For Backups Guest OS files and indexing(and application awareness), Veeam needs Admin rights in Guest OS(Windows and Linux). In Windows a Domain Administrator account, and in Linux root access to perform this type of Backups and also Restore.
In this article, we will only focus on the Linux root account.
Since for security reasons most companies will not provide root access to the Backup tool, we can do this by creating a nonroot account with a Linux Private Key that will be elevated to root account.
First, we will create the user and the Private Key in Linux.
Note: We will create a Private Key, but also a Passphrase for security reasons.
1. Linux Create User:
Create Private Key: ssh-keygen -C “Key for Veeam Linux user Backup” -O no-x11-forwarding -O no-port-forwarding -O no-agent-forwarding
Note: Use a Passphrase password(if you leave blank, will not use a Passphrase ) to use in the Veeam Section.
Local user to be configured:
- user name: veeam-linux
- user id: 90
- home: /var/lib/veeam-linux
- SSH key file: /var/lib/veeam-linux/.ssh/authorized_keys
Linux command to create local user and key:
adduser -b /var/lib/ -c “Veeam Linux user Backup” -g users -m -u 90 veeam-linux
passwd -l veeam-linux # Prevent login via password
su – veeam-linux
mkdir .ssh
chmod 700 .ssh/
vi .ssh/authorized_keys
-> enter Public key:
ssh-rsa (public key)== Key for Veeam backup user
visudo
-> veeam-linux ALL=NOPASSWD: ALL
After the user is created and also the Public Key to your authorized_keys in your Linux OS, you should use the RSA_key.ppk(name that we used) file with the Private Key in Veeam.
Note: After we test this user and add the Public Key, if is working for Linux Backup jobs, we will use Linux Puppet to spread the User vs. Public Key to all our Linux VMs and all be able to use the same Key in authorized_keys.
Depending on your environment, you can also copy the corresponding Public Key to all your Linux Guests.
2. Veeam Linux user Configuration:
Next, we will create new Linux credentials to use in our Backups.
Open your Veeam Backup & Replication Console, and in the upper left corner we can open “Manage Credentials.”
Now click add and choose to add a Linux Private Key.
Next, add the user and use the information from the Linux User and Private Key create in the Linux section.
Option 1: Add the user created in the Linux Guest OS
Option 2: Add the Passphrase used in ssh-keygen.
Option 3: Use the RSA file extracted from the Linux Private Key.
Option 4: Since the account will only be elevated to root(not a root account) enable this option.
After these tasks, we have a Linux user that will use a Private Key and will be elevated to root in the VMs Linux Backups.
After this, we will create a job to test(Linux Backup) the Credentials and our Private Key.
In the “Guest Processing” screen we can test our User / Private Key to see if it works when we start the job.
In “Guest OS Credentials” choose the user that we have created above. Then click the option “Test Now.”
As we can see in the next image, the user was able to connect to the Guest OS and have the right permissions. All tests are green.
After this, we can use this user(with the Private Key) to Backup and Restore all our Linux VMs.
In this job example, we had only one VM to test this user, but if you have a job just for Linux VMs if you choose this user will set and will use for all VMs automatically.
But in case you have some mix OS Guest jobs(like we have) you should set the user for the Linux VMs.
Just edit your Backup Job and again go to the “Guest Processing” screen. Here click on “Credentials” options.
Choose VMs that should use the Linux User and click “Set User” and then “Linux credentials.”
Next, click “Add” and choose the Linux user.
After this, all Linux VMs will use that user to Backup and Restore.
After all this, you now have a Linux OS Guest user with a Private Key.
Hope this can help you how to configure this option. If you have any doubts or need extra help, don’t hesitate to contact me, or reply to this post.
For extra information, please check Veeam Help for this subject HERE
Final Note: Will like to thank you my Linux colleague Philipp van Huellen for help on the part of the Linux Private Key testing and also to provide the right security configuration on the Linux side.
Note: Share this article, if you think it is worth sharing.
©2016 ProVirtualzone. All Rights Reserved
A round of applause for your forum topic.Thanks Again. Really Cool. Titus
Thanks for your comments.
LP
Extra help would be appreciated or a modernized version as most of the commands don’t work in Ubuntu 20+ as far as I can tell. I know my employer may even be willing to hire a freelancer as we are hitting walls with this at the moment because of lacking and ambiguous or outdated documentation.
Hi Jeromy,
I wrote this long time ago, that even remember what I wrote here 🙂
What type of problems you are getting?
Contact me by email if you want.
LP
[…] 8. Veeam: Create Linux user for Private Key Login Credentials … […]