-
- Novice
- Posts: 3
- Liked: 3 times
- Joined: Sep 03, 2024 4:02 am
- Contact:
VBR & Proxmox (root?)
Hello,
I see people saying that a user with root privileges is required when you set up VBR and Proxmox. This indicates that you should (possibly?) be able to set up a different user, say veeambackup, and use that. But I have yet to be able to do that.
I haven't tested a UID0 yet, because that's just bad practice.
So, question is, is the root user absolutely necessary? Or is there another way?
-
- Veeam Software
- Posts: 422
- Liked: 88 times
- Joined: Jul 03, 2023 12:44 pm
- Full Name: Rovshan Pashayev
- Location: Czechia
- Contact:
Re: VBR & Proxmox (root?)
Hello,
Yes, root user is necessary.
Rovshan Pashayev
Analyst
Veeam Agent for Linux, Mac, AIX & Solaris
-
- Novice
- Posts: 3
- Liked: 3 times
- Joined: Sep 03, 2024 4:02 am
- Contact:
Re: VBR & Proxmox (root?)
Hello,
Nobody sees a security concern with using root and requiring it as SSH? Shouldn't this be implemented as another username (self-selected) and then utilizing something like sudo?
Using root hasn't been a good idea for decades?
I am a little confused by this decision.
-
- Product Manager
- Posts: 6535
- Liked: 762 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: VBR & Proxmox (root?)
Hi,
We, too, would prefer to use a non-root account, and we are working towards resolving this situation.
One of the reasons why it works that way is that we interact with PVE via its API. As a result, things that we can or cannot do with the host under a certain account depend on the platform API's capabilities.
Besides, a service that is capable of doing all the stuff that is required to perform a proper backup is by definition already mighty enough to wreak havoc if compromised (even without root privileges).
Thanks!
-
- Lurker
- Posts: 2
- Liked: 4 times
- Joined: Dec 05, 2019 9:58 am
- Full Name: Matt Hydras
- Contact:
Re: VBR & Proxmox (root?)
Hello PTide,
In fact I have met the same "problem" as rjoensen because I am trying to implement the same security as him.
As I understand it, the use of the root user is due to some restrictions in the Proxmox API rather than the Veeam BR solution, is that it?
BR
Matt
-
- Chief Product Officer
- Posts: 31712
- Liked: 7217 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: VBR & Proxmox (root?)
No, it's purely due to lack of time in the extremely short release cycle we had for v1. We will add support for specifying other accounts with sudo for required operations in the future updates.
-
- Novice
- Posts: 3
- Liked: 3 times
- Joined: Sep 03, 2024 4:02 am
- Contact:
Re: VBR & Proxmox (root?)
> Besides, a service that is capable of doing all the stuff that is required to perform a proper backup is by definition already mighty enough to wreak havoc if compromised (even without root privileges).
This is also a concern that you have to be vigilant about, but, my concern is more related to using the "root" user. Veeam uses SSH, so you have to enable password auth if you want this to work, where you might have previously disabled password for root or password entirely for SSH.
> No, it's purely due to lack of time in the extremely short release cycle we had for v1. We will add support for specifying other accounts with sudo for required operations in the future updates.
I was hoping that this was the case and thank you for confirming it. Super happy to hear that there are intentions to make this more secure. I was worried though, because if I remember correctly, when you used ESXi, you had to also use the root user, it wasn't until you had vCenter as well where you could use a different user.
Cheers,
Ragnar
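The exposure raised in the post above (password authentication for root over SSH) can be checked against an `sshd_config`. The following is an added example, not part of the original thread and not Veeam or Proxmox code: it evaluates whether root password login is reachable from a given client address, modeling only the `Match` criteria `all`, `User` and `Address`. The addresses and sample configurations are constructed.

```python
import ipaddress
# OpenSSH built-in defaults for the two keywords examined here.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# Constructed samples; 192.0.2.10 is a placeholder for the backup server address.
WIDE_OPEN = "PermitRootLogin yes\nPasswordAuthentication yes\n"
SCOPED = """PermitRootLogin prohibit-password
PasswordAuthentication no
Match User root Address 192.0.2.10
    PermitRootLogin yes
    PasswordAuthentication yes
"""

def match_applies(criteria, user, client_ip):
    """Evaluate a Match line; only 'all', 'User' and 'Address' are modeled."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if not criteria or len(criteria) % 2:
        raise ValueError(f"cannot parse Match criteria: {criteria}")
    ip = ipaddress.ip_address(client_ip)
    for name, pattern in zip(criteria[0::2], criteria[1::2]):
        values = pattern.split(",")
        if name.lower() == "user":
            ok = user in values
        elif name.lower() == "address":
            ok = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        else:
            raise ValueError(f"unsupported Match criterion: {name}")
        if not ok:
            return False
    return True

def effective(config_text, user, client_ip):
    """First value wins within a scope; matching Match blocks override globals."""
    global_opts, match_opts = {}, {}
    scope = global_opts
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            scope = match_opts if match_applies(args, user, client_ip) else None
        elif scope is not None and args:
            scope.setdefault(key, args[0].lower())
    return {**DEFAULTS, **global_opts, **match_opts}

def root_password_login_allowed(config_text, client_ip):
    opts = effective(config_text, "root", client_ip)
    return opts["permitrootlogin"] == "yes" and opts["passwordauthentication"] == "yes"
```

On a live host, `sshd -T -C user=root,addr=<address>` prints the effective settings as sshd itself computes them, which covers criteria this sketch does not model.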
-
- Chief Product Officer
- Posts: 31712
- Liked: 7217 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: VBR & Proxmox (root?)
For direct ESX connection we supported the desired approach literally since v1. So the capability to interact with Linux servers like that has been in the product forever. The only problem is that the current version of our platform extensibility SDK used to add support for all new hypervisors is unable to handle such advanced Linux credential types yet, but only basic credentials.
-
- Lurker
- Posts: 2
- Liked: 4 times
- Joined: Dec 05, 2019 9:58 am
- Full Name: Matt Hydras
- Contact:
Re: VBR & Proxmox (root?)
Hello,
For a v1 and for the timing of this update, all the Veeam teams can be proud of the job that has been done.
-
- Novice
- Posts: 7
- Liked: never
- Joined: Oct 28, 2021 2:30 pm
- Contact:
Re: VBR & Proxmox (root?)
Is there an ETA for anything but basic auth? Like this year or next? I could live with root using a cert for auth, but as it is we'll probably roll out the agent.
Don't get me wrong, I fully understand the short release and am grateful Veeam is supporting Proxmox.
-
- Chief Product Officer
- Posts: 31712
- Liked: 7217 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: VBR & Proxmox (root?)
We were hoping to include this into the immediate minor update before the end of this year, but ran into some issues on the Proxmox side where some API endpoints require root specifically to interact with. We have submitted a feature request to Proxmox developers asking to solve this. @PTide could you share the Proxmox R&D forum thread please? As added pressure from end users might help.
-
- Product Manager
- Posts: 6535
- Liked: 762 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: VBR & Proxmox (root?)
Hi,
So, here is the item on the bug tracker that is aimed to address this exact issue of having to use root for certain actions in Proxmox VE API.
And here are some links:
root or not root
api limitations to root pam
disable root account
Thanks!
-
- Chief Product Officer
- Posts: 31712
- Liked: 7217 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: VBR & Proxmox (root?)
Looking at the bug creation date and the age of those topics this does not look too promising...
-
- Product Manager
- Posts: 6535
- Liked: 762 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: VBR & Proxmox (root?)
Proxmox developers have replied that a patch series had been proposed, but the implementation was not finished. Since the developer who was responsible for this particular feature has left the company, nobody else has picked up work on the series yet. I am in contact with the Proxmox devs regarding this item.
-
- Novice
- Posts: 7
- Liked: never
- Joined: Oct 28, 2021 2:30 pm
- Contact:
Re: VBR & Proxmox (root?)
Thanks for the replies, any chance we can get private key authentication to work for root @ proxmox? This would relax the situation immensely.
-
- Veeam Software
- Posts: 422
- Liked: 88 times
- Joined: Jul 03, 2023 12:44 pm
- Full Name: Rovshan Pashayev
- Location: Czechia
- Contact:
Re: VBR & Proxmox (root?)
Hello,
Private key authentication is planned to be supported in future releases (however, not in the next one).
There are also some limitations on the Proxmox API side that we have yet to deal with. We are in contact with Proxmox R&D, so eventually we will sort this out.
Thanks!
Rovshan Pashayev
Analyst
Veeam Agent for Linux, Mac, AIX & Solaris