Amanda 2.4.0 - KERBEROS v4 SUPPORT NOTES

Note that Kerberos 5 isn't supported. [yet]

NOTE: encrypted dumps are rumored not to work in the 2.4.0b4 beta
release of Amanda. Hopefully they'll be fixed by the 2.4.0 full release.

0. GETTING THE SOURCE FILES

The Kerberos-related Amanda source code is available in a separate,
export restricted, package. US sites can follow the instructions in
KERBEROS.HOW-TO-GET on ftp.amanda.org in the /pub/amanda directory.

1. CONFIGURATION

The configure script defaults to:

    # define SERVER_HOST_PRINCIPLE "amanda"
    # define SERVER_HOST_INSTANCE  ""
    # define SERVER_HOST_KEY_FILE  "/.amanda"
    # define CLIENT_HOST_PRINCIPLE "rcmd"
    # define CLIENT_HOST_INSTANCE  HOSTNAME_INSTANCE
    # define CLIENT_HOST_KEY_FILE  KEYFILE
    # define TICKET_LIFETIME       128

You can override these with configure options if you so desire, with:

    --with-server-principal=ARG   server host principal [amanda]
    --with-server-instance=ARG    server host instance []
    --with-server-keyfile=ARG     server host key file [/.amanda]
    --with-client-principal=ARG   client host principal [rcmd]
    --with-client-instance=ARG    client host instance [HOSTNAME_INSTANCE]
    --with-client-keyfile=ARG     client host key file [KEYFILE]
    --with-ticket-lifetime=ARG    ticket lifetime [128]

The configure script will automatically include Kerberos if you followed
the directions in step 0. It'll search under /usr/kerberos/lib,
/usr/cygnus/lib, /usr/lib, and /opt/kerberos/lib (in that order) for
libkrb.a. If it finds the Kerberos bits, Kerberos support will be added
in; if it doesn't, it won't.

If the Kerberos bits are found under some other hierarchy, you can
specify this via --with-krb4=DIR, where DIR is where the Kerberos bits
live. It'll look under the 'lib' directory under this hierarchy for
libkrb.a.

2. INSTALLATION

The kerberized Amanda service uses a different port on the client hosts.
The /etc/services line is:

    kamanda 10081/udp

And the /etc/inetd.conf line is:

    kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -krb4

Note that you're running this as root, rather than as your dump user.
Amanda will set its uid down to the dump user at times it doesn't need
to read the srvtab file, and give up root permissions entirely before it
goes off and runs dump. Alternately you can change your srvtab files to
be readable by user amanda.

3. CONF FILE

With KRB4_SECURITY defined, there are two new dumptype options:

    krb4-auth   use krb4 auth for this host
                (you can mingle krb hosts & bsd .rhosts in one conf)

    kencrypt    encrypt this filesystem over the net using the krb4
                session key. About 2x slower. Good for those root
                partitions containing your keyfiles. Don't want to give
                away the keys to an ethernet sniffer!
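
A check for the client setup from section 2, as an added example that is not part of the Amanda distribution: it verifies the kamanda entries in copies of /etc/services and /etc/inetd.conf and checks the key file's mode. The function names are hypothetical, the sample files are constructed, and the rule that the key file carries no group or other permission bits is this example's assumption, following the notes' concern about exposing keys.

```shell
#!/bin/sh
# Added example: audit a client for the kamanda entries these notes describe.
# Paths are arguments so the audit can run against copies of the system files.

# Succeeds if FILE has an uncommented "kamanda 10081/udp" service entry.
check_services() {
    awk '{ sub(/#.*/, "") }
         $1 == "kamanda" && $2 == "10081/udp" { ok = 1 }
         END { exit !ok }' "$1"
}

# Succeeds if FILE has the kamanda inetd entry: dgram/udp/wait, root, -krb4.
check_inetd() {
    awk '{ sub(/#.*/, "") }
         $1 == "kamanda" && $2 == "dgram" && $3 == "udp" &&
         $4 == "wait" && $5 == "root" {
             for (i = 7; i <= NF; i++) if ($i == "-krb4") ok = 1
         }
         END { exit !ok }' "$1"
}

# Succeeds if the key file exists with no group/other permission bits
# (assumption of this example: only the owner may touch the key file).
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit SERVICES INETD_CONF KEYFILE: prints findings, returns failure count.
audit() {
    fails=0
    check_services "$1" || { echo "missing: kamanda 10081/udp in $1"; fails=$((fails + 1)); }
    check_inetd "$2" || { echo "missing: root amandad -krb4 entry in $2"; fails=$((fails + 1)); }
    check_keyfile "$3" || { echo "key file $3 absent or open to group/other"; fails=$((fails + 1)); }
    return "$fails"
}

# Demo on constructed copies (not the real system files).
d=$(mktemp -d)
printf 'kamanda 10081/udp\n' > "$d/services"
printf 'kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -krb4\n' > "$d/inetd.conf"
: > "$d/srvtab"; chmod 600 "$d/srvtab"
audit "$d/services" "$d/inetd.conf" "$d/srvtab" && echo "kamanda client config OK"
rm -rf "$d"
```

If the srvtab is made readable by the dump user through group membership, as section 2 allows, check_keyfile will flag it and the rule needs loosening to match.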