Veeam v13 – VSA Password Recovery

INTRODUCTION

Following the recent article on the use of Custom Settings in the Veeam Software Appliance, we will now look at another topic that involves some significant differences compared to the Windows version: password management for local users on the Veeam Backup & Replication Server.

VSA – USERS AND ROLES

We have always been familiar with the classic VBR installed on Windows OS, where we create new local users via the “Local Users and Groups” interface, accessible directly via the “lusrmgr.msc” snap-in or integrated within the “Computer Management” tool.

Even when resetting a user password, the change is always made via this panel. The important thing, of course, is to always have administrative access to the OS.

With the introduction of the Linux-based VSA, things have obviously changed.

User management is carried out, in this case, via the Veeam Host Management Console, and is only permitted for users with the Host Administrator role.

Furthermore, if the user with the Security Officer role is also enabled during the initial wizard, it will be possible to perform a series of specific operations, which we will look at in detail shortly.

Note: if the Security Officer step is skipped during installation, in order to enable the default user “veeamso” at a later stage, it will be necessary to reinstall the VSA from scratch.

VSA – PASSWORD RECOVERY

Normally, a standard user’s password is reset by a Host Administrator.

In turn, to change the password of a Host Administrator who can no longer access the Veeam Host Management Console, another Host Administrator is required. Upon their next login, the user will need to reconfigure their MFA.

What happens, however, if the Host Administrator who needs to recover their password is the only user in the system with this role?

There are two procedures: one to use if there is a user with the Security Officer role in the system, and one if this role has not been assigned.

In the first case, the Host Administrator initiates the password recovery process via the corresponding “Forgot password” link. This process must be approved by the Security Officer, who then enables the Host Administrator to receive the credential reset email and complete the wizard for creating new credentials.

In the second case, since the Host Administrator account is the only one in the system, the password recovery above is not possible and an “emergency” procedure is required instead.

As indicated in the official KB4761, you must use the “LiveOS ISO” provided by Veeam and follow the steps below:

  • Mount the ISO in the VSA VM
  • Restart the VM and boot from the ISO
  • Launch the Veeam Live Environment wizard
  • Log in using the default credentials “root/veeam”
  • Set a new root password for the Live Environment

Once logged in, we can begin the password recovery process.

The first step is to mount the VSA’s filesystem: veeam_mount_system

The second step is to access the VSA’s filesystem with root privileges: veeam_chroot_system

Once inside, depending on your needs, you can:

  • unlock an account: faillock --user <username> --reset
  • reset a password: passwd <username>

Once the account recovery operation is complete, exit LiveOS and reboot the VSA.

Note: to reset the MFA using this procedure, you must contact official Veeam support. If the MFA to be reset belongs to a Security Officer account, the only possible method is via the recovery token.

Tip: to review or modify the account lockout policy, edit the file /etc/security/faillock.conf; the password requirements, on the other hand, are defined in /etc/security/pwhistory.conf and /etc/security/pwquality.conf.
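The emergency steps above (unlock, then reset) together with the tip on the policy files, wrapped in a small shell helper to run inside the chroot reached via veeam_mount_system and veeam_chroot_system. This is an added example, not Veeam's KB or the original post's code; it assumes the key = value syntax of pam_faillock's faillock.conf and pam_pwquality's pwquality.conf, and the FAILLOCK_CONF/PWQUALITY_CONF variables are my own so the report can be tried on a copy of the files.

```shell
#!/bin/sh
# Added example helper for the VSA emergency recovery; run as root inside the
# chroot. Paths come from the post; the override variables are an assumption.
FAILLOCK_CONF="${FAILLOCK_CONF:-/etc/security/faillock.conf}"
PWQUALITY_CONF="${PWQUALITY_CONF:-/etc/security/pwquality.conf}"

# Print the effective value of KEY in a key = value policy file: comments and
# blank lines are ignored, the last assignment wins, "missing" if absent.
conf_value() {
    file="$1"; key="$2"
    val=$(sed -n 's/^[[:space:]]*'"$key"'[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p' "$file" 2>/dev/null \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'missing\n'
}

# Summarise the lockout and password policy the recovered account will face,
# so you know why it locked and what the new password must satisfy.
policy_report() {
    printf 'faillock: deny=%s unlock_time=%s fail_interval=%s\n' \
        "$(conf_value "$FAILLOCK_CONF" deny)" \
        "$(conf_value "$FAILLOCK_CONF" unlock_time)" \
        "$(conf_value "$FAILLOCK_CONF" fail_interval)"
    printf 'pwquality: minlen=%s\n' "$(conf_value "$PWQUALITY_CONF" minlen)"
}

# Unlock and reset one account; refuses to run unless root (i.e. in the chroot).
recover_account() {
    user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root inside veeam_chroot_system" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    faillock --user "$user"            # show the recorded failures before clearing them
    faillock --user "$user" --reset    # unlock
    passwd "$user"                     # set the new password interactively
}

# Usage: ./vsa-recover.sh <username>   (does nothing when called without one)
if [ -n "${1:-}" ]; then
    policy_report
    recover_account "$1"
fi
```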

CONCLUSION

We have seen how the VSA administrative account recovery procedures differ from those of a classic Windows-based VBR server, but by following the correct steps, it is still possible to get out of trouble.

Tip: we recommend always having at least one additional user configured with the Host Administrator role, preferably without MFA, to be used as a “break glass account” exclusively in emergencies.

Enjoy! 💚