-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
SSH required from Agent to repository when using Backup and Replication server?
According to documentation Agent needs SSH to connect to repository, even when managed through BnR server:
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4
https://helpcenter.veeam.com/docs/agent ... tml?ver=30
Is this correct? What credentials would Agent use? The only thing that comes to mind is that BnR server would provide SSH password/key to Agent and that sounds bad as there are pretty high privileges involved.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
There is a section on security around the communication available as well in our user guide. For Linux we support password & key methods with non-root accounts as well (see this section).
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
First link is about Agent <-> BnR server communications and second about permissions within Agent computer.
I'm asking about Agent -> Repository connections.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Port 22 is used to communicate between VBR & the agent to deploy it.
If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
If it is Windows then it's 49152 to 65535.
For both, we also utilize 2500 to 3000 as default range of ports used as data transmission channels.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
But what credentials would agent use, and for what? I don't see any option in Agent to enter repository credentials separately. If BnR provided the repository's credentials to the Agent that'd be pretty bad as repository account requires pretty much root-level privileges (or at least still full RW access to any backups if limited like this post170788.html#p170788). If the backup repository is a Linux box, then port 22 is also required to the repo as stated in the user guide.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hello,
Must be a mistake - Agents do not need to connect to port 22 on linux repos.
We will correct the User Guide shortly
Thank you for noticing!
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
You might want to then check agent to Windows repository ports as well, as it lists RPC port range as a requirement. This once again requires authentication with credentials that Agent should not have.
But thanks for feedback.
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
In the situation, with Backup Agent for Windows, you should provide credentials when choosing backup repository as a target.
You can grant access permissions to a backup repository within UI. See Access Permissions article in the User Guide.
Thanks!
-
- Service Provider
- Posts: 372
- Liked: 120 times
- Joined: Nov 25, 2016 1:56 pm
- Full Name: Mihkel Soomere
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Agent connects to BnR server with BnR server's Windows credentials. Repository access limiting is only performed logically within BnR server with credentials that are local to BnR server (let's not consider domain membership for now).
If repository is on another server then agent doesn't have credentials to Repository server (only BnR). While you could use unauthenticated RPC, it's unusual and a bad idea (https://www.stigviewer.com/stig/windows ... ng/V-73541). RPC would also imply TCP135 (RPC endpoint mapper) to be required as dynamic RPC is well... dynamic and ports could change on every service restart. This would also require rpcclient that would include smbtools. So I guess it's a copy-paste error as well.
-
- Enthusiast
- Posts: 39
- Liked: 17 times
- Joined: Jun 04, 2018 8:03 am
- Full Name: Espresso Doppio
- Location: Austria
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hello,
regarding this topic, according to the Veeam Agent for Microsoft Windows 5.0 User Guide, the Port 22 on the Linux Repo should be opened to the Windows Veeam Agents:
Is this a typo or indeed by design? If the latter, it would be against the best practice of hardened Linux repos with SSH disabled, wouldn't it?
Regards
PS - I've noticed now that this thread lies within the Linux Agent sub forum, not the Windows Agent one. Could some Mod please move this post? Sorry for the trouble and thanks in advance
-
- Enthusiast
- Posts: 39
- Liked: 17 times
- Joined: Jun 04, 2018 8:03 am
- Full Name: Espresso Doppio
- Location: Austria
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Update: we left the port 22 between the Veeam Agent Computer and the Linux hardened repo, and the backup jobs go through without error. So I suppose the official guide (from which the screenshot above was taken) is incorrect?
Regards
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hi,
Yes, it is incorrect and will be fixed shortly.
One of the reasons why hardened repository is called so is that it does not require SSH to operate at all (provided that the initial setup which occurs via SSH was successful), regardless of whether it is Windows agent or Linux agent.
You can even shut down SSH completely on the hardened repo side and things should work as before (and you've already tried that as far as I can see).
Thanks!
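A check that could be run on the Linux repository after stopping SSH, as an added example that is not part of the thread or of Veeam's tooling: it classifies listening TCP sockets from `ss -tln` output into port 22 and the 2500 to 3000 data range mentioned earlier in the thread. The function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets on a Linux repository.
# Input: output of `ss -tln` on stdin. Ports come from the thread:
# 22 (SSH) and 2500-3000 (default data transmission range).
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, parts, ":")   # local address, e.g. 0.0.0.0:22 or [::]:2500
        port = parts[n] + 0         # the port follows the last colon
        if (port == 22)
            print "ssh " $4
        else if (port >= 2500 && port <= 3000)
            print "data " $4
    }'
}

# ssh_listening: exit status 0 if any socket still listens on port 22.
ssh_listening() {
    classify_listeners | grep -q '^ssh '
}

# Constructed sample: a repository before SSH is shut down.
sample_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      4096   0.0.0.0:2500       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9100     0.0.0.0:*
EOF
}

# Constructed sample: the same host with both port 22 listeners gone.
sample_after() {
    sample_before | grep -v ':22 '
}

# On a live host: ss -tln | classify_listeners
if sample_after | ssh_listening; then
    echo "port 22 still listening"
else
    echo "port 22 closed"
fi
```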
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Sep 28, 2022 4:11 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
We have a hardened Linux repository that was working fine (added via SSH user with sudo and with sudo removed afterwards). Backups were going fine for a week then we decided to disable SSHD and remove the Linux firewall rule for SSHD. All backups are failing now to the SOBR with the following:
Task failed. Error: Failed to save the backup metadata file: no extent is selected.
Is SSH definitely not required for the repo after initial setup?
(Note this is for VMware VM backups, not agent based backups)
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: SSH required from Agent to repository when using Backup and Replication server?
Hi,
Have you opened a support case already? We will have to review the logs anyway.
And yes, hardened repo is supposed to work without running SSH (that's the purpose). However, SSH connection is necessary when upgrading to v12.
Thanks!