Enabling SSH authentication in AE 4.x and 5.x

This article explains the steps to enable SSH authentication for Linux clients in the 4.x and 5.x versions.

Amanda Enterprise uses "bsdtcp" as the default authentication mechanism for all backup objects. However, it is possible to use the SSH authentication method with Linux clients if you prefer to have data encrypted in transit between the server and the client.

Please be aware that the restores done from ZMC to the Linux client are not performed with SSH but as unencrypted data via TCP. 

Configuring Zmanda server to use SSH authentication

In order to enable SSH authentication for Linux clients, certain configuration changes are required on both the server and the clients. 

Client side configuration

The first step to enable SSH authentication is to set a password for the 'amandabackup' user on the Linux client. The ssh-copy-id step later in this article uses this password once to install the public key.

passwd amandabackup

In some distributions, Amanda utilities such as 'amandad' are located under /usr/libexec/amanda instead of /usr/lib64/amanda.

You can verify this using the find command:

find /usr -iname amandad

If the path is under /usr/libexec, we need to create a soft link using the command below.

ln -s /usr/libexec/amanda /usr/lib64/amanda

Server side configuration

All changes on the Zmanda server should be done as the 'amandabackup' user. Use this command to switch the user.

su amandabackup

In order to configure all Linux clients to use SSH, we need to edit the zmc_user_dumptypes file. This file is located at /etc/zmanda/aee5/zmc_user_dumptypes in 5.x versions and /etc/zmanda/aee4/zmc_user_dumptypes in 4.x versions.

Open this file and uncomment the "zmc_ssh_auth" line shown in the code block below:

define dumptype zmc_nixglobal_base {
        zmc_global_base
        client_encrypt "/usr/sbin/amcryptsimple"
        client_decrypt_option "-d"
      # zmc_ssh_auth # uncomment this line to enable SSH authentication for all *nix DLEs
        # adding things here will affect all non-Windows ZMC DLEs
}

The file should look like this after the edits

Configuring SSH public key authentication between the Zmanda server and Linux clients

The SSH keys will be present in the amandabackup user's home directory /var/lib/amanda. Copy both the private and public keys created for use by amdump to standard SSH public key names using the commands below.

cp -p /var/lib/amanda/.ssh/id_rsa_amdump /var/lib/amanda/.ssh/id_rsa

cp -p /var/lib/amanda/.ssh/id_rsa_amdump.pub /var/lib/amanda/.ssh/id_rsa.pub

Then use the ssh-copy-id command to install the public key on the Linux client.

ssh-copy-id -i ~/.ssh/id_rsa.pub amandabackup@ip_address_of_client

Once the key is installed, confirm that you can run a command on the remote system as the amandabackup user via SSH:

ssh amandabackup@ip_address_of_client 'ls'

A successful result returns a listing of the amandabackup user's home directory on the client host without prompting for a password.
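
The checks from this article can be scripted before running the host check. The script below is an added example, not part of the original article or Zmanda's tooling; its function names are hypothetical, and it assumes it is run as the amandabackup user on the Zmanda server with the paths given above.

```shell
#!/bin/sh
# Added example, not Zmanda's own tooling. Function names are hypothetical;
# file paths are the ones given in this article.

# Succeeds if zmc_ssh_auth is active (not commented out) inside the
# zmc_nixglobal_base dumptype of the given zmc_user_dumptypes file.
ssh_auth_enabled() {
    awk '
        /^[ \t]*define[ \t]+dumptype[ \t]+zmc_nixglobal_base[ \t]*[{]/ { inblk = 1; next }
        inblk && /^[ \t]*[}]/ { inblk = 0 }
        inblk {
            line = $0
            sub(/#.*/, "", line)   # drop comments, including a commented-out line
            if (line ~ /(^|[ \t])zmc_ssh_auth([ \t]|$)/) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds if group and others have no access to the private key. OpenSSH
# ignores a private key that other users can read.
key_perms_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perm" = "------" ]
}

# Succeeds only if key-based login works. BatchMode=yes makes ssh fail
# instead of falling back to a password prompt.
passwordless_login_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "amandabackup@$1" true
}

# Run all three checks when given a client address, e.g.: sh check.sh 192.0.2.10
# (5.x path shown; use /etc/zmanda/aee4/zmc_user_dumptypes on 4.x).
if [ "$#" -eq 1 ]; then
    rc=0
    ssh_auth_enabled /etc/zmanda/aee5/zmc_user_dumptypes ||
        { echo "FAIL: zmc_ssh_auth is not enabled in zmc_nixglobal_base"; rc=1; }
    key_perms_ok /var/lib/amanda/.ssh/id_rsa ||
        { echo "FAIL: id_rsa is missing or accessible to group/others"; rc=1; }
    passwordless_login_ok "$1" ||
        { echo "FAIL: key-based login to $1 did not succeed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SSH authentication checks passed"
    exit "$rc"
fi
```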

Performing Host check to validate the changes

Log in to ZMC and check that you can run a successful host check on all the Linux sources.

If you are facing any issues, please reach out to Zmanda support at support@zmanda.com.