Standalone backup agents for Linux, Mac, AIX & Solaris workloads on-premises or in the public cloud
Post Reply
DonZoomik
Service Provider
Posts: 372
Liked: 120 times
Joined: Nov 25, 2016 1:56 pm
Full Name: Mihkel Soomere
Contact:

SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik »

According to documentation Agent needs SSH to connect to repository, even when managed through BnR server:
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4
https://helpcenter.veeam.com/docs/agent ... tml?ver=30
Is this correct? What credentials would Agent use? The only thing that comes to mind is that BnR server would provide SSH password/key to Agent and that sounds bad as there are are pretty high privileges involved.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by nielsengelen »

There is a section on security around the communication available as well in our user guide. For Linux we support password & key methods with non-root accounts as well (see this section).
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
DonZoomik
Service Provider
Posts: 372
Liked: 120 times
Joined: Nov 25, 2016 1:56 pm
Full Name: Mihkel Soomere
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik »

First link is about Agent <-> BnR server communications and and second about permissions within Agent computer.
I'm asking about Agent -> Repository connections.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by nielsengelen »

Port 22 is used to communicate between VBR & the agent to deploy it.

If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
If it is Windows then it's 49152 to 65535.

For both, we also utilize 2500 to 3000 as default range of ports used as data transmission channels.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
DonZoomik
Service Provider
Posts: 372
Liked: 120 times
Joined: Nov 25, 2016 1:56 pm
Full Name: Mihkel Soomere
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik »

If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
But what credentials would agent use, and for what? I don't see any option in Agent to enter repository credentials separately. If BnR provided the repository's credentials to the Agent that'd be pretty bad as repository account requires pretty much root-level privileges (or at least still full RW access to any backups if limited like this post170788.html#p170788 ).
DonZoomik
Service Provider
Posts: 372
Liked: 120 times
Joined: Nov 25, 2016 1:56 pm
Full Name: Mihkel Soomere
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik »

Anyone?
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by PTide »

Hello,

Must be a mistake - Agents do not need to connect to port 22 on linux repos.

We will correct the User Guide shortly

Thank you for noticing!
DonZoomik
Service Provider
Posts: 372
Liked: 120 times
Joined: Nov 25, 2016 1:56 pm
Full Name: Mihkel Soomere
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik »

You might want to then check agent to Windows repository ports as well, as it lists RPC port range as a requirement. This once again requires authentication with credentials that Agent should not have.
But thanks for feedback.
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DGrinev »

In the situation, with Backup Agent for Windows, you should provide credentials when choosing backup repository as a target.
You can grant access permissions to a backup repository within UI. See Access Permissions article in the User Guide.

Thanks!
DonZoomik
Service Provider
Posts: 372
Liked: 120 times
Joined: Nov 25, 2016 1:56 pm
Full Name: Mihkel Soomere
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik »

Agent connects to BnR server with BnR server's Windows credentials. Repository access limiting is only performed logically within BnR server with credentials that are local to BnR server (let's not consider domain membership for now).
If repository is on another server then agent doesn't have credentials to Repository server (only BnR). While you could use unauthenticated RPC, it's unusual and a bad idea (https://www.stigviewer.com/stig/windows ... ng/V-73541). RPC would also imply TCP135 (RPC endpoint mapper) to be required as dynamic RPC is well... dynamic and ports could change on every service restart. This would also require rpcclient that would include smbtools. So I guess it's a copy-paste error as well.
kaffeine
Enthusiast
Posts: 39
Liked: 17 times
Joined: Jun 04, 2018 8:03 am
Full Name: Espresso Doppio
Location: Austria
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by kaffeine »

Hello,

regarding this topic, according to the Veeam Agent for Microsoft Windows 5.0 User Guide, the Port 22 on the Linux Repo should be opened to the Windows Veeam Agents:

Image

Is this a typo or indeed by design? If the later, it would be against the best practice of hardened linux repos with SSH disabled, wouldn't it?

Regards


PS - I've noticed now that this thread lies within the Linux Agent sub forum, not the Windows Agent one. Could some Mod please move this post? Sorry for the trouble and thanks in advance
kaffeine
Enthusiast
Posts: 39
Liked: 17 times
Joined: Jun 04, 2018 8:03 am
Full Name: Espresso Doppio
Location: Austria
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by kaffeine »

Update: we left the port 22 between the Veeam Agent Computer and the Linux hardened repo, and the backup jobs go through without error. So I suppose the official guide (from where the screenshot above was taken of) is incorrect?

Regards
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by PTide » 1 person likes this post

Hi,

Yes, it is incorrect and will be fixed shortly.

On of the reasons why hardened repository is called so is that it does not require an SSH to operate at all (provided that the initial setup which occurs via SSH was successful), regardless of whether it is Windows agent or Linux agent.

You can even shutdown SSH completely on the hardende repo side and thinks should work as before (and you've already tried that as far as I can see).

Thanks!
sunman123
Lurker
Posts: 2
Liked: never
Joined: Sep 28, 2022 4:11 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by sunman123 »

We have a hardened linux repository that was working fine (added via SSH user with sudo and with sudo removed aftewards). Backups were going fine for a week then we decided to disable SSHD and remove the linux firewall rule for SSHD. All backups are failing now to the SOBR with the following:

Task failed. Error: Failed to save the backup metadata file: no extent is selected.

Is SSH definitely not required for the repo after initial setup?

(Note this is for VMware VM backups, not agent based backups)
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by PTide »

Hi,

Have you opened a support case already? We will have to review the logs anyway.

And yes, hardened repo is supposed to work without running SSH (that's the purpose). However, SSH connection is necessary when upgrading to v12.

Thanks!
Post Reply

Who is online

Users browsing this forum: No registered users and 13 guests