Re: Amanda security +Kerberos
On Tue, 8 Feb 2005, Gil Naveh wrote:
> Some have suggested to use sftp or ssh - bring those files to the server
> and then backing it up locally. However, by implementing this technique I am
> overloading the network - because I have to ssh or sftp all files daily
> instead of letting Amanda get only the changes (level 0,1 etc).
> But is there a way to implement ssh/sftp with Amanda?

You can avoid overloading the network by not copying all files, but only the
changes, using rsync (over ssh, of course).

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- [EMAIL PROTECTED]

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say programmer or something like that.
-- Linus Torvalds
Re: Amanda security +Kerberos
I believe that the most recent amanda 2.4.4 releases have the kerberos
support integrated. It is krb4 only.

You of course have to set up a v4 KDC and create principals. This is not
well documented, and is likely to be quite hard if you aren't already
familiar with kerberos.

Basically, the server gets tickets from [EMAIL PROTECTED] from a srvtab in
/.amanda (it's the kerberos client), and the servers validate those tickets
against a srvtab for [EMAIL PROTECTED] from /etc/srvtab.amanda, with acl
checking in ~amanda/.klogin.

The wire protocol sends a ticket, and does a homebrew mutual auth exchange
by decrypting a timestamp, modifying it, and reencrypting it. It then uses
the session key for the data. This is all a bit hackish from a crypto
protocol standpoint.

The 2.5 branch supports some form of Kerberos 5, which is what you should
use instead. But it isn't quite ready for production use, it seems.

I put KRB_OPTIONS on the configure line:

    KRB_LOCATION=/usr
    KRB_KEYFILE=/etc/srvtab.amanda
    KRB_PRINCIPAL=amanda
    KRB_OPTIONS=\
      --with-krb4-security=$KRB_LOCATION \
      --with-client-principal=$KRB_PRINCIPAL \
      --with-client-keyfile=$KRB_KEYFILE

--
Greg Troxel [EMAIL PROTECTED]
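The timestamp exchange described in the message above, sketched as an added example that is not part of the original post and is not Amanda's code. Assumptions: the "modify" step is an increment by one, the replay window is 300 seconds, and the cipher is a stand-in (SHA-256 keystream with an HMAC tag) rather than the DES that krb4 used.

```python
import hashlib, hmac, os, struct

MAX_SKEW = 300  # seconds; assumed replay window, not a value from Amanda

def _subkey(key, label):
    # Separate keys for encryption and integrity, derived from the session key.
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode as a stand-in cipher (assumption; krb4 used DES).
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(session_key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(session_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(session_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong session key or modified message")
    return _xor_stream(_subkey(session_key, b"enc"), nonce, ct)

def client_challenge(session_key, now):
    # Initiator proves knowledge of the session key by encrypting a timestamp.
    return seal(session_key, struct.pack(">Q", now))

def server_respond(session_key, challenge, now):
    (ts,) = struct.unpack(">Q", unseal(session_key, challenge))
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("stale timestamp")  # an old challenge being replayed
    return seal(session_key, struct.pack(">Q", ts + 1))  # the "modify" step

def client_verify(session_key, sent_ts, response):
    # Only a peer that could decrypt the challenge can return ts + 1.
    (got,) = struct.unpack(">Q", unseal(session_key, response))
    return got == sent_ts + 1

def mutual_auth(client_key, server_key, client_now, server_now):
    """Run the exchange; True only if both sides hold the same session key."""
    try:
        chal = client_challenge(client_key, client_now)
        resp = server_respond(server_key, chal, server_now)
        return client_verify(client_key, client_now, resp)
    except ValueError:
        return False
```

The HMAC tag is part of the stand-in; without an integrity check of some kind, neither side can tell a modified ciphertext from a genuine one.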
Re: Amanda security +Kerberos
On Tue, Feb 08, 2005 at 02:13:57PM -0500, Gil Naveh wrote:
> hi,
> I am a little confused regarding adding security to Amanda.
> In the past I posted a question regarding adding security to Amanda -
> We have a Solaris 9 machine which is Amanda server and a remote Solaris 9
> machine which is Amanda client. We need the data that is transferring from
> the client to the server to be secure.
> People have kindly answered my question but I am still confused.
>
> Some have suggested to use sftp or ssh - bring those files to the server
> and then backing it up locally. However, by implementing this technique I am
> overloading the network - because I have to ssh or sftp all files daily
> instead of letting Amanda get only the changes (level 0,1 etc).
> But is there a way to implement ssh/sftp with Amanda?

perhaps you could use rsync over ssh to pull only the changes.

--
Eric Dantan Rzewnicki | Systems Administrator
Technical Operations Division | Radio Free Asia
2025 M Street, NW | Washington, DC 20036 | 202-530-4900

CONFIDENTIAL COMMUNICATION
This e-mail message is intended only for the use of the addressee and may
contain information that is privileged and confidential. Any unauthorized
dissemination, distribution, or copying is strictly prohibited. If you
receive this transmission in error, please contact [EMAIL PROTECTED]
RE: Amanda security +Kerberos
Thanks for the help.
Unfortunately in my case, rsync won't work because I have to back up about
20 servers and I don't have the disk capacity for it.

Thx,
gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric Dantan Rzewnicki
Sent: Wednesday, February 09, 2005 3:06 PM
To: Gil Naveh
Cc: Amanda-Users
Subject: Re: Amanda security +Kerberos

On Tue, Feb 08, 2005 at 02:13:57PM -0500, Gil Naveh wrote:
> hi,
> I am a little confused regarding adding security to Amanda.
> In the past I posted a question regarding adding security to Amanda -
> We have a Solaris 9 machine which is Amanda server and a remote Solaris 9
> machine which is Amanda client. We need the data that is transferring from
> the client to the server to be secure.
> People have kindly answered my question but I am still confused.
>
> Some have suggested to use sftp or ssh - bring those files to the server
> and then backing it up locally. However, by implementing this technique I am
> overloading the network - because I have to ssh or sftp all files daily
> instead of letting Amanda get only the changes (level 0,1 etc).
> But is there a way to implement ssh/sftp with Amanda?

perhaps you could use rsync over ssh to pull only the changes.

--
Eric Dantan Rzewnicki | Systems Administrator
Technical Operations Division | Radio Free Asia
2025 M Street, NW | Washington, DC 20036 | 202-530-4900

CONFIDENTIAL COMMUNICATION
This e-mail message is intended only for the use of the addressee and may
contain information that is privileged and confidential. Any unauthorized
dissemination, distribution, or copying is strictly prohibited. If you
receive this transmission in error, please contact [EMAIL PROTECTED]