Veeam Agent Free and SSH Service – Secure Backup Access and Configuration Guide


Introduction


Data protection is more than just backups; it's about the last line of defense for enterprise security. Veeam incorporates security into every detail of its products through a zero-trust design philosophy.


In any system, obtaining account credentials is the starting point for hacker attacks, and backup systems are no exception. Storing and managing accounts carries certain security risks, so when designing and configuring systems, reducing unnecessary automatic remembering and saving of account information is a crucial security measure. In backup solutions, Veeam Agent for Linux introduces passwordless account management, which significantly enhances system security. This approach eliminates the need to store account information within the system, effectively reducing potential security vulnerabilities and data breach risks. This passwordless management mechanism not only elevates backup security but also simplifies administrator workflows. For specific systems, it can even avoid using the SSH management protocol, making the overall system more secure and reliable.

When managing remote backups in Linux and Windows environments, enabling SSH service for Veeam Agent Free ensures secure communication and control. This method allows IT administrators to perform automated, remote, and encrypted backup operations without exposing systems to unnecessary risks.

This guide explains how to configure SSH access in Veeam Agent Free, why it matters, and best practices for maintaining backup security.

Additionally, for environments where bastion hosts manage root passwords, this deployment method can adapt to constantly changing account credentials, eliminating the need to modify stored passwords in the backup system.


How It Works

Before deploying Veeam Agent for Linux, administrators first install Veeam's deployment service package and a temporary certificate on the Linux machine. With this service package in place, when VBR initiates an Agent push/management operation, it detects this component on the Linux system. After establishing a connection with this component, it checks the necessary certificates. If it's a temporary certificate, VBR will issue a formal certificate to replace the current temporary one. Thereafter, VBR will use this valid certificate to communicate with the Linux machine, managing and installing the relevant Agent components. This entire process completely eliminates the need to enter the Linux machine's administrator username and password on the backup server.


Step-by-Step Guide

Now, follow me step-by-step to see how to use this feature.


Step 1: 

First, you need to export the pre-installation software package and temporary certificate from VBR using the following PowerShell command:

 
Generate-VBRBackupServerDeployerKit -ExportPath "C:\Users\Administrator\Documents"

Click the hamburger icon (three horizontal lines) in the top left corner of the VBR server, find the PowerShell menu under Console, enter the above command, and you will obtain this Deployer Kit.


In the exported directory, you will see the files:

  • client-cert.pem
  • server-cert.p12
  • veeamdeployment_12.2.0.334_amd64.deb
  • veeamdeployment-12.2.0.334-1.x86_64.rpm
  • VeeamDeploymentSvc.mmp

Among them, the rpm package is for Red Hat-based systems, and the deb package is for Debian-based systems. Depending on the system, you need to copy client-cert.pem, server-cert.p12, and either the rpm or deb package to the target Linux machine.


Step 2: 

Run the command to install the rpm package:

 
yum install veeamdeployment-12.2.0.334-1.x86_64.rpm


Step 3: 

Then run the following commands to install the certificates and restart the deployment service:

 
/opt/veeam/deployment/veeamdeploymentsvc --install-server-certificate server-cert.p12
/opt/veeam/deployment/veeamdeploymentsvc --install-certificate client-cert.pem
/opt/veeam/deployment/veeamdeploymentsvc --restart


Step 4: 

Return to the VBR console and create a protection group. In the protection group creation wizard, when adding a Linux host, select "Connect using certificate-based authentication." After adding, you can use the "Test Now" button to check connectivity. When using certificate-based authentication mode, VBR will no longer require any SSH service to deploy Veeam Agent for Linux.

[Screenshot: creating the protection group for Veeam Agent for Linux]


Step 5: 

Once everything is normal, you can complete the creation of the Protection Group and push the Agent as usual. During the push process, VBR will update the temporary certificate on the target server, replacing it with a formal communication certificate, and install the Transport service.
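The kit files copied in Step 1 take the place of a stored password, so it is worth checking on the Linux host, before Steps 2 and 3, that the kit is complete and that server-cert.p12 is not readable by other users. The script below is an added example, not part of the original guide or of Veeam's tooling; the function names, the permission policy and the assumption that client-cert.pem is a plain PEM X.509 certificate are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check of a copied Deployer Kit before Steps 2-3.
# Function names and the permission policy are assumptions of this example.

# Print the kit package in directory $1 for package family $2 (rpm or deb).
pick_package() {
    for f in "$1"/veeamdeployment*."$2"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Print one line per problem found in kit directory $1 for family $2;
# return non-zero if anything is wrong.
kit_problems() {
    dir=$1; family=$2; rc=0
    for name in client-cert.pem server-cert.p12; do
        [ -s "$dir/$name" ] || { echo "missing: $name"; rc=1; }
    done
    # A PKCS#12 file normally bundles a private key, so require that group
    # and other have no access (characters 5-10 of the ls mode string).
    if [ -s "$dir/server-cert.p12" ]; then
        mode=$(ls -ld "$dir/server-cert.p12" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "loose-permissions: server-cert.p12"; rc=1; }
    fi
    pick_package "$dir" "$family" >/dev/null || { echo "missing: $family package"; rc=1; }
    return "$rc"
}

# Succeed only if $1 parses as a PEM X.509 certificate that has not expired.
# Assumes client-cert.pem is plain PEM X.509 and that openssl is installed.
cert_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# When run with a kit directory argument, check it and report.
if [ "$#" -gt 0 ]; then
    if command -v dpkg >/dev/null 2>&1; then family=deb; else family=rpm; fi
    kit_problems "$1" "$family" || exit 1
    cert_current "$1/client-cert.pem" || { echo "expired-or-unreadable: client-cert.pem"; exit 1; }
    echo "kit OK: install $(pick_package "$1" "$family"), then the certificates"
fi
```

Run it as root with the directory holding the copied kit as its only argument; a non-zero exit means the kit should be fixed (for example with chmod 600 on server-cert.p12) before installing.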

Benefits of Using SSH with Veeam Agent Free:

  • Secure data transfer and command execution.

  • Allows remote management for Linux backups.

  • Integrates easily with Veeam Backup & Replication for central control.

  • Supports key-based authentication, reducing password risks.


That's all for this security tip on Linux Agent management. I hope it helps with your IT system's security. In the next issue, I'll show you how to use passwordless management for Windows systems.