
Thread: Issues with SSH auth, custom port and NAT network

  1. #1
    Join Date
    Jan 2015
    Posts
    4

    Issues with SSH auth, custom port and NAT network

    Hi,

    I'm opening this thread to explain the problems we faced during the setup of our backup strategy.
    I hope some Amanda hacker will be able to guide us to improve it and maybe enlighten us about some obscure, frustrating Amanda behavior...

    Our current infrastructure:

    We have nodes (Proxmox) on physical hosts and several OpenVZ containers hosted on them.
    The node domain is an A entry and each container has a canonical name (CNAME) pointing to this node domain.
    Also, the firewall on the node binds custom ports to each container's SSH port.

    Code:
    - node01.foo.bar (A 120.1.1.1)
      - host01.foo.bar (CNAME node01.foo.bar) - SSH port: 1234
      - host02.foo.bar (CNAME node01.foo.bar) - SSH port: 2345
      ...
    - node02.foo.bar (A 120.1.1.2)
      - host03.foo.bar (CNAME node02.foo.bar) - SSH port: 1234
      - host04.foo.bar (CNAME node02.foo.bar) - SSH port: 2345
      ...
    - Amanda is configured with the SSH auth to simplify the setup and to avoid custom port configuration specifically for Amanda
    - We have 6 nodes and more than 80 hosts, with much the same folder structure to back up on them; all are configured with Ansible

    Reverse DNS resolution

    Problem:

    For SSH connections, Amanda resolves the reverse DNS domain for each host, and tries to connect with the node domain + custom port instead of the host canonical domain name + custom port.
    Even if it's possible, it's quite hard to auto-configure the known_hosts for SSH with a configuration tool like Ansible.

    Solution:

    disable the strict host key check in SSH client config:
    Code:
    Host *
        StrictHostKeyChecking no
    Not nice; do I have a choice?...

    Comment:

    I don't really get the idea described in the doc about reverse DNS resolution (wiki.zmanda.com/index.php/Selfcheck_request_failed#Failing_DNS_service): why is it less secure to use the canonical name?
    I mean, of course DNS is weak, but we still need a public/private key to establish the connection, so even if DNS records are corrupted, it doesn't affect the SSH security based on asymmetric keys...
    From what I understand, this security issue may affect other authentication strategies, but not SSH...

    Custom SSH port

    Problem:

    According to the doc (wiki.zmanda.com/index.php/How_To:Set_up_transport_encryption_with_SSH#Non-Standard_SSH_Port), we should be able to configure a custom SSH port with the SSH client config.

    It can't work in my case, because Amanda will always try to do its reverse DNS resolution stuff... then my SSH config will never be used.
    For example, Amanda will use node01.foo.bar instead of host01.foo.bar, so how can I do the SSH client config for each node01 host?

    Also notice that, even if I was able to use an SSH config, if no client-port is specified in the dumptype, Amanda will add the option "-p 22" automatically, overriding any SSH config...

    Solution:

    Specify the client-port for each DLE... like this:
    Code:
    host01.foo.bar data /foo/bar {
        my-dumptype
        client-port 1234
    }
    host02.foo.bar data /foo/bar {
        my-dumptype
        client-port 2345
    }
    Comment:

    I can't run an "amdump <config-folder>"; I have to specify each host to make it work.
    I get this issue only when 2 hosts have the same domain at reverse DNS resolution (like in the example above...), but it's always the case with our infrastructure.


    Issues summary

    - reverse DNS resolution is evil (at least with SSH Auth mode) and breaks many parts of what should be a flexible architecture
    - custom port configuration is weak on Amanda, can't use SSH config
    - client-port is not fully supported, we can't have diff ssh port configured and run the dump on all DLE if hosts are located on the same node (same reverse DNS resolution...)


    Is there any way to disable the Amanda reverse DNS resolution?
    It would solve most of our current problems without affecting the security...

  2. #2
    Join Date
    Nov 2005
    Location
    Canada
    Posts
    1,049


    You are right, DNS validation is not required for ssh auth, but there is no way to disable it.
    The attached patch should fix it, but it requires a compilation.

    Can you try it?

    The '-p 22' is not added in newer releases; upgrade to the latest 3.3.X.
    Attached Files

  3. #3
    Join Date
    Jan 2015
    Posts
    4


    Thanks for your quick and efficient answer @martineau!

    It works like a charm, now I can have this SSH config:

    Code:
    Host host01
      HostName host01.foo.bar
      Port 1234
    Host host02
      HostName host02.foo.bar
      Port 2345
    And then, define my DLE like this:

    Code:
    host01 data /foo/bar my-dumptype
    host02 data /foo/bar my-dumptype
    Your patch fixed all the issues we had, even this one: "we can't have diff ssh port configured and run the dump on all DLE if hosts are located on the same node", which was also something confusing for me (and Amanda maybe); it seems that running "amdump <config> <host>" for each host with a cron is not correct...

    It would be perfect if it were included inside the source code without any patch, like automatically disabling the reverse DNS lookup when auth=ssh.

    I created an issue on github (github.com/zmanda/amanda/issues/63) about that, hope this suggestion can be implemented.

    Thanks again!
    Last edited by zazabe; February 3rd, 2015 at 10:00 PM.
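The failure described in post #1 (reverse DNS collapses every container on a node to the node name, so the per-host SSH config and its Port are never used) and the working setup from post #3 (DLE alias selects the ssh_config stanza directly), as an added example that is not part of the thread and is not Amanda's own code. The zone table, the search domain `foo.bar`, the ssh_config text (post #3's stanzas, extended with the FQDN as a second pattern), the simplified ssh_config parser, and the `plan()` function that models Amanda's behaviour as the posts describe it are all constructed for this illustration.

```python
# Added example, not code from the thread or from the Amanda project. It
# models the behaviour the posts describe: a forward-then-reverse DNS lookup
# collapses every container on a node to the node's name, so a per-host
# ssh_config stanza (with its Port) is never matched; with the lookup off,
# the DLE alias selects the stanza directly. All zone data, hostnames,
# addresses and ports are constructed from the thread's own example.

SEARCH_DOMAIN = "foo.bar"  # constructed resolver search domain for short names

# Constructed zone data: two containers per node, each a CNAME to the node's
# A record, plus one PTR per node address (the layout from post #1).
CNAME = {"host01.foo.bar": "node01.foo.bar", "host02.foo.bar": "node01.foo.bar",
         "host03.foo.bar": "node02.foo.bar", "host04.foo.bar": "node02.foo.bar"}
A = {"node01.foo.bar": "120.1.1.1", "node02.foo.bar": "120.1.1.2"}
PTR = {"120.1.1.1": "node01.foo.bar", "120.1.1.2": "node02.foo.bar"}

# The per-host SSH client config from post #3, with the FQDN added as a
# second Host pattern so either spelling of the DLE host matches.
SSH_CONFIG = """\
Host host01 host01.foo.bar
  HostName host01.foo.bar
  Port 1234
Host host02 host02.foo.bar
  HostName host02.foo.bar
  Port 2345
"""


def resolve(name):
    """Forward lookup: qualify a short name, follow CNAMEs, return the address."""
    if "." not in name:
        name = "%s.%s" % (name, SEARCH_DOMAIN)
    seen = set()
    while name in CNAME:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = CNAME[name]
    return A[name]


def canonicalize(name):
    """Forward lookup followed by a PTR lookup, i.e. the reverse-DNS
    'validation' the thread complains about. Every container behind the
    same node address comes back as the node name."""
    return PTR[resolve(name)]


def parse_ssh_config(text):
    """Minimal ssh_config parser: Host pattern(s) -> {hostname, port}.
    Handles only literal patterns and the keywords used in the thread;
    as in OpenSSH, the first matching stanza wins."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = {}
            for pattern in value.split():
                stanzas.setdefault(pattern, current)
        elif current is not None:
            current[key] = value
    return stanzas


def ssh_target(alias, stanzas):
    """(host, port) the SSH client would connect to for an alias; an alias
    with no stanza falls through to the OpenSSH defaults (alias itself, 22)."""
    stanza = stanzas.get(alias, {})
    return stanza.get("hostname", alias), int(stanza.get("port", 22))


def known_hosts_key(host, port):
    """Name OpenSSH matches against known_hosts: the bare host on port 22,
    '[host]:port' on any other port. Pre-seeding this entry is the
    alternative to 'StrictHostKeyChecking no'."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def plan(dle_host, stanzas, reverse_lookup):
    """Simulate choosing the SSH target for one DLE host. reverse_lookup=True
    models the unpatched behaviour from post #1, False the patched one."""
    name = canonicalize(dle_host) if reverse_lookup else dle_host
    host, port = ssh_target(name, stanzas)
    return host, port, known_hosts_key(host, port)


if __name__ == "__main__":
    cfg = parse_ssh_config(SSH_CONFIG)
    for dle in ("host01", "host02"):
        print(dle, "reverse lookup on: ", plan(dle, cfg, True))
        print(dle, "reverse lookup off:", plan(dle, cfg, False))
```

With the reverse lookup on, both DLEs resolve to `node01.foo.bar` on port 22 (the "-p 22" override from post #1 plus the lost stanza); with it off, each DLE gets its own HostName and Port. The `[host]:port` string returned alongside is the known_hosts entry the client will look up for a non-default port, which is also the form `ssh-keyscan -p 1234 host01.foo.bar` prints, so those lines can be pushed to the Amanda server by Ansible and StrictHostKeyChecking left enabled.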

  4. #4
    Join Date
    Nov 2005
    Location
    Canada
    Posts
    1,049


    Thanks for reporting the result of the patch.

    The patch is committed.
