
Amanda 2.2 - KERBEROS v4 SUPPORT NOTES

0. GETTING THE SOURCE FILES

The Kerberos-related Amanda source code is available in a separate,
export-restricted package.  US sites can follow the instructions in
KERBEROS.HOW-TO-GET on ftp.cs.umd.edu in the amanda directory.

1. COMPILATION

Read the comments in options.h-vanilla for how to configure the Kerberos
version:

/*
 * KRB4_SECURITY selects MIT Kerberos version 4 style security, which is
 * significantly better than BSD_SECURITY, providing for mutual
 * authentication and (optionally) encryption of backup data over the
 * network.  Both BSD_SECURITY and KRB4_SECURITY may be defined at the same
 * time: the type of security to be used can be selected on a per-client-host
 * basis (in the disklist file).
 */
#undef KRB4_SECURITY

#ifdef KRB4_SECURITY
/*
 * If you turn on KRB4_SECURITY, you must set all these options below.
 *
 * You can set the principal, instance, and keyfile to use separately for
 * both the client and server.
 *
 * The instance can either be a string constant, or `HOSTNAME_INSTANCE' if
 * you want the local hostname used as the instance (ala krb_get_phost).
 *
 * The keyfile name can be either a string constant, or `KEYFILE' to use the
 * default keyfile defined in <krb.h>.
 */
#  define SERVER_HOST_PRINCIPLE "amanda"
#  define SERVER_HOST_INSTANCE  "amanda"
#  define SERVER_HOST_KEY_FILE  "/.amanda"

#  define CLIENT_HOST_PRINCIPLE "rcmd"
#  define CLIENT_HOST_INSTANCE  HOSTNAME_INSTANCE
#  define CLIENT_HOST_KEY_FILE  KEYFILE

#  define TICKET_LIFETIME       128

/*
 * Add Kerberos include directories and libraries to the compiler command
 * line.  Customize these for your site.
 */
#  define MK_KRB4INC -I/local/athena/include
#  define MK_KRB4LIB -L/local/athena/lib -lkrb -ldes

#endif /* KRB4_SECURITY */

2. INSTALLATION

The kerberized Amanda service uses a different port on the client hosts.
The /etc/services line is:

    kamanda      10081/udp

And the /etc/inetd.conf line is:

    kamanda dgram udp wait bin /usr/local/libexec/amanda/amandad amandad -krb4
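
The following check is an added example, not part of the Amanda
distribution.  It verifies that a services file and an inetd.conf file
carry the kamanda entries shown above; the function names and the sample
files it builds are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the Amanda distribution.

# check_services FILE: succeed if FILE maps kamanda to 10081/udp.
check_services() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == "kamanda" && $2 == "10081/udp" { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# check_inetd FILE: succeed if FILE has a kamanda entry that is
# dgram/udp/wait and passes -krb4 to amandad (field 7 is argv[0]).
check_inetd() {
    awk '
        { sub(/#.*/, "") }
        $1 == "kamanda" && $2 == "dgram" && $3 == "udp" && $4 == "wait" {
            for (i = 8; i <= NF; i++) if ($i == "-krb4") ok = 1
        }
        END { exit !ok }
    ' "$1"
}

# check_kamanda SERVICES INETD: report each file, return the failure count.
check_kamanda() {
    fails=0
    if check_services "$1"; then echo "ok   $1: kamanda 10081/udp"
    else echo "FAIL $1: no kamanda 10081/udp entry"; fails=$((fails + 1)); fi
    if check_inetd "$2"; then echo "ok   $2: kamanda runs amandad -krb4"
    else echo "FAIL $2: no dgram/udp/wait kamanda entry with -krb4"
         fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample files: a correct pair, then an inetd line that
# lost its -krb4 argument.
tmp=$(mktemp -d)
printf '# sample\nkamanda      10081/udp\n' > "$tmp/services"
printf 'kamanda dgram udp wait bin /usr/local/libexec/amanda/amandad amandad -krb4\n' > "$tmp/inetd.good"
printf 'kamanda dgram udp wait bin /usr/local/libexec/amanda/amandad amandad\n' > "$tmp/inetd.bad"
check_kamanda "$tmp/services" "$tmp/inetd.good"
check_kamanda "$tmp/services" "$tmp/inetd.bad" || echo "(rejected as expected)"
rm -rf "$tmp"
```

On a client host, call check_kamanda /etc/services /etc/inetd.conf
instead of the sample files.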


3. CONF FILE

With KRB4_SECURITY defined, there are two new dumptype options:

	krb4-auth	use krb4 auth for this host 
			(you can mingle krb hosts & bsd .rhosts in one conf)
	kencrypt	encrypt this filesystem over the net using the krb4
			session key.  About 2x slower.  Good for those root
			partitions containing your keyfiles.  Don't want to
			give away the keys to an ethernet sniffer!
