Step 3. Specify Credentials and SSH Settings
At the SSH Connection step of the wizard, specify credentials for the Linux server and additional SSH connection settings.
- From the Credentials list, select credentials for the account that has permissions described in Required Permissions. You can select a credentials record that uses the password authentication method or credentials record that uses the Identity/Pubkey authentication method.
If you have not set up credentials beforehand, click the Manage accounts link or click Add on the right to add the credentials. For more information, see Managing Credentials.
To build a hardened repository, click Add and select Single-use credentials for hardened repository. Veeam Backup & Replication does not store these credentials, they are used only for deploying Veeam Data Mover to the server. These credentials reduce the rights for the Veeam Data Mover. Single-use, or temporary, credentials is a recommended option for a hardened repository, but you can also use persistent credentials. In this case, the rights for the transport service will be reduced at the Configure Backup Repository Settings step of the Adding Backup Repository wizard. User with root permissions cannot use single-use credentials.
In the Credentials window, specify username, password, SSH port and select the Use "su" if "sudo" fails check box. For more information, see Deploying Hardened Repository.
If you add a Linux server with single-use credentials, the folder with the repository must be accessible for accounts with user permissions (and not only root).
- To configure SSH settings, click Advanced. This option becomes available after you have entered your credentials. In the SSH Settings window:
- In the Service console connection section, specify an SSH timeout. By default, the SSH timeout is set to 20000 ms. If a task targeted at the Linux server is inactive after the specified timeout, Veeam Backup & Replication will automatically terminate the task.
- In the Data transfer options section, specify connection settings for file copy operations. Provide a range of ports that will be used as transmission channels between the source host and target host (one port per task). By default, Veeam Backup & Replication uses port range 2500-3300. If the virtual environment is not large and data traffic will not be significant, you can specify a smaller range of ports, for example, 2500-2510 to run 10 concurrent jobs at the same time.
Port 6162 is opened by default. It is a port used by Veeam Data Mover.
If you want to open these ports only for certain firewalld zones, you can specify the required zones in the configuration files. For instructions, see the Before You Begin section.
- [For the Linux server deployed outside NAT] In the Preferred TCP connection role section, select the Run server on this side check box. In the NAT scenario, the outside client cannot initiate a connection to the server on the NAT network. As a result, services that require initiation of the connection from outside can be disrupted. With this option selected, you will be able to overcome this limitation and initiate a ‘server-client’ connection — that is, a connection in the direction of the Linux server.
You can also change the SSH port over which you want to connect to the Linux server. For this, click the Manage accounts link and edit the account used to connect to the Linux server.
- When you add a Linux server, Veeam Backup & Replication saves a fingerprint of the Linux host SSH key to the configuration database. During every subsequent connection to the server, Veeam Backup & Replication uses the saved fingerprint to verify the server identity and avoid the man-in-the-middle attack.
To let you identify the server, Veeam Backup & Replication displays the SSH key fingerprint:
- If you trust the server and want to connect to it, click Yes.
- If you do not trust the server, click No. Veeam Backup & Replication will display an error message, and you will not be able to connect to the server.
If you update the SSH key on the server, you must acknowledge the new key in the server connection settings. To do this, in the Backup Infrastructure view open the server settings, pass through the Edit Server wizard and click Trust to acknowledge the new key.