82views
Introduction
Veeam Software’s Software Appliance (VSA) and Infrastructure Appliance are designed with security as a core principle. Out of the box, they are hardened, consistent, and tightly controlled—but also intentionally restrictive. By default, there is no SSH, shell access, root login, or sudo privileges. All access is governed through controlled requests and explicit approvals.
While this approach significantly enhances security, it also requires administrators to understand the proper workflow for obtaining shell access—especially when root-level access becomes necessary.
This guide outlines the real-world process, including the user interface flow, approval mechanisms, and common operational challenges. It also covers recovery scenarios, such as when the web console has been disabled and needs to be restored.
There are two primary methods to enable SSH access. The first is through the local Veeam Host Management console available directly on the machine during initial setup. After configuration, access can also be managed remotely via the web-based host management console, which is accessible over port 10443.
How to get root access?
Root access can be obtained through 3 pathways that are essentially the same. The first two are again the Veeam Host Management console, locally on the machine, and the web host management console on port 10443. Once you have SSH access, you can request root access via the Veeam Host management console over SSH as well. You can also restrict access via these interfaces.
Note
I also enable the security officer option in the lab. That can indeed be annoying during testing, but I like to train with the tools I will use when it’s for real. You learn and operate under the same restrictions as in production and, yes, suffer the same frustrations at times. That is the price of security.
The local Veeam Host Management console
At your appliance console, select Sign In.
Enter your username and password and hit ENTER.
When prompted, enter your OTP to login.
From that point on, everything you need lives under the Remote Access configuration.
To request shell access, you choose Enter shell.
As mentioned, we have a security officer, so approval must be granted by that person.
The security officer can now approve or decline your request.
FYI: the security officer sign-in is only available via the web console!
Note that the entry for the approved request does not disappear. The security officer can decline it at any moment. For example, when you notify the security officer that you have completed your work. If not, it will expire after 8 hours.
Anyway, the console message changed to “Press <Enter> to access shell” and “Press <F1> to disable shell access.”
Hit ENTER, and you have shell access with root privileges.
Note that this root shell access is:
- Time‑limited / non‑persistent
- Audited
- The only supported escalation path
Enabling root shell access via the web host management UI
Navigate to the IP address or the FQDN of your appliance over port 10443 and log in
Under Overview, you can request root access. Again, this triggers the security officer approval workflow.
Once approved, a warning is displayed indicating that access privileges have been elevated to root. Note that you can revoke these yourself at any time.
Once approved, the TUI will allow you to open a temporary, audited root shell.
Once shell access is approved, you can:
- Choose Enter shell in the TUI on the physical or virtual console
- or enable SSH and log in remotely
Note that you always authenticate as the Host Administrator, not root. Dropping into the shell is always as root. When logged in via SSH, you do not use sudo or su to become root. You have to launch the TUI manually. Just run:
/opt/veeam/hostmanager/veeamhostmanagertui
That is useful when you want to activate an already-approved root shell without returning to the physical or virtual console.
As you can see, you have the same interface and have to sign in again. You can then enter the shell only if approval has already been granted; otherwise, you’ll have to wait for your security officer to approve your request. For people without access to the physical or virtual console, requesting SSH access in combination with root shell access is the only option. SSH alone will never get you to root. Remember that. Because:
- root login is disabled
- SSH root login is disabled
- sudo is restricted
- No direct escalation paths exist outside the TUI, making it the only supported privilege‑escalation mechanism.
Turning off the host management web UI
The appliance also lets you turn off the host management web UI. Sure, it might sound great for even further hardening, but it comes with an Important catch: turning off the host management web UI can Lock You Out (unless you have physical or virtual console access).
If you disable the web console and you do not have shell access or SSH enabled, the only way back in is through the hypervisor VM console. The physical or virtual console is your last‑resort access path. If you lose that, you have basically lost the appliance if all other options are disabled.
Some operational tips
Use root access with care and only when needed
I hope this is self-explanatory.
Use the web host management console & enable SSH on demand
We handle normal operations via the web consoles and the full console. When SSH is needed, request it.
Never turn off the web console unless you have guaranteed VM console access
If your hypervisor is managed by someone else, for example, think twice. Silos and multiple layers of communication and responsibilities are productivity, efficiency, and support-killing factors in way too many “enterprise”- grade environments. For real people, “enterprise IT” is not the badge of quality and efficiency many think it is; quite the contrary.
The Security Officer must be on call
When you tie actions to a security officer, ensure they are on call and kept informed. Make sure these are people with a clue, not just someone who approves anything without knowing what or why. Also, make sure they are very well aware of what normal backup and recovery operations require and what constitutes an exceptional but valid request. Otherwise, you can’t approve shell or root requests when you need them, or everything gets approved. The technology is only as good as the people and the processes.
Conclusion
While root shell access may be needed in a real-world environment, it should be used only when necessary and with great care. That is why I advise you to enable the security officer in production. And if you are like me, use the security officer feature in labs to make sure you learn and know the processes where this approval is required. How to Open a Root Shell on the Veeam Software or Infrastructure Appliance is also documented on Veeam Backup Enterprise Manager Guide
add a comment
Microsoft 365 Backup: delegate administration, configure billing policies
Microsoft has launched departmental billing for Microsoft 365 Backup, effective March 2, 2026, enabling organizations to configure billing policies, delegate...
How to Set Up Automated Incremental Backups with rsync and Cron on Linux
Data loss is one of the most disruptive events a system administrator or Linux user can experience. Hard drives fail....
Veeam Backup & Replication 13.0.1.180 Build 20251114
Veeam Backup & Replication 13.0.1.180 Build 20251114 is a powerful solution for backup, recovery, and data management, designed for virtual,...
Veeam Agent For Windows 13.0.1.120
Veeam Agent for Microsoft Windows 13.0.1.120 is a powerful and reliable backup solution designed to protect your Windows-based systems. Whether...
