Backing Up Other Systems

So just backing up "localhost" isn't enough for you? Amanda has you covered!

Contents

Background

Amanda is old for open-source software. In Amanda's infancy, spam was still canned meat, malware was a sequined T-shirt, hair was huge, and folks blithely used 'rsh' and 'telnet' across the Internet. Oh, and the US still considered crypto software to be a "munition". Amanda's client/server authentication thus consisted of a username and some basic checks of DNS records. Not so hot in these days of cryptographic side-channel attacks and trojan'd network hardware!

Sadly, most of the guides and default configurations for Amanda still use these ancient authentication mechanisms - bsd, bsdudp, and bsdtcp. For the record, just don't ever use bsd or bsdudp: they are based on UDP, which is difficult to debug, and they are invariably misconfigured. If your network is well-secured, you can get away with bsdtcp, but this page won't show you how to do it.

This page will use SSH authentication, which is a little bit troublesome to set up, but works quite well once it's running.

Configuration

Authentication is configured in the dumptypes, so we'll add a new dumptype for this remote system. Add the following to your amanda.conf(5):

define dumptype simple-gnutar-remote {
    auth "ssh"
    ssh_keys "/etc/amanda/MyConfig/ssh-key"
    compress none
    program "GNUTAR"
} 

over in the disklist, we'll be backing up a host named "euclid.amanda.org". Your second system's name is different, so substitute it here.

euclid.amanda.org /etc simple-gnutar-remote

SSH Setup

You've now told Amanda to SSH to euclid.amanda.org, and to use the ssh keys in /etc/amanda/MyConfig/ssh-key. We should create those keys, and with no passphrase, as Amanda does not know how to enter a passphrase.

amanda@knuth ~ $ ssh-keygen -f /etc/amanda/MyConfig/ssh-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /etc/amanda/MyConfig/ssh-key.
Your public key has been saved in /etc/amanda/MyConfig/ssh-key.pub.
...

There are two more steps. First, we need to make sure that SSH does not try to ask Amanda to verify euclid's host key. That's easy enough (be careful to use the fully-qualified hostname here):

amanda@knuth ~ $ ssh [email protected]
The authenticity of host 'euclid.amanda.org (2001:470:1f11:826::1)' can't be established.
RSA key fingerprint is e6:a6:0a:8d:ca:6e:43:54:da:cb:1f:de:73:4e:39:5f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'euclid.amanda.org,2001:470:1f11:826::1' (RSA) to the list of known hosts.
Password: 

(just hit control-c at the password prompt) Second, we need to get the public key over to euclid. As amanda on euclid (noting that this is copying the .pub file!):

amanda@euclid ~ $ scp knuth:/etc/amanda/MyConfig/ssh-key.pub /tmp
Password: 
ssh-key.pub        100%  394     0.4KB/s   00:00

(if 'amanda' doesn't have a password, surely you can find another way to get the file there!) And add that file to authorized_keys.

amanda@euclid ~ $ cat /tmp/ssh-key.pub >> ~/.ssh/authorized_keys

Test this by SSH'ing from knuth:

amanda@knuth ~ $ ssh -i /etc/amanda/MyConfig/ssh-key euclid
Last login: Sat Jan  1 12:32:27 CST 2011 from euclid.amanda.org on ssh
amanda@euclid ~ $ 

Check and Run

Just like before, run an amcheck(8) and, if things look good, run an amdump(8) directly or wait for the next scheduled run.

More Information

The amanda-auth(7) manpage has details on all of the authentication methods available. The Communication How Tos will probably also be useful. If you're using the bsd* authentications, then Troubleshooting is probably a page you will consult often.

Last updated