How to Enable SSH Authentication in Amanda Enterprise 3.6?

This article explains how to enable SSH authentication in Amanda Enterprise.

This article is for Amanda Enterprise (AE).

Amanda Enterprise uses "bsdtcp" as the default authentication mechanism for all backup objects configured in the Zmanda Management Console (ZMC) on the Sources page. It is possible to use the SSH authentication method with UNIX/Linux clients instead of bsdtcp. However, if your goal is to have all data encrypted in transit between UNIX and Linux clients and the server, be aware that a restore through ZMC back to the UNIX or Linux client is not performed over SSH; the data is sent unencrypted via TCP.

Configuring the Amanda Server to Use SSH Authentication

In order to configure all backup objects of all UNIX and Linux clients of all backup sets to use SSH, edit the file:

/etc/zmanda/zmc/zmc_aee/zmc_user_dumptypes on the backup server and uncomment the line (remove the # sign from the beginning of the line) that reads "#zmc_ssh_auth # uncomment this line to enable SSH authentication for all *nix DLEs" in the zmc_nixglobal_base dumptype section. After the edit, the section should look like this:

# All ZMC non-Windows DLEs inherit from this dumptype:
define dumptype zmc_nixglobal_base {
    zmc_global_base
    client_encrypt "/usr/sbin/amcryptsimple"
    client_decrypt_option "-d"
    zmc_ssh_auth # uncomment this line to enable SSH authentication for all *nix DLEs
    # adding things here will affect all non-Windows ZMC DLEs
}

Save the file. This changes the authentication and transfer method from bsdtcp to SSH for secure data transfer between the Amanda server and all UNIX and Linux clients in every backup set. SSH public key authentication must be set up for the amandabackup user between the Amanda server and all clients configured to use SSH as per the next section.

Configuring SSH public key authentication between the Amanda server and UNIX and Linux clients

In the amandabackup user's SSH directory (/var/lib/amanda/.ssh), SSH keys have already been created. Move or copy both the private and public keys created for use by amdump to standard SSH public key names in the amandabackup user's SSH directory on the Amanda server:

cp -p /var/lib/amanda/.ssh/id_rsa_amdump /var/lib/amanda/.ssh/id_rsa
cp -p /var/lib/amanda/.ssh/id_rsa_amdump.pub /var/lib/amanda/.ssh/id_rsa.pub

If the ssh-copy-id command is available, setting up SSH public key authentication of a remote client is as easy as running the below command as the amandabackup user where ultra2.zmanda.com is the name of the remote client:

ssh-copy-id -i ~/.ssh/id_rsa.pub amandabackup@ultra2.zmanda.com

If the ssh-copy-id command is not available, the contents of the amandabackup user's public SSH key, /var/lib/amanda/.ssh/id_rsa.pub, must be appended to the /var/lib/amanda/.ssh/authorized_keys file on the remote Zmanda Linux/Mac/Solaris Client host. If this file does not already exist, it should be created, and permissions set to owner permissions only (600).
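The manual append described above can be scripted so that it is repeatable and cannot install the wrong file. This is an added example, not part of the original article or of Zmanda's tooling; the helper name install_pubkey, the /tmp path in its usage comment, and the 700 mode on the .ssh directory are assumptions.

```shell
#!/bin/sh
# Added example (not Zmanda tooling). install_pubkey is a hypothetical helper:
#   install_pubkey <public-key-file> <client .ssh directory>
# Run on the client as amandabackup after copying the server's public key over:
#   install_pubkey /tmp/id_rsa.pub /var/lib/amanda/.ssh

# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"
    # One line of "<type> <base64> [comment]"; a private key file never matches.
    pat='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; exit 1; }
    n=$(grep -cE "$pat" "$pubkey_file") || true
    [ "$n" = 1 ] || { echo "$pubkey_file: expected exactly one public key line" >&2; exit 1; }
    key_line=$(grep -E "$pat" "$pubkey_file")

    # New files get owner-only modes from the moment they exist.
    umask 077
    mkdir -p "$ssh_dir" && touch "$auth_file" || exit 1

    # Append only when the exact line is absent, so reruns do not duplicate it.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        # Keep the new key on its own line if the file lacks a final newline.
        if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
            echo >> "$auth_file"
        fi
        printf '%s\n' "$key_line" >> "$auth_file" || exit 1
    fi

    # 600 on the file is the article's requirement; 700 on the directory is an
    # added assumption matching what sshd's default StrictModes check expects.
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
)
```

Passing the private key (id_rsa) by mistake is rejected before anything is written, and an existing authorized_keys file with looser permissions is tightened to 600.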

Confirm that you can run a command on the remote system as the amandabackup user via SSH:

ssh amandabackup@ultra2.zmanda.com ls

A successful result returns a listing of the amandabackup user's home directory on the ultra2.zmanda.com client host without prompting for a password. If SSH reports an error, the issue must be debugged until the above command runs without an error and without a password being provided.