --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
# --localstatedir=DIR modifiable single-machine data [PREFIX/var]
# --libdir=DIR object code libraries [EPREFIX/lib]
# --includedir=DIR C header files [PREFIX/include]
# --oldincludedir=DIR C header files for non-gcc [/usr/include]
# --infodir=DIR info documentation [PREFIX/info]
# --mandir=DIR man documentation [PREFIX/man]
#
# Program names:
# --program-prefix=PREFIX prepend PREFIX to installed program names
# --program-suffix=SUFFIX append SUFFIX to installed program names
# --program-transform-name=PROGRAM run sed PROGRAM on installed program names
#
# System types:
# --build=BUILD configure for building on BUILD [guessed]
# --host=HOST cross-compile to build programs to run on HOST [BUILD]
# --target=TARGET configure for building compilers for TARGET [HOST]
#
# Optional Features:
# --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
# --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
# --disable-dependency-tracking speeds up one-time build
# --enable-dependency-tracking do not reject slow dependency extractors
# --disable-largefile omit support for large files
# --enable-shared[=PKGS]
# build shared libraries [default=yes]
# --enable-static[=PKGS]
# build static libraries [default=yes]
# --enable-fast-install[=PKGS]
# optimize for fast installation [default=yes]
# --disable-libtool-lock avoid locking (might break parallel builds)
#
# Optional Packages:
# --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
# --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
# --with-cflags=CFLAGS arguments to the c compiler (-Wall, -g, etc)
# --with-includes=DIR site header files for readline, etc in DIR
# --with-libraries=DIR site library directories for readline, etc in DIR
# --with-dumperdir=DIR where we install the dumpers [EPREFIX/dumper]
# --with-configdir=DIR runtime config files in DIR [sysconfdir/amanda]
# --with-indexdir deprecated, use indexdir in amanda.conf
# --with-dbdir deprecated, use infofile in amanda.conf
# --with-logdir deprecated, use logfile in amanda.conf
# --with-suffixes install binaries with version string appended to name
# --with-client-only deprecated, use --without-server
# --with-server-only deprecated, use --without-client
# --without-client do not build client stuff
# --without-server do not build server stuff (set --without-restore)
# --without-restore do not build amrestore nor amidxtaped
# --without-amrecover do not build amrecover
# --with-index-server=HOST default amanda index server [`uname -n`]
# --without-force-uid do not force the uid to --with-user
# --with-user=USER force execution to USER on client systems [required]
# --with-group=GROUP group allowed to execute setuid-root programs [required]
# --with-owner=USER force ownership of files to USER [default == --with-user value]
# --with-rundump use rundump (setuid-root) to invoke dump
# --with-config=CONFIG default configuration [DailySet1]
# --with-tape-server=HOST default restoring tape server is HOST [same as --with-index-server]
# --with-tape-device=ARG restoring tape server HOST's no rewinding tape drive
# --with-ftape-rawdevice=ARG raw device on tape server HOST's if using Linux ftape >=3.04d
# --with-rew-tape deprecated, use --with-tape-device
# --with-norew-tape=ARG deprecated, use --with-tape-device
# --with-changer-device=ARG default tape changer device [/dev/ch0 if it exists]
# --with-fqdn use FQDN's to backup multiple networks
# --with-broken-fsf only enable if tape fsf calls fail mid-file
# --without-reuseaddr Don't closed network connections to be reused until full timeout period.
# --with-gnutar[=PROG] use PROG as GNU tar executable [default: looks for one]
# --with-smbclient[=PROG] use PROG as Samba's smbclient executable [default: looks for one]
# --with-samba-user was deprecated
# --with-gnutar-listdir=DIR gnutar directory lists go in DIR [localstatedir/amanda/gnutar-lists]
# --with-gnutar-listed-incremental was deprecated, use --with-gnutar-listdir
# --without-bsd-security do not use BSD rsh/rlogin style security
# --without-amandahosts use .rhosts instead of .amandahosts
# --with-dbmalloc=DIR Location of dbmalloc libs and headers
# --with-krb4-security=DIR Location of Kerberos software [/usr/kerberos /usr/cygnus /usr /opt/kerberos]
# --with-rsh-security use rsh as a transport
# --with-ssh-security use ssh as a transport
# --with-bsdtcp-security use tcp as a transport
# --with-bsdudp-security use tcp as a transport
# --with-server-principal=ARG server host principal ["amanda"]
# --with-server-instance=ARG server host instance ["amanda"]
# --with-server-keyfile=ARG server host key file ["/.amanda"]
# --with-client-principal=ARG client host principal ["rcmd"]
# --with-client-instance=ARG client host instance [HOSTNAME_INSTANCE]
# --with-client-keyfile=ARG client host key file [KEYFILE]
# --with-ticket-lifetime=ARG ticket lifetime [128]
# --with-krb5-security=DIR Location of Kerberos V software [/usr/kerberos /usr/cygnus /usr /opt/kerberos]
# --with-low-tcpportrange=low,high bind reserved TCP server sockets to ports within this range unlimited (mainly for amrecover)
# --with-tcpportrange=low,high bind unreserved TCP server sockets to ports within this range [unlimited]
# --with-udpportrange=low,high bind reserved UDP server sockets to ports within this range [unlimited]
# --with-maxtapeblocksize=kb Maximum size of a tape block
# --with-db={text,db,dbm,gdbm,ndbm} use the selected database format [text]
# --with-mmap force use of mmap instead of shared memory support
# --with-buffered-dump buffer the dumping sockets on the server for speed
# --with-assertions compile assertions into code
# --with-tmpdir=/temp/dir area Amanda can use for temp files [/tmp/amanda]
# --with[out]-debugging[=/debug/dir] [do not] record runtime debugging information in specified directory [--with-tmpdir]
# --with-debug-days=NN number of days to keep debugging files [default=4]
# --with-testing[=suffix] use alternate service names
# --with-dump-honor-nodump if dump supports -h, use it for level0s too
# --with-gnu-ld assume the C compiler uses GNU ld [default=no]
# --with-pic try to use only PIC/non-PIC objects [default=use
# both]
# --with-tags[=TAGS]
# include additional configurations [automatic]
# --without-built-manpages Do not build manpages from XML source.
#
# Some influential environment variables:
# CC C compiler command
# CFLAGS C compiler flags
# LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
# nonstandard directory <lib dir>
# CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
# headers in a nonstandard directory <include dir>
# CPP C preprocessor
# CXX C++ compiler command
# CXXFLAGS C++ compiler flags
# CXXCPP C++ preprocessor
# F77 Fortran 77 compiler command
# FFLAGS Fortran 77 compiler flags
#
# Use these variables to override the choices made by `configure' or to help
# it to find libraries and programs with nonstandard names/locations.
#
#
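The "### Bug:" comment in install.sh is about the holding-disk directory ending up root-owned with mode 700, so that the amanda user cannot write to it. The shell function below is an added example, not part of Steve's install.sh or of Amanda itself: it checks a holding directory the way you would want amcheck to, i.e. the directory must be writable by the backup user (as owner, or through the --with-group group) and must never be world-writable. It assumes GNU coreutils stat (the -c format flag); the function name check_holding_dir is my own.

```shell
#!/bin/sh
# Added example (not from install.sh or Amanda): verify that a holding-disk
# directory is usable by the Amanda user/group and not open to everyone.
#
# usage: check_holding_dir DIR USER GROUP
#   e.g. check_holding_dir /nobackup/AMANDASPOOL amanda disk
# Returns 0 when DIR is writable by USER (as owner) or by GROUP (as group)
# and is not world-writable; prints a reason and returns 1 otherwise.
check_holding_dir() {
    dir=$1
    user=$2
    group=$3
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # GNU stat: %U owner name, %G group name, %A symbolic mode (drwxrwx---)
    info=$(stat -c '%U %G %A' "$dir") || return 1
    set -- $info
    owner=$1
    grp=$2
    perm=$3
    # 9th character of the mode string is the "other" write bit.
    case "$perm" in
        ????????w?) echo "$dir: world-writable ($perm)"; return 1 ;;
    esac
    # Owner write bit (3rd character) counts only if the owner is USER.
    if [ "$owner" = "$user" ]; then
        case "$perm" in ??w*) return 0 ;; esac
    fi
    # Group write bit (6th character) counts only if the group is GROUP.
    if [ "$grp" = "$group" ]; then
        case "$perm" in ?????w*) return 0 ;; esac
    fi
    # This is the state the "### Bug:" comment describes: e.g. root:root 700.
    echo "$dir: $owner:$grp $perm is not writable by $user or group $group"
    return 1
}
```

Run it once after the first amdump, against the dated directory Amanda created under the holding disk; a directory that the check rejects is exactly the one dumper and chunker will fail to write into.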
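The SSH notes printed by install.sh say that every amandad key in authorized_keys must be prefixed with from=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding and a forced amandad command. The two shell functions below are an added example, not part of install.sh or of Amanda's own tools: one builds such a restricted line from a public key, the other audits an existing authorized_keys file and reports every key that lacks any of those options or whose forced command is not amandad. The function names (restrict_amanda_key, audit_amanda_keys) are mine, and the key material used in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from install.sh or Amanda): build and audit restricted
# authorized_keys entries for amandad over ssh.

# restrict_amanda_key FROM_HOST AMANDAD_PATH SERVICES PUBKEY_LINE
#   FROM_HOST    host allowed to use the key (tape server, or a client for amrecover)
#   AMANDAD_PATH path of amandad on this host
#   SERVICES     "amdump" for backups, "amindexd amidxtaped" for amrecover
#   PUBKEY_LINE  the line from ssh-keygen's .pub file (type, base64, comment)
restrict_amanda_key() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="%s -auth=ssh %s" %s\n' \
        "$1" "$2" "$3" "$4"
}

# audit_amanda_keys FILE
#   Every non-comment line of an Amanda user's authorized_keys should be a
#   restricted amandad key. Prints each offending line's prefix and returns 1
#   if any key is missing an option; returns 0 when all keys are restricted.
audit_amanda_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments are not keys
        esac
        for opt in 'from="' no-port-forwarding no-X11-forwarding no-agent-forwarding 'command="'; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "key missing $opt: ${line%% *}"; bad=1 ;;
            esac
        done
        # The forced command must be amandad itself, not some other program.
        case "$line" in
            *'command="'*amandad*) ;;
            *) echo "forced command is not amandad: ${line%% *}"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}
```

An unrestricted key such as a bare "ssh-rsa AAAA... amanda@host" line, which is what you get by appending id_rsa_amdump.pub without editing it, is reported as missing every option; the audit is worth running on each client's /home/amanda/.ssh/authorized_keys and on the server's after following the notes above.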