(How-To) Setup an OpenSSH SFTP Server to Store NSX-T Backups

We are going to walk through configuring an Ubuntu 18.04 LTS server with a dedicated service account to be used for backing up your NSX-T appliances. We will then walk through testing your backup solution to ensure you have end-to-end connectivity.

I chose the OpenSSH package on Ubuntu 18.04 LTS as our NSX-T backup solution because it's stable, secure, open source and, best of all, it's FREE!

The ISO for Ubuntu 18.04 LTS can be found here.

Create a service account to be used for SFTP backups

What is a service account and why should I create/use one?

A service account is an account used by a machine to connect to, or perform an action on, other machines. The benefit of a service account is that you can grant only the permissions necessary for the actions that machine needs to perform. Choosing an account name that stands out, so it is easily identifiable as a service account and shows which machine uses it, is also a big help from a security perspective when reviewing logs. If you simply used the root account it would be difficult to determine whether the actions you see executed by that account are legitimate. Also, the root account has unfettered access to the system.

We will be creating a service account with a name beginning with ‘svc‘ to easily identify this account as a service account, followed by ‘backup‘ to identify the purpose of the service account, and finally ending with something to identify which machine uses this service account. In our case it's the NSX-T manager, so we will be using ‘nsxt‘.

When creating the account you will be required to choose a password. Set a strong password for the backup service account that is going to be used for backing up your NSX-T manager.

1) Log in to the SFTP server

2) To add the service account user we will need to run the following command:

Make sure the passwords you select meet VMware’s and your company’s password complexity requirements.

VMware password complexity requirements:

  • At least 12 characters
  • At least one lower-case letter
  • At least one upper-case letter
  • At least one digit
  • At least one special character
  • At least five different characters
  • No dictionary words
  • No palindromes
  • No monotonic sequence of more than four characters

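Before running adduser, the candidate password can be pre-checked against the rules listed above so the account does not have to be re-created later. This is an added example, not part of the original post; it assumes bash with GNU coreutils, and treats "No dictionary words" as "the whole password is not a word", checked only if /usr/share/dict/words exists (an assumption about the system word list).

```bash
#!/usr/bin/env bash
# check_pw_policy PASSWORD: test a candidate service-account password against
# the VMware complexity rules listed above. Prints the first failing rule and
# returns 1; returns 0 when every rule passes.
check_pw_policy() {
  local LC_ALL=C
  local pw="$1" n i c prev d step run distinct
  n=${#pw}
  [ "$n" -ge 12 ] || { echo "fail: fewer than 12 characters"; return 1; }
  [[ $pw =~ [[:lower:]] ]] || { echo "fail: no lower-case letter"; return 1; }
  [[ $pw =~ [[:upper:]] ]] || { echo "fail: no upper-case letter"; return 1; }
  [[ $pw =~ [[:digit:]] ]] || { echo "fail: no digit"; return 1; }
  [[ $pw =~ [^[:alnum:]] ]] || { echo "fail: no special character"; return 1; }
  # at least five different characters: one char per line, dedupe, count
  distinct=$(printf '%s' "$pw" | grep -o . | sort -u | wc -l)
  [ "$distinct" -ge 5 ] || { echo "fail: fewer than 5 different characters"; return 1; }
  # no palindromes: the password must differ from its reverse
  [ "$(printf '%s' "$pw" | rev)" != "$pw" ] || { echo "fail: palindrome"; return 1; }
  # no monotonic sequence longer than four: a run of 5+ characters whose
  # codes each step by exactly +1 (abcde, 12345) or exactly -1 (54321)
  prev=$(printf '%d' "'${pw:0:1}"); step=0; run=1
  for (( i = 1; i < n; i++ )); do
    c=$(printf '%d' "'${pw:i:1}"); d=$(( c - prev ))
    if [ "$d" -eq 1 ] || [ "$d" -eq -1 ]; then
      if [ "$d" -eq "$step" ]; then run=$(( run + 1 )); else step=$d; run=2; fi
    else
      step=0; run=1
    fi
    [ "$run" -le 4 ] || { echo "fail: monotonic sequence longer than 4 characters"; return 1; }
    prev=$c
  done
  # whole-password dictionary check, only when a word list is present (assumption)
  if [ -r /usr/share/dict/words ] && grep -qixF -- "$pw" /usr/share/dict/words; then
    echo "fail: dictionary word"; return 1
  fi
  echo "ok: password meets the listed complexity rules"
}
```

Run it as `check_pw_policy 'candidate'` before typing the password into adduser; a non-zero return names the rule that failed.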
adduser svc_backup-nsxt
Adding user `svc_backup-nsxt' ...
Adding new group `svc_backup-nsxt' (1001) ...
Adding new user `svc_backup-nsxt' (1001) with group `svc_backup-nsxt' ...
Creating home directory `/home/svc_backup-nsxt' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for svc_backup-nsxt
Enter the new value, or press ENTER for the default
        Full Name []: backup service account
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y

Now that we have successfully created our service account, we need to add the service account to the group ‘backup’. We want to add our backup service account to a group so it's easier to manage permissions for this backup service account and any other backup service accounts that may be created in the future to back up other machines via SFTP. Remember, each service account ends with the name of the machine using the account, so service accounts should not be reused with other appliances.

3) To add our service account to the ‘backup’ group we will run the following command

usermod -aG backup svc_backup-nsxt

Command Flags:

  -a, --append                 append the user to the supplemental GROUPS
  -G, --groups GROUPS          new list of supplementary GROUPS

Now, let’s list the groups our service account is a member of to confirm we successfully added our service account to the ‘backup’ group. We can do that with the following command.

id svc_backup-nsxt
uid=1001(svc_backup-nsxt) gid=1001(svc_backup-nsxt) groups=1001(svc_backup-nsxt),34(backup)

Create the folder where our SFTP backups will be stored

Next, we need to create the folder structure where all of our SFTP backup files will be stored and then apply the correct permissions to the folder structure so our backup service accounts group has read, write and execute permissions.

4) To create the folders, run the following command, which creates the whole path at once

mkdir -p /sftp/backups/nsx-t_backups

Command flags:

  -p, --parents     no error if existing, make parent directories as needed

Now that we have our folder structure in place for holding our backups, we need to change the owner, group and permissions on these folders to allow the members of the ‘backup’ group to write their backup files to the folders.

5) Run the following command to change the owner and group of our backup folder structure recursively

chown -R svc_backup-nsxt:backup /sftp/

Command Flags:

  -R, --recursive   operate on files and directories recursively

Next, we need to change the permissions on the folders to ensure only the permissions necessary are given.

chmod -R 775 /sftp

Command Flags:

  7 – read, write, execute (user)
  7 – read, write, execute (group)
  5 – read, execute (others)

  -R, --recursive   operate on files and directories recursively
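Steps 4 and 5 above, scripted as two small bash functions: one creates and permissions the tree, the other checks the result with stat(1) and id(1) instead of eyeballing ls -l. This is an added example, not part of the original post; it assumes GNU coreutils (as on Ubuntu 18.04) and the path, account and group names used above, and is meant to be run as root on the SFTP server.

```bash
#!/usr/bin/env bash
# ensure_backup_layout ROOT USER GROUP MODE: create ROOT/backups/nsx-t_backups,
# then chown and chmod the whole tree recursively (steps 4 and 5 above).
ensure_backup_layout() {
  local root="$1" user="$2" group="$3" mode="$4"
  mkdir -p "$root/backups/nsx-t_backups" || return 1
  chown -R "$user:$group" "$root" || return 1
  chmod -R "$mode" "$root" || return 1
}

# verify_backup_layout ROOT USER GROUP MODE: return 0 only if USER is a member
# of GROUP and every directory under ROOT has the expected owner, group and
# octal mode; otherwise print the first mismatch and return 1.
verify_backup_layout() {
  local root="$1" user="$2" group="$3" mode="$4" dir got
  id -nG "$user" | tr ' ' '\n' | grep -qx -- "$group" || {
    echo "fail: $user is not a member of $group"; return 1; }
  while IFS= read -r dir; do
    got=$(stat -c '%U:%G %a' "$dir")      # GNU coreutils stat(1)
    [ "$got" = "$user:$group $mode" ] || {
      echo "fail: $dir is $got, expected $user:$group $mode"; return 1; }
  done < <(find "$root" -type d)
  echo "ok: $root tree is $user:$group with mode $mode"
}

# Apply the layout from the post when invoked as:  sudo bash sftp-layout.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_backup_layout /sftp svc_backup-nsxt backup 775 &&
    verify_backup_layout /sftp svc_backup-nsxt backup 775
fi
```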

Testing connectivity between NSX-T manager and the SFTP server (optional)

Now that we have successfully configured our SFTP server, we need to verify connectivity, that the SFTP service is running, and that permissions are correct.

6) Log in to an NSX-T manager appliance as root. If you do not have root login enabled, log in as the ‘admin’ account, type ‘st en’ and then provide your root password.

nsxt-mgr> st en
Password:
***************************************************************************
NOTICE TO USERS

WARNING! Changes made to NSX Data Center while logged in as the root user
can cause system failure and potentially impact your network. Please be
advised that changes made to the system as the root user must only be made
under the guidance of VMware.
***************************************************************************
root@nsxt-mgr:~#

7) From the root CLI of an NSX-T manager appliance we will run the following command to connect to our SFTP server and log in, using the OpenSSH client built in to the NSX-T appliance.

sftp svc_backup-nsxt@sftp-backup
The authenticity of host 'sftp-backup (10.0.1.27)' can't be established.
ECDSA key fingerprint is SHA256:tm1qkfHb19sx5qzwJABAtojOd4cVywRCjmkoGeHeR6E.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sftp-backup' (ECDSA) to the list of known hosts.

             Authorized Personnel Only
--------------------------------------------------------
WARNING: Unauthorized access to this system is forbidden
and will be prosecuted to the fullest extent of the law.
--------------------------------------------------------

svc_backup-nsxt@sftp-backup's password:
Connected to sftp-backup.

Now that we are connected to our SFTP server we have successfully validated that:

  • We have network connectivity from the NSX-T manager to the SFTP server
  • The SFTP server service is running on the SFTP server listening for connections
  • The service account created has permission to connect via the SFTP protocol

8) Now we need to verify the service account has permission to navigate to the destination backup folder structure we created earlier, and we create a folder there to verify we have ‘write’ permission

cd /sftp/backups/nsx-t_backups/
mkdir test
ls
test
rmdir test
ls
bye

We have now successfully deployed a backup SFTP server that meets the security requirements of NSX-T and validated end-to-end network connectivity, that the SFTP service is running and listening, and that the service account has the necessary permissions.

Next, we need to configure our NSX-T manager appliance to back up to our SFTP server. The steps to configure the NSX-T manager for SFTP backups can be found in our (How-To) Setup Automatic Backups For NSX-T.
