How to enable SSH authentication in Amanda Enterprise

This article is for Amanda Enterprise (AE)

Amanda Enterprise uses “bsdtcp” as the default authentication mechanism for all backup objects configured in the Zmanda Management Console (ZMC) on the Backup | What page.  If you prefer to have all data encrypted in transit between the Amanda server and its UNIX and Linux clients, you can use the SSH authentication method with those clients instead.  Please be aware that a restore through ZMC back to a UNIX or Linux client is not performed over SSH; the data is sent unencrypted via TCP.

Configuring the Amanda Server to use SSH Authentication

To configure all backup objects of all UNIX and Linux clients in all backup sets to use SSH, edit the file /etc/zmanda/zmc/zmc_aee/zmc_user_dumptypes on the backup server and uncomment the line (remove the # sign from the beginning of the line) that reads “#zmc_ssh_auth # uncomment this line to enable SSH authentication for all *nix DLEs” in the zmc_nixglobal_base dumptype section.  After the edit, the section should look like this:

# All ZMC non-Windows DLEs inherit from this dumptype:
define dumptype zmc_nixglobal_base {
        zmc_global_base
        client_encrypt "/usr/sbin/amcryptsimple"
        client_decrypt_option "-d"
        zmc_ssh_auth # uncomment this line to enable SSH authentication for all *nix DLEs
        # adding things here will affect all non-Windows ZMC DLEs
}

Save the file.  This changes the authentication and transfer method from bsdtcp to SSH for secure data transfer between the Amanda server and all UNIX and Linux clients in every backup set.  If you wish to enable SSH authentication and data transfer for only certain backup sets or hosts, please see How to Perform Backups and Restores through SSH.  SSH public key authentication must be set up for the amandabackup user between the Amanda server and all clients configured to use SSH, as described in the next section.

Configuring SSH public key authentication between the Amanda server and UNIX and Linux clients

SSH keys have already been created in the amandabackup user’s SSH directory (/var/lib/amanda/.ssh).  Move or copy both the private and public keys created for use by amdump to the standard SSH key file names in the amandabackup user’s SSH directory on the Amanda server:

cp -p /var/lib/amanda/.ssh/id_rsa_amdump /var/lib/amanda/.ssh/id_rsa
cp -p /var/lib/amanda/.ssh/id_rsa_amdump.pub /var/lib/amanda/.ssh/id_rsa.pub

If the ssh-copy-id command is available, setting up SSH public key authentication of a remote client is as easy as running the below command as the amandabackup user where ultra2.zmanda.com is the name of the remote client:

ssh-copy-id amandabackup@ultra2.zmanda.com

If the ssh-copy-id command is not available, the contents of the amandabackup user’s public SSH key, /var/lib/amanda/.ssh/id_rsa.pub, must be appended to the /var/lib/amanda/.ssh/authorized_keys file on the remote Zmanda Linux/Mac/Solaris Client host.  If this file does not already exist, it should be created with its permissions set to owner-only (600).

Confirm that you can run a command on the remote system as the amandabackup user via SSH:

ssh amandabackup@ultra2.zmanda.com ls

A successful result returns a listing of the amandabackup user’s home directory on the ultra2.zmanda.com client host without prompting for a password.  If SSH reports an error, the issue must be debugged until the above command runs without an error and without a password being requested.
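
The manual key installation and the login check described above can be scripted as follows.  This is an added example, not part of the original article or of Amanda Enterprise; the function names are assumptions, and the 700 mode on the .ssh directory is an addition beyond the 600 file mode the article specifies.

```shell
#!/bin/sh
# Added example (not Zmanda code). Function names are hypothetical.

# install_pubkey PUBKEY_FILE [SSH_DIR]
# Run on the CLIENT as amandabackup, after copying the server's id_rsa.pub over.
# Appends the key to SSH_DIR/authorized_keys exactly once, with owner-only modes.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-/var/lib/amanda/.ssh}
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # Use only the first line; tolerate a missing trailing newline.
    IFS= read -r key < "$pubkey_file" || [ -n "$key" ] || return 1

    # Refuse anything that is not a public key line, e.g. the private key
    # file id_rsa picked up by mistake instead of id_rsa.pub.
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Create the directory and file so they are never group/world accessible.
    ( umask 077
      mkdir -p "$ssh_dir" && { [ -e "$auth_file" ] || : > "$auth_file"; }
    ) || return 1
    # sshd's default StrictModes check ignores authorized_keys when the file
    # or its directory is writable by anyone but the owner.
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Idempotent: append only when this exact line is not already present.
    grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
}

# check_key_login HOST
# Run on the SERVER as amandabackup. BatchMode=yes disables password and
# passphrase prompts, so this succeeds only when key authentication works.
# It also fails if the client's host key is not yet in known_hosts.
check_key_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "amandabackup@$1" true
}

# Usage:
#   client$ install_pubkey /tmp/id_rsa.pub
#   server$ check_key_login ultra2.zmanda.com && echo "key login OK"
```

Because check_key_login never prompts, a failure here identifies clients where amdump would also be unable to authenticate unattended.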