Secure SSH Access on Proxmox VE

By default, Proxmox VE permits root login via SSH, which is a significant security risk in production or exposed environments. This chapter walks you through disabling root login, creating a privileged sudo user, and enforcing public key authentication only.

Goal: Eliminate password-based logins and prevent direct root access over SSH.

Step 1: Disable Root Login via SSH

  1. Connect to your Proxmox node as root via SSH or console.
  2. Edit the SSH daemon configuration:
nano /etc/ssh/sshd_config
  3. Locate and modify:
- PermitRootLogin yes
+ PermitRootLogin no
  4. Save and exit (Ctrl+O, Enter, Ctrl+X).
  5. Restart the SSH service:
systemctl restart sshd

Note: After this step, root can no longer log in via SSH. Ensure you have an alternative access method (e.g., console, IPMI) before proceeding.

Step 2: Create a Sudo User with Key-Based Authentication

2.1 Create the User

adduser myuser

Follow the prompts to set a strong password (temporary; it will be disabled later).

2.2 Grant Sudo Privileges

usermod -aG sudo myuser

2.3 Generate an SSH Key Pair (on your local machine)

ssh-keygen -t ed25519 -C "myuser@proxmox"
# or for maximum compatibility:
# ssh-keygen -t rsa -b 4096 -C "myuser@proxmox"

Press Enter to accept the default location (~/.ssh/id_ed25519).

2.4 Copy the Public Key to Proxmox

ssh-copy-id myuser@<proxmox-ip-or-hostname>

Enter the temporary password when prompted.

2.5 Test Login

ssh myuser@<proxmox-ip-or-hostname>

You should log in without a password.

Step 3: Enforce Key-Only Authentication

  1. Log in as myuser (via key).
  2. Edit the SSH config again:
sudo nano /etc/ssh/sshd_config
  3. Ensure these lines are set:
- PasswordAuthentication yes
+ PasswordAuthentication no

- ChallengeResponseAuthentication yes
+ ChallengeResponseAuthentication no
  4. (Optional but recommended) Explicitly allow pubkey:
PubkeyAuthentication yes
  5. Save, exit, and restart SSH:
sudo systemctl restart sshd

Final State:

  • Root login: disabled
  • Password login: disabled
  • Only myuser with SSH key can log in
  • myuser has full sudo access
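
To confirm the final state really is in effect, check what sshd resolves rather than what the file says, since an Include'd drop-in or an earlier duplicate line can override an edit to /etc/ssh/sshd_config. The script below is an added example, not part of the original page: the function name audit_sshd and both sample inputs are constructed for illustration, and it expects the "keyword value" lines that `sshd -T` prints.

```shell
#!/bin/sh
# Added example (not from the original page): check sshd effective settings.
# Input: `sshd -T`-style lines, i.e. "keyword value" with lowercased keywords.
# Output: one line per check; exit status 0 only if every check passes.
audit_sshd() {
    awk '
        function check(key, want) {
            if (!(key in cfg)) { printf "MISSING %s (want %s)\n", key, want; bad++ }
            else if (cfg[key] != want) { printf "FAIL %s=%s (want %s)\n", key, cfg[key], want; bad++ }
            else printf "ok %s=%s\n", key, want
        }
        # Keep the first value per keyword, as sshd itself does.
        NF >= 2 { k = tolower($1); if (!(k in cfg)) cfg[k] = tolower($2) }
        END {
            check("permitrootlogin", "no")
            check("passwordauthentication", "no")
            check("pubkeyauthentication", "yes")
            # OpenSSH 8.7+ treats ChallengeResponseAuthentication as a deprecated
            # alias of KbdInteractiveAuthentication; check whichever name is present.
            n = 0
            if ("kbdinteractiveauthentication" in cfg) { check("kbdinteractiveauthentication", "no"); n++ }
            if ("challengeresponseauthentication" in cfg) { check("challengeresponseauthentication", "no"); n++ }
            if (n == 0) check("kbdinteractiveauthentication", "no")
            exit (bad > 0)
        }
    '
}

# Constructed sample: effective settings after Steps 1-3.
sample_hardened() {
    printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'pubkeyauthentication yes'
}

# Constructed sample: root and password logins still enabled.
sample_default() {
    printf '%s\n' 'permitrootlogin yes' 'passwordauthentication yes' \
        'kbdinteractiveauthentication no' 'pubkeyauthentication yes'
}

# Demo on the constructed sample; on a real node run: sudo sshd -T | audit_sshd
sample_default | audit_sshd || echo "=> not hardened yet"
```

Running `sudo sshd -t` before each restart catches syntax errors in the edited file. Keep your current SSH session open until a new login has been tested in a second terminal.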

Bonus: Streamline Access with admin.pve and SSH Config

Many users prefer logging in via the Proxmox web interface's built-in Shell using the admin.pve realm user. Here's how to enable key-based login for it.

1. Generate a Dedicated Key (Local Machine)

ssh-keygen -t ed25519 -C "admin.pve" -f ~/.ssh/admin_pve_key

2. Copy Public Key to Proxmox

ssh-copy-id -i ~/.ssh/admin_pve_key.pub admin.pve@<proxmox-hostname>

3. Create an SSH Config Shortcut (~/.ssh/config)

Host proxmox
    HostName <proxmox-ip-or-hostname>
    User admin.pve
    IdentityFile ~/.ssh/admin_pve_key
    Port 22

Make it private:

chmod 600 ~/.ssh/config

4. Connect Instantly

ssh proxmox

→ Opens a shell as admin.pve with full Proxmox CLI access (pct, qm, pveam, etc.).