
Securing SSH Access for LXC Containers (Proxmox)

By default, many LXC templates allow root login via SSH, sometimes even with password authentication. This is a significant security risk, especially for containers reachable from untrusted networks.

This chapter describes how to secure SSH access inside an LXC container by:

  • disabling direct root login
  • creating an admin account in the container
  • adding your own SSH public key for login
  • enforcing key-only authentication

Goal: Only your admin user with an SSH key can log in. No password logins. No SSH access as root.


Step 1: Create an Admin User Inside the LXC Container

Connect to the container via:

pct enter <CTID>
# or use the Proxmox console

Create the user:

adduser admin

Assign sudo privileges:

usermod -aG sudo admin

This account will be used for SSH access.


Step 2: Add Your SSH Key to the Container

Generate an SSH key pair on your local machine (if you don't have one yet):

ssh-keygen -t ed25519 -C "admin@lxc"

Then copy the public key into the container:

ssh-copy-id admin@<lxc-ip-or-hostname>

Enter the temporary password (the one set for admin in Step 1) once. After this step, SSH login should work using your key.

Test:

ssh admin@<lxc-ip-or-hostname>

You should log in without a password.


Step 3: Disable Root Login in the Container

Inside the container:

sudo nano /etc/ssh/sshd_config

Adjust:

- PermitRootLogin yes
+ PermitRootLogin no

Restart SSH:

sudo systemctl restart sshd

Root can no longer access the container via SSH. Access from the Proxmox host as used in Step 1 does not go through SSH and is unaffected.


Step 4: Enforce Key-Only Authentication

Still inside the container:

sudo nano /etc/ssh/sshd_config

Ensure:

- PasswordAuthentication yes
+ PasswordAuthentication no

- ChallengeResponseAuthentication yes
+ ChallengeResponseAuthentication no

(Optional but recommended):

PubkeyAuthentication yes

Restart:

sudo systemctl restart sshd

Final State

  • SSH root login: disabled
  • Password authentication: disabled
  • Only admin with your SSH key can log in
  • admin has full sudo access
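
To confirm this final state on the running configuration rather than by reading the file, the following added example (not part of the original guide) checks the effective settings that `sshd -T` prints. This matters where sshd_config includes drop-in files from /etc/ssh/sshd_config.d/ (as Debian and Ubuntu do), because sshd uses the first value it reads for each keyword, so an included file can override the edits from Steps 3 and 4. The function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
# Added example: audit effective sshd settings against this chapter's goal.
# Real use, as root inside the container:  sshd -T | audit_sshd
# Target values, keyed by the lowercase keyword names that `sshd -T` prints.
EXPECTED='permitrootlogin=no passwordauthentication=no kbdinteractiveauthentication=no pubkeyauthentication=yes'

# Reads "keyword value" lines on stdin, prints one line per deviation,
# and returns 1 if any setting is missing or differs from EXPECTED.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            bad = 0
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        {
            key = tolower($1)
            # Older OpenSSH prints the deprecated keyword for the same setting.
            if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
            if ((key in want) && !(key in got)) got[key] = tolower($2)
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in got)) { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
                else if (got[k] != want[k]) { printf "FAIL %s is %s (want %s)\n", k, got[k], want[k]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: a drop-in file re-enabled passwords despite Step 4.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: hardened container on an older OpenSSH release.
SAMPLE_HARDENED='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no'

for sample in "$SAMPLE_OVERRIDDEN" "$SAMPLE_HARDENED"; do
    if printf '%s\n' "$sample" | audit_sshd; then echo "OK: matches the goal"; else echo "NOT HARDENED"; fi
done
```

Run the audit from a session you keep open, and confirm a fresh key-based login as admin works before closing it.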

Optional: SSH Config Shortcut (Local Machine)

To simplify access, create a local SSH config entry:

Host lxc-admin
    HostName <lxc-ip-or-hostname>
    User admin
    IdentityFile ~/.ssh/id_ed25519
    Port 22

Make it private:

chmod 600 ~/.ssh/config

Now connect with:

ssh lxc-admin
