Agent-based backup of Windows, Linux, Max, AIX and Solaris machines.
Post Reply
jgosnell56
Novice
Posts: 3
Liked: never
Joined: Apr 12, 2023 8:45 pm
Full Name: Jody Gosnell
Contact:

Veeam B&R and RHEL8

Post by jgosnell56 »

Hi All,
We are seeing an issue with B&R not having the ability to perform a "rescan" or an agent install on RHEL8 devices that have been hardened in accordance with DISA STIGs. Apparently the Rebex SSH library that Veeam uses for communication does not support any CTR ciphers, even though Veeam expressly recommends CTR ciphers on this page:
https://helpcenter.veeam.com/docs/backu ... mendations
I have an open case (#05948185) but it doesn't sound like there is much of an option other than either temporarily enabling CBC or GCM ciphers or using an agent managed backup. Neither are good options. I am just curious if anyone else has ran into this and if you have any other fixes or workarounds we could try without reversing a STIG rule. I am sure there are others that have to harden their devices the same way.
HannesK
Product Manager
Posts: 14314
Liked: 2887 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam B&R and RHEL8

Post by HannesK »

Hello,
and welcome to the forums.

Just to be sure... you configured exactly these cyphers in /etc/crypto-policies/back-ends/opensshserver.config ?

Code: Select all

-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
I just tried that out and the "test password" works. But the rescan fails. Same as you see (I also tried switching to the Renci library). I will talk to support.

Best regards,
Hannes
jgosnell56
Novice
Posts: 3
Liked: never
Joined: Apr 12, 2023 8:45 pm
Full Name: Jody Gosnell
Contact:

Re: Veeam B&R and RHEL8

Post by jgosnell56 »

Yes, based on the DISA STIG for RH machines, only CTR ciphers are allowed.
jgosnell56
Novice
Posts: 3
Liked: never
Joined: Apr 12, 2023 8:45 pm
Full Name: Jody Gosnell
Contact:

Re: Veeam B&R and RHEL8

Post by jgosnell56 »

HannesK wrote: Apr 13, 2023 11:22 am Hello,
and welcome to the forums.

Just to be sure... you configured exactly these cyphers in /etc/crypto-policies/back-ends/opensshserver.config ?

Code: Select all

-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
I just tried that out and the "test password" works. But the rescan fails. Same as you see (I also tried switching to the Renci library). I will talk to support.

Best regards,
Hannes
Were you able to get any additional information from support staff? Will the libraries be updated soon to include CTR ciphers?
HannesK
Product Manager
Posts: 14314
Liked: 2887 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam B&R and RHEL8

Post by HannesK »

Hello,
Red Hat told us, that they would work to upgrade the STIGs to add GCM ciphers. But it's hard to estimate how long that will take. I also talked to Canonical on the same topic. STIGs say that "FIPS 140-2 approved ciphers" are allowed. In the checks, they only look for CTR. But GCM ciphers are also FIPS approved (that's the Ubuntu document, but it should be the same on RHEL).

From Veeam side, we have two libraries (well three, but the third is legacy)
1. CTR ciphers are not supported by the FIPS compliant Rebex library
2. We can use the Renci library with CTR ciphers. But the Renci library is not FIPS compliant.

Best regards,
Hannes
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests