Client SSH Error

[Wookie]

Hi guys,

I'm having some trouble getting amanda to work with network clients using SSH as the authentication method. The server will back up locally just fine but after adding a remote host to the disklist I keep getting this error from amcheck:

"WARNING: amanda-client.localdomain: selfcheck request failed: EOF on read from amanda-client.localdomain
Client check: 2 hosts checked in 5.307 seconds. 1 problem found."

To set it all up I followed the guides on the amanda wiki for setting up amanda to backup remote hosts, and when I SSH to the client from the server using "ssh -i /etc/amanda/MyConfig/ssh-key [email][email protected][/email]omain" (as specified in the wiki) it works fine and I get a shell. I have a feeling this issue is something to do with amanda pointing to the wrong user but I have that specified in amanda.conf.

I'm running amanda-server 3.3.6 on Ubuntu Server 12.04 and amanda-client 3.3.6 on Ubuntu Desktop 12.04.

The the dumptypes I am using in amanda.conf are:

define dumptype global {
comment "Global settings"
index yes
record yes
}

define dumptype remote {
comment "global ssh settings"
auth "ssh"
ssh_keys "/etc/amanda/MyConfig/ssh-key"
client_username "client"
}

define dumptype user-tar {
global
root-tar
comment "user partitions dumpded with tar"
}

define dumptype user-tar-remote {
user-tar
remote
comment "User partitions dumped with tar for network client"
}

the disklist entry is:

amanda-client.localdomain /home/client/Documents user-tar-remote

If anyone knows what I have done wrong or can point out something I've missed it would be greatly appreciated,
Thanks!

[martineau]

Look for the ssh command in the amcheck.*.debug file and run it from the command line.
What's in the amandad debug file on the client?

[Wookie]

Hi thanks for the reply

In the amcheck debug file it has this as the command:

exec: /usr/bin/ssh -x -o BatchMode=yes -o PreferredAuthentications=publickey -l client -i /etc/amanda/MyConfig/ssh-key amanda-client.localdomain /usr/libexec/amanda/amandad -auth=ssh

(fyi: "amanda-client.localdomain" is the FQDN for the client and the username is "client", both the server and the client are VM's running on a local domain)

Here is the contents of the amandad debug file on the client.

Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: pid 6010 ruid 63998 euid 63998 version 3.3.6: start at Wed Jul 16 01:47:25 2014
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: security_getdriver(name=bsdtcp) returns 0x7fd00b066980
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: version 3.3.6
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: build: VERSION="Amanda-3.3.6"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: BUILT_DATE="Tue Jul 8 14:13:30 PDT 2014" BUILT_MACH=""
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: BUILT_REV="5807" BUILT_BRANCH="tags"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: CC="x86_64-linux-gnu-gcc"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: paths: bindir="/usr/bin" sbindir="/usr/sbin"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: libexecdir="/usr/libexec"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: amlibexecdir="/usr/libexec/amanda" mandir="/usr/share/man"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: AMANDA_TMPDIR="/tmp/amanda"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: AMANDA_DBGDIR="/var/log/amanda" CONFIG_DIR="/etc/amanda"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: DEV_PREFIX="/dev/" RDEV_PREFIX="/dev/" DUMP="/sbin/dump"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: RESTORE="/sbin/restore" VDUMP=UNDEF VRESTORE=UNDEF
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: XFSDUMP="/sbin/xfsdump" XFSRESTORE="/sbin/xfsrestore"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: VXDUMP=UNDEF VXRESTORE=UNDEF
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: SAMBA_CLIENT="/usr/bin/smbclient" GNUTAR="/bin/tar"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: COMPRESS_PATH="/bin/gzip" UNCOMPRESS_PATH="/bin/gzip"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: LPRCMD=UNDEF MAILER=UNDEF
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: listed_incr_dir="/var/lib/amanda/gnutar-lists"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: defs: DEFAULT_SERVER="localhost" DEFAULT_CONFIG="DailySet1"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: DEFAULT_TAPE_SERVER="localhost" DEFAULT_TAPE_DEVICE=""
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: NEED_STRSTR AMFLOCK_POSIX AMFLOCK_FLOCK AMFLOCK_LOCKF
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: AMFLOCK_LNLOCK SETPGRP_VOID ASSERTIONS AMANDA_DEBUG_DAYS=4
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: BSD_SECURITY USE_AMANDAHOSTS CLIENT_LOGIN="amandabackup"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: CHECK_USERID HAVE_GZIP COMPRESS_SUFFIX=".gz"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: COMPRESS_FAST_OPT="--fast" COMPRESS_BEST_OPT="--best"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: UNCOMPRESS_OPT="-dc"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: CONFIGURE_ARGS=" 'MAKEFLAGS=-j1 ' 'CFLAGS=-pipe ' 'MAILER=/usr/bin/mail' '--enable-as-needed' '--host=x86_64-linux-gnu' '--build=x86_64-linux-gnu' '--prefix=/usr' '--bindir=/usr/bin' '--mandir=/usr/share/man' '--libexecdir=/usr/libexec' '--enable-shared' '--sysconfdir=/etc' '--localstatedir=/var' '--with-amdatadir=/var/lib/amanda' '--with-gnutar-listdir=/var/lib/amanda/gnutar-lists' '--with-index-server=localhost' '--with-tape-server=localhost' '--with-user=amandabackup' '--with-group=disk' '--with-fqdn' '--with-bsd-security' '--with-bsdtcp-security' '--with-bsdudp-security' '--with-amandahosts' '--with-smbclient=/usr/bin/smbclient' '--with-debugging=/var/log/amanda' '--with-ssh-security' '--with-assertions' '--enable-s3-device' '--disable-installperms' 'build_alias=x86_64-linux-gnu' 'host_alias=x86_64-linux-gnu' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'"
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: security_handleinit(handle=0x25212e0, driver=0x7fd00b066980 (BSDTCP))
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: security_streaminit(stream=0x2521490, driver=0x7fd00b066980 (BSDTCP))
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: authenticated peer name is 'localhost'
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: accept recv REQ pkt:
<<<<<
SERVICE amindexd
OPTIONS features=ffffffff9efefbffffffffff3f;auth=bsdtcp;
>>>>>
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: amindexd: invalid service
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: sending NAK pkt:
<<<<<
ERROR amindexd: invalid service, add 'amindexd' as argument to amandad
>>>>>
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: tcpm_send_token: data is still flowing
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: security_close(handle=0x25212e0, driver=0x7fd00b066980 (BSDTCP))
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: security_stream_close(0x2521490)
Wed Jul 16 01:47:25 2014: thd-0x2516400: amandad: pid 6010 finish time Wed Jul 16 01:47:25 2014

Looks like amindexd is the problem, but not sure what to do with it exactly. Any ideas?

[martineau]

To enhance security, you must put the amandad argument in the authorized_keys file.
This ssh_keys must be used only to run amandad

Look at [url]http://wiki.zmanda.com/index.php/How_To:Set_up_transport_encryption_with_SSH[/url], the following text:

For client connections to the server, reverse the process -- put the public key (the same key or a new one -- your choice) on the clients, and the public key in the server's ~/.ssh/authorized_keys file. Prefix the authorized_keys line with:

from="amanda_client.your.domain.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/absolute/path/to/amandad -auth=ssh amindexd amidxtaped"

You can omit the from=.. option if you have too many clients to list, although this has obvious security implications.

[Wookie]

Thanks again for the reply, sorry this one is so late I have been on holiday.

After adding that to my authorized_keys file I am still getting the EOF error from amcheck. My authorized_keys file contains:

ssh-rsa **RSA KEY** [email protected] from="amanda-server2.localdomain",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/libexec/amanda/amandad -auth=ssh amdump

The ssh command displayed in the debug work perfectly outside of amanda, so it should work when running amanda? Is the problem not the SSH authentication?

[martineau]

Do amandad is executed? Check in system log and/or if the amandad debug file is created.

[kanita]

Wow, lots of great info in there [url=http://www.pass4-sure.biz]http://pass4-sure.biz/[/url] . Thanks for taking your time to do that.