- Novice
- Posts: 3
- Liked: never
- Joined: Apr 12, 2023 8:45 pm
- Full Name: Jody Gosnell
Veeam B&R and RHEL8
Hi All,
We are seeing an issue with B&R not having the ability to perform a "rescan" or an agent install on RHEL8 devices that have been hardened in accordance with DISA STIGs. Apparently the Rebex SSH library that Veeam uses for communication does not support any CTR ciphers, even though Veeam expressly recommends CTR ciphers on this page:
https://helpcenter.veeam.com/docs/backu ... mendations
I have an open case (#05948185) but it doesn't sound like there is much of an option other than either temporarily enabling CBC or GCM ciphers or using an agent managed backup. Neither are good options. I am just curious if anyone else has run into this and if you have any other fixes or workarounds we could try without reversing a STIG rule. I am sure there are others that have to harden their devices the same way.
- Product Manager
- Posts: 14830
- Liked: 3079 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Veeam B&R and RHEL8
Hello,
and welcome to the forums.
Just to be sure... you configured exactly these ciphers in /etc/crypto-policies/back-ends/opensshserver.config ?
Code:
-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
I just tried that out and the "test password" works. But the rescan fails. Same as you see (I also tried switching to the Renci library). I will talk to support.
Best regards,
Hannes
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 12, 2023 8:45 pm
- Full Name: Jody Gosnell
Re: Veeam B&R and RHEL8
Yes, based on the DISA STIG for RH machines, only CTR ciphers are allowed.
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 12, 2023 8:45 pm
- Full Name: Jody Gosnell
Re: Veeam B&R and RHEL8
Were you able to get any additional information from support staff? Will the libraries be updated soon to include CTR ciphers?
HannesK wrote: ↑Apr 13, 2023 11:22 am
Hello,
and welcome to the forums.
Just to be sure... you configured exactly these ciphers in /etc/crypto-policies/back-ends/opensshserver.config ?
Code:
-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
I just tried that out and the "test password" works. But the rescan fails. Same as you see (I also tried switching to the Renci library). I will talk to support.
Best regards,
Hannes
- Product Manager
- Posts: 14830
- Liked: 3079 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Veeam B&R and RHEL8
Hello,
Red Hat told us that they would work to upgrade the STIGs to add GCM ciphers. But it's hard to estimate how long that will take. I also talked to Canonical on the same topic. STIGs say that "FIPS 140-2 approved ciphers" are allowed. In the checks, they only look for CTR. But GCM ciphers are also FIPS approved (that's the Ubuntu document, but it should be the same on RHEL).
From Veeam side, we have two libraries (well three, but the third is legacy):
1. CTR ciphers are not supported by the FIPS compliant Rebex library.
2. We can use the Renci library with CTR ciphers. But the Renci library is not FIPS compliant.
Best regards,
Hannes
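The failure mode the thread describes (a CTR-only sshd on the STIG-hardened host, a backup-server SSH client that offers no CTR cipher, so "test password" or rescan cannot negotiate a cipher) is easiest to see by modelling the SSH cipher negotiation rule from RFC 4253 section 7.1 against the crypto-policy line Hannes quoted. The script below is an added example, not Veeam, Rebex or Renci code; the opensshserver.config text is a constructed sample, and the two client cipher lists are assumptions made for the demonstration (one client without CTR, one with), not the real lists shipped by any library. It also shows a STIG-style "CTR only" check, which is why a policy that adds GCM would currently fail that check even though GCM is FIPS approved.

```python
"""Model SSH cipher negotiation between a CTR-only RHEL 8 sshd and two SSH clients.

Added example, not code from the Veeam forum post or from any of the libraries
discussed there. Client cipher lists are constructed assumptions.
"""
import re

# Constructed sample of /etc/crypto-policies/back-ends/opensshserver.config after a
# STIG-style restriction to CTR ciphers (a real file carries more options).
SAMPLE_OPENSSHSERVER_CONFIG = (
    "CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr "
    "-oMACs=hmac-sha2-512,hmac-sha2-256 "
    "-oKexAlgorithms=ecdh-sha2-nistp384,ecdh-sha2-nistp256'"
)

# Hypothetical client preference lists, highest preference first.
CLIENT_PROFILES = {
    # Assumption: a FIPS-mode client that offers GCM and CBC but no CTR.
    "client-without-ctr": [
        "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
        "aes256-cbc", "aes128-cbc",
    ],
    # Assumption: a client that offers CTR (plus a CBC fallback).
    "client-with-ctr": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc"],
}


def server_ciphers(config_text):
    """Return the cipher list sshd will offer, taken from the -oCiphers= option."""
    match = re.search(r"-oCiphers=([^\s']+)", config_text)
    return match.group(1).split(",") if match else []


def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: the chosen cipher is the first entry in the client's list
    that the server also supports; None means the connection cannot proceed."""
    for cipher in client_prefs:
        if cipher in server_prefs:
            return cipher
    return None


def ctr_only(ciphers):
    """STIG-style check as described in the thread: every offered cipher must be CTR.
    Any non-CTR entry (including GCM) makes the check fail."""
    return bool(ciphers) and all(c.endswith("-ctr") for c in ciphers)


def check_compatibility(config_text, profiles):
    """Negotiate each client profile against the server's offered ciphers."""
    offered = server_ciphers(config_text)
    return {name: negotiate(prefs, offered) for name, prefs in profiles.items()}


if __name__ == "__main__":
    offered = server_ciphers(SAMPLE_OPENSSHSERVER_CONFIG)
    print("server offers:", ", ".join(offered), "| CTR-only check:", ctr_only(offered))
    for name, chosen in check_compatibility(SAMPLE_OPENSSHSERVER_CONFIG, CLIENT_PROFILES).items():
        print(f"{name:20s} -> {chosen or 'no common cipher, connection fails'}")
    # What a policy that also allows GCM would look like under the same check:
    print("CTR plus GCM passes CTR-only check:", ctr_only(offered + ["aes256-gcm@openssh.com"]))
```

On a real host the first function's input is simply the contents of the file Hannes named, and `sshd -T | grep -i ciphers` shows the list the running daemon actually offers, which is the value worth comparing against what the backup server's SSH client advertises.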