Skip to main content

I built a Hardened Repository using the ISO provided here many months ago.  Very happy with it, until I decided to upgrade Veeam to 12.1.  Now it wants to update components on the Hardened Repository end or it will no longer be usable, which it can’t. 

 

Is there a workflow to deal with this or do I have to start all over again on the Hardened Repository side?

I believe you need to temporarily re-enable SSH on the VHR @kmcdermott . Have you tried that yet?


It won’t let me; it says I’m not allowed to.  I’m assuming because its harderned.

 


Or, re-add the VHR user to sudo. After upgrade, you can remove it. I had to remember what was needed. We had discussed this in a previous thread several mos ago. You can review the post & thread comments here.


I don’t think think it’s the SSH service that’s the issue, but the user you’re using for VHR needs sudo rights re-added temporarily. If the acct you’re using to login with doesn’t have the ability to make “administrative” changes on the Linux server, you need to login with one that does.


To make administrative changes, you need to add “sudo” at the beginning of the command you’re trying to run. If the account your logged in with is not in the sudo group on the server, then it won’t work. You need to either login as root or login with an account with sudo permissions.


I only have the one account that I created when I made the repo.

If I run “sudo systemctl start ssh”, I get back the error that the user is “not allow to execute as root”.

If I try to run “usermod -a -G sudo user” I get “permission denied”. “cannot lock /etc/passwd”

 

 


@kmcdermott the account you’re logged in with wasn’t given sudo rights then. Do you know the root account login credentials?


You can run systemctrl status sshd to see if SSH is running. You don’t need to admin credentials to check the status as you’re not modifying anything.


Just for giggles, I ran “systemctl start ssh without the sudo and that worked.  Interesting.

New problem, I need to figure out how to create a single-use credential. 


@kmcdermott -- You need to go in to Single-User mode for the VHR and turn on SSH.  Once you do that you can update the VHR via the console and then reboot to go back in to hardened mode.  I had to do this recently for an upgrade in my homelab - have one more VHR to do but understand the process now.  Here is an article for Single-User mode - Ubuntu Linux Defense: Secure Boot & Single User Mode (veeam.com)


You can’t create an account without the ability to do admin tasks, which is only done via root or an account with sudo rights. systemctrl status enable? Status is still only a ‘monitoring’ cmd. It doesn’t change anything. 


coolsport00 - sorry, I mistyped.  It was “systemctl start ssh”


Hmm...ok. Well, if your acct can make changes, you can create a new account by:
useradd -m <name-of-user> ; then add it to sudo: adduser <new-username> sudo 

The thing is though, since your VHR is already “working” (minus the upgrade part), you should already have a single-cred user you’re using. Search the passwd file to see if there is a “veeam user” in it (cat /etc/passwd).


While it looks like you can do stuff with SSH, etc. you cannot.  You need to follow the instructions I noted to go in to Single-User mode in order to update the VHR otherwise you cannot do anything.  Otherwise, you might as well redeploy it with the ISO file again and overwrite stuff.


Chris.Childerhose - I don’t see GRUB when I boot up.  It immediately goes to a blue screen that says “Hardened Repository”


Chris.Childerhose - I don’t see GRUB when I boot up.  It immediately goes to a blue screen that says “Hardened Repository”

I had this issue too.  If you are using VMware (VM) then open the console - hit the ESC key on boot to get a boot menu for the VM - select the option “ubuntu” in the list and once you do hit the ESC key just ONCE (don’t continually press it - this does not work). This will then get you the GRUB menu.


Nevermind.  Mashing “esc” brought it up.


Nevermind.  Mashing “esc” brought it up.

Yes, that is what I posted before you found out.  LOL 😂


anyone else reading this, if you hit “esc” too many times and you end up at GRUB command prompt, type “normal” to get to the proper screen. :)


anyone else reading this, if you hit “esc” too many times and you end up at GRUB command prompt, type “normal” to get to the proper screen. :)

Thanks for that little tip.  That is what I was having at first before I figured out the hit ESC once.  LOL

Very cool to know typing “normal” gets you to the menu. 👍🏼


So…  I booted into single user.  ran “adduser user sudo” and it says I’m already in sudo!

 

Guess thats not it?


So…  I booted into single user.  ran “adduser user sudo” and it says I’m already in sudo!

 

Guess thats not it?

So, leave that as is.  Start the SSH service and then update from the console the VHR server.  It will then install the new components, etc.  Once fully updated reboot the VHR to get back to hardened mode.


You will also need the single-use credentials for the update from the console.


FYI - Whatever user you’re logged in as, to see if you’re in the sudo group, you can simply type group and a list of groups you’re in will be displayed.


If you don’t want to play with ssh, wait CP1 for V12.1 as described on r&d forum:

Upgrade of VBR to 12.1 with Hardened Repo - R&D Forums (veeam.com)

Maybe @HannesK could give some advices if you want to update now.


Comment