-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
SSH required from Agent to repository when using Backup and Replication server?
According to documentation Agent needs SSH to connect to repository, even when managed through BnR server:
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4
https://helpcenter.veeam.com/docs/agent ... tml?ver=30
Is this correct? What credentials would Agent use? The only thing that comes to mind is that BnR server would provide SSH password/key to Agent and that sounds bad as there are are pretty high privileges involved.
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4
https://helpcenter.veeam.com/docs/agent ... tml?ver=30
Is this correct? What credentials would Agent use? The only thing that comes to mind is that BnR server would provide SSH password/key to Agent and that sounds bad as there are are pretty high privileges involved.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
There is a section on security around the communication available as well in our user guide. For Linux we support password & key methods with non-root accounts as well (see this section).
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
First link is about Agent <-> BnR server communications and and second about permissions within Agent computer.
I'm asking about Agent -> Repository connections.
I'm asking about Agent -> Repository connections.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Port 22 is used to communicate between VBR & the agent to deploy it.
If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
If it is Windows then it's 49152 to 65535.
For both, we also utilize 2500 to 3000 as default range of ports used as data transmission channels.
If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
If it is Windows then it's 49152 to 65535.
For both, we also utilize 2500 to 3000 as default range of ports used as data transmission channels.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
But what credentials would agent use, and for what? I don't see any option in Agent to enter repository credentials separately. If BnR provided the repository's credentials to the Agent that'd be pretty bad as repository account requires pretty much root-level privileges (or at least still full RW access to any backups if limited like this post170788.html#p170788 ).If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hello,
Must be a mistake - Agents do not need to connect to port 22 on linux repos.
We will correct the User Guide shortly
Thank you for noticing!
Must be a mistake - Agents do not need to connect to port 22 on linux repos.
We will correct the User Guide shortly
Thank you for noticing!
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
You might want to then check agent to Windows repository ports as well, as it lists RPC port range as a requirement. This once again requires authentication with credentials that Agent should not have.
But thanks for feedback.
But thanks for feedback.
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
In the situation, with Backup Agent for Windows, you should provide credentials when choosing backup repository as a target.
You can grant access permissions to a backup repository within UI. See Access Permissions article in the User Guide.
Thanks!
You can grant access permissions to a backup repository within UI. See Access Permissions article in the User Guide.
Thanks!
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Agent connects to BnR server with BnR server's Windows credentials. Repository access limiting is only performed logically within BnR server with credentials that are local to BnR server (let's not consider domain membership for now).
If repository is on another server then agent doesn't have credentials to Repository server (only BnR). While you could use unauthenticated RPC, it's unusual and a bad idea (https://www.stigviewer.com/stig/windows ... ng/V-73541). RPC would also imply TCP135 (RPC endpoint mapper) to be required as dynamic RPC is well... dynamic and ports could change on every service restart. This would also require rpcclient that would include smbtools. So I guess it's a copy-paste error as well.
If repository is on another server then agent doesn't have credentials to Repository server (only BnR). While you could use unauthenticated RPC, it's unusual and a bad idea (https://www.stigviewer.com/stig/windows ... ng/V-73541). RPC would also imply TCP135 (RPC endpoint mapper) to be required as dynamic RPC is well... dynamic and ports could change on every service restart. This would also require rpcclient that would include smbtools. So I guess it's a copy-paste error as well.
-
- Enthusiast
- Posts: 39
- Liked: 17 times
- Joined: Jun 04, 2018 8:03 am
- Full Name: Espresso Doppio
- Location: Austria
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hello,
regarding this topic, according to the Veeam Agent for Microsoft Windows 5.0 User Guide, the Port 22 on the Linux Repo should be opened to the Windows Veeam Agents:
Is this a typo or indeed by design? If the later, it would be against the best practice of hardened linux repos with SSH disabled, wouldn't it?
Regards
PS - I've noticed now that this thread lies within the Linux Agent sub forum, not the Windows Agent one. Could some Mod please move this post? Sorry for the trouble and thanks in advance
regarding this topic, according to the Veeam Agent for Microsoft Windows 5.0 User Guide, the Port 22 on the Linux Repo should be opened to the Windows Veeam Agents:
Is this a typo or indeed by design? If the later, it would be against the best practice of hardened linux repos with SSH disabled, wouldn't it?
Regards
PS - I've noticed now that this thread lies within the Linux Agent sub forum, not the Windows Agent one. Could some Mod please move this post? Sorry for the trouble and thanks in advance
-
- Enthusiast
- Posts: 39
- Liked: 17 times
- Joined: Jun 04, 2018 8:03 am
- Full Name: Espresso Doppio
- Location: Austria
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Update: we left the port 22 between the Veeam Agent Computer and the Linux hardened repo, and the backup jobs go through without error. So I suppose the official guide (from where the screenshot above was taken of) is incorrect?
Regards
Regards
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hi,
Yes, it is incorrect and will be fixed shortly.
On of the reasons why hardened repository is called so is that it does not require an SSH to operate at all (provided that the initial setup which occurs via SSH was successful), regardless of whether it is Windows agent or Linux agent.
You can even shutdown SSH completely on the hardende repo side and thinks should work as before (and you've already tried that as far as I can see).
Thanks!
Yes, it is incorrect and will be fixed shortly.
On of the reasons why hardened repository is called so is that it does not require an SSH to operate at all (provided that the initial setup which occurs via SSH was successful), regardless of whether it is Windows agent or Linux agent.
You can even shutdown SSH completely on the hardende repo side and thinks should work as before (and you've already tried that as far as I can see).
Thanks!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Sep 28, 2022 4:11 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
We have a hardened linux repository that was working fine (added via SSH user with sudo and with sudo removed aftewards). Backups were going fine for a week then we decided to disable SSHD and remove the linux firewall rule for SSHD. All backups are failing now to the SOBR with the following:
Task failed. Error: Failed to save the backup metadata file: no extent is selected.
Is SSH definitely not required for the repo after initial setup?
(Note this is for VMware VM backups, not agent based backups)
Task failed. Error: Failed to save the backup metadata file: no extent is selected.
Is SSH definitely not required for the repo after initial setup?
(Note this is for VMware VM backups, not agent based backups)
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hi,
Have you opened a support case already? We will have to review the logs anyway.
And yes, hardened repo is supposed to work without running SSH (that's the purpose). However, SSH connection is necessary when upgrading to v12.
Thanks!
Have you opened a support case already? We will have to review the logs anyway.
And yes, hardened repo is supposed to work without running SSH (that's the purpose). However, SSH connection is necessary when upgrading to v12.
Thanks!
Who is online
Users browsing this forum: No registered users and 13 guests