Host-based backup of VMware vSphere VMs.
Post Reply
storageguy
Expert
Posts: 148
Liked: 13 times
Joined: Nov 19, 2014 4:20 am
Contact:

Single Use Credentials

Post by storageguy »

Hi,

For the hardened linux repository server, it is suggested to delete the single use credentials after the immutable repository is added to the VBR server. So then if I restart the repository server, which credential is used to start the veeam transport service?

thanks
chris.childerhose
Veeam Vanguard
Posts: 570
Liked: 131 times
Joined: Aug 13, 2014 6:03 pm
Full Name: Chris Childerhose
Location: Toronto, ON
Contact:

Re: Single Use Credentials

Post by chris.childerhose »

As per this page - https://helpcenter.veeam.com/docs/backu ... ml?ver=110

"When you add a Linux server, Veeam Backup & Replication saves a fingerprint of the Linux host SSH key to the configuration database. During every subsequent connection to the server, Veeam Backup & Replication uses the saved fingerprint to verify the server identity and avoid the man-in-the-middle attack."
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Ceritified Architect / VMCE
vExpert / VCAP-DCA / VCP6 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
Origin 2000
Service Provider
Posts: 78
Liked: 20 times
Joined: Sep 24, 2020 2:14 pm
Contact:

Re: Single Use Credentials

Post by Origin 2000 »

@chris.childerhose
that doesnt make sense because there is no running SSH anymore when youre finished with the setup of the hardened repository. This is only true for a normal linux server.

@storageguy
The veeam service starts automaticly as any other registered service on that OS. Because you temporary grand permission for the selected/used user during the Veeam install the wizzard was able to register it services.
storageguy
Expert
Posts: 148
Liked: 13 times
Joined: Nov 19, 2014 4:20 am
Contact:

Re: Single Use Credentials

Post by storageguy » 1 person likes this post

@Origin 2000, I have a situation where we restarted our linux server and the VBR server can no longer connect to the repository. After our investigation, we found out that the veeamtransport service won't start because the user was not found. So we re-created the deleted user and after re-creating the user, VBR server was able to connect to the repository again and the veeamtransport service started successfully. Strange, and that's why I'm confuse as to which user will be used once the single use credential is deleted.
Regnor
Veeam Software
Posts: 929
Liked: 280 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Single Use Credentials

Post by Regnor » 3 people like this post

Do I get it right that you've deleted the user, which you've used to connect the repository to Veeam? If so, that was wrong. The transport service will run in the context of this user, so it still needs to be present on your Linux server.
Veeam on the other hand only initially needs the credentials to deploy the transport service. That's why you use 'single use credentials' as Veeam doesn't need to save those credentials.

What you can and should to after the setup:
*remove the service user from the sudo group
*disable SSH and any remote access
chris.childerhose
Veeam Vanguard
Posts: 570
Liked: 131 times
Joined: Aug 13, 2014 6:03 pm
Full Name: Chris Childerhose
Location: Toronto, ON
Contact:

Re: Single Use Credentials

Post by chris.childerhose » 1 person likes this post

That is exactly right @Regnor as noted here too - https://helpcenter.veeam.com/docs/backu ... =110#step2
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Ceritified Architect / VMCE
vExpert / VCAP-DCA / VCP6 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
perjonsson1960
Veteran
Posts: 426
Liked: 44 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Re: Single Use Credentials

Post by perjonsson1960 »

If I want to change the description of the Linux server in the properties, I cannot get past the credentials step if I have used Single-Use Credentials. Does this mean that I have to start the SSH service in the Linux server first, and then submit the username and password for the "single-use account", and when I have finished the wizard, stop the SSH service again, just to change the description?

PJ
Gostev
Chief Product Officer
Posts: 31351
Liked: 6602 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Single Use Credentials

Post by Gostev »

Right, you need SSH to go through the wizard before the new configuration can be saved to configuration. I supposed as an alternative you could just change it in the configuration database directly :) if you have some experience with databases.
Post Reply

Who is online

Users browsing this forum: Baidu [Spider] and 205 guests