
Securing SSH Access for LXC Containers (Proxmox)

By default, many LXC templates allow root login via SSH, sometimes even with password authentication. This represents a significant security risk, especially for exposed environments.

This chapter describes how to secure SSH access inside an LXC container by:

    • disabling direct root login
    • creating an admin account in the container
    • adding your own SSH public key for login
    • enforcing key-only authentication

    Goal: Only your admin user with an SSH key can log in. No password logins. No SSH access as root.


Step 1: Create an Admin User Inside the LXC Container

Connect to the container via:

    pct enter <CTID>
    # or use the console

Create the user:

    adduser admin

Assign sudo privileges:

    usermod -aG sudo admin

This account will be used for SSH access.


Step 2: Add Your SSH Key to the Container

Generate an SSH key pair on your local machine (if you don't have one yet):

    ssh-keygen -t ed25519 -C "admin@lxc"

Then copy the public key into the container:

    ssh-copy-id admin@<lxc-ip-or-hostname>

Enter the password once. After this step, SSH login should work using your key.

Test:

    ssh admin@<lxc-ip-or-hostname>

You should log in without a password.


Step 3: Disable Root Login in the Container

Inside the container:

    sudo nano /etc/ssh/sshd_config

Adjust:

    - PermitRootLogin yes
    + PermitRootLogin no

Restart SSH:

    sudo systemctl restart sshd

Root can no longer access the container via SSH.


Step 4: Enforce Key-Only Authentication

Still inside the container:

    sudo nano /etc/ssh/sshd_config

Ensure:

            - PasswordAuthentication yes
            + PasswordAuthentication no
            
            - ChallengeResponseAuthentication yes
            + ChallengeResponseAuthentication no
            

(Optional but recommended) Explicitly allow pubkey:

    PubkeyAuthentication yes

Restart:

    sudo systemctl restart sshd

Final State

    • SSH root login: disabled
    • Password authentication: disabled
    • Only admin with your SSH key can log in
    • admin has full sudo access
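
To confirm the final state of Steps 3 and 4, the following added example (not part of the original page) audits the effective settings that `sshd -T` prints, which matters because drop-in files under /etc/ssh/sshd_config.d/ can override edits made in sshd_config. The names `audit_sshd` and `sample_effective_config` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings after Steps 3 and 4.
# Inside the container, as root:  sshd -T | audit_sshd
# sshd -T prints the merged configuration, one lowercase "key value" per line.

audit_sshd() {
    # Reads `sshd -T` output on stdin and prints one line per finding.
    # Returns 0 when every required setting is in place, 1 otherwise.
    awk '
        BEGIN {
            want["permitrootlogin"]              = "no"
            want["passwordauthentication"]       = "no"
            want["pubkeyauthentication"]         = "yes"
            want["kbdinteractiveauthentication"] = "no"
            # Older OpenSSH reports this option under its previous name.
            alias["challengeresponseauthentication"] = "kbdinteractiveauthentication"
        }
        {
            key = tolower($1); val = tolower($2)
            if (key in alias) key = alias[key]
            if (key in want) {
                seen[key] = 1
                if (val != want[key]) {
                    printf "FAIL %s is %s, expected %s\n", key, val, want[key]
                    bad = 1
                }
            }
        }
        END {
            for (k in want) if (!(k in seen)) {
                printf "FAIL %s not reported\n", k
                bad = 1
            }
            if (!bad) print "OK key-only login, no root over SSH"
            exit bad + 0
        }
    '
}

# Constructed sample of hardened `sshd -T` output (not captured from a real host).
sample_effective_config() {
    printf '%s\n' \
        "port 22" \
        "permitrootlogin no" \
        "pubkeyauthentication yes" \
        "passwordauthentication no" \
        "kbdinteractiveauthentication no"
}
```

Running `sshd -t` before each restart catches syntax errors in sshd_config while the current session is still open.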

Optional: SSH Config Shortcut (Local Machine)

To simplify access, create a local SSH config entry:

    Host lxc-admin
        HostName <lxc-ip-or-hostname>
        User admin
        IdentityFile ~/.ssh/id_ed25519
        Port 22

Make it private:

    chmod 600 ~/.ssh/config

Now connect with:

    ssh lxc-admin
