Standalone backup agent for Linux servers and workstations on-premises or in the public cloud
Post Reply
DonZoomik
Expert
Posts: 178
Liked: 36 times
Joined: Nov 25, 2016 1:56 pm
Contact:

SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik » Jan 23, 2020 12:40 pm

According to documentation Agent needs SSH to connect to repository, even when managed through BnR server:
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4
https://helpcenter.veeam.com/docs/agent ... tml?ver=30
Is this correct? What credentials would Agent use? The only thing that comes to mind is that BnR server would provide SSH password/key to Agent and that sounds bad as there are are pretty high privileges involved.

nielsengelen
Veeam Software
Posts: 3131
Liked: 638 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by nielsengelen » Jan 23, 2020 1:19 pm

There is a section on security around the communication available as well in our user guide. For Linux we support password & key methods with non-root accounts as well (see this section).
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be

DonZoomik
Expert
Posts: 178
Liked: 36 times
Joined: Nov 25, 2016 1:56 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik » Jan 23, 2020 2:13 pm

First link is about Agent <-> BnR server communications and and second about permissions within Agent computer.
I'm asking about Agent -> Repository connections.

nielsengelen
Veeam Software
Posts: 3131
Liked: 638 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by nielsengelen » Jan 23, 2020 2:21 pm

Port 22 is used to communicate between VBR & the agent to deploy it.

If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
If it is Windows then it's 49152 to 65535.

For both, we also utilize 2500 to 3000 as default range of ports used as data transmission channels.
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be

DonZoomik
Expert
Posts: 178
Liked: 36 times
Joined: Nov 25, 2016 1:56 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik » Jan 23, 2020 2:43 pm

If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
But what credentials would agent use, and for what? I don't see any option in Agent to enter repository credentials separately. If BnR provided the repository's credentials to the Agent that'd be pretty bad as repository account requires pretty much root-level privileges (or at least still full RW access to any backups if limited like this post170788.html#p170788 ).

DonZoomik
Expert
Posts: 178
Liked: 36 times
Joined: Nov 25, 2016 1:56 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik » Jan 27, 2020 12:18 pm

Anyone?

PTide
Product Manager
Posts: 5451
Liked: 495 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by PTide » Jan 27, 2020 2:20 pm

Hello,

Must be a mistake - Agents do not need to connect to port 22 on linux repos.

We will correct the User Guide shortly

Thank you for noticing!

DonZoomik
Expert
Posts: 178
Liked: 36 times
Joined: Nov 25, 2016 1:56 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik » Jan 27, 2020 3:48 pm

You might want to then check agent to Windows repository ports as well, as it lists RPC port range as a requirement. This once again requires authentication with credentials that Agent should not have.
But thanks for feedback.

DGrinev
Expert
Posts: 1943
Liked: 246 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DGrinev » Jan 27, 2020 4:03 pm

In the situation, with Backup Agent for Windows, you should provide credentials when choosing backup repository as a target.
You can grant access permissions to a backup repository within UI. See Access Permissions article in the User Guide.

Thanks!

DonZoomik
Expert
Posts: 178
Liked: 36 times
Joined: Nov 25, 2016 1:56 pm
Contact:

Re: SSH required from Agent to repository when using Backup and Replication server?

Post by DonZoomik » Jan 27, 2020 4:31 pm

Agent connects to BnR server with BnR server's Windows credentials. Repository access limiting is only performed logically within BnR server with credentials that are local to BnR server (let's not consider domain membership for now).
If repository is on another server then agent doesn't have credentials to Repository server (only BnR). While you could use unauthenticated RPC, it's unusual and a bad idea (https://www.stigviewer.com/stig/windows ... ng/V-73541). RPC would also imply TCP135 (RPC endpoint mapper) to be required as dynamic RPC is well... dynamic and ports could change on every service restart. This would also require rpcclient that would include smbtools. So I guess it's a copy-paste error as well.

Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests