Securing SSH Access for LXC Containers (Proxmox)

By default, ~~Proxmox~~many VELXC ~~permits~~templates allow root login via SSH~~---~~, sometimes even with password authentication. This represents a significant security ~~risk~~risk, inespecially ~~production or~~for exposed environments.

This chapter ~~walks~~describes ~~you~~how ~~through~~to secure SSH access inside an LXC container by:

disabling direct root login,

creating an admin account in the container

adding ~~creating~~your aown ~~privileged sudo user~~~~, and~~ ~~enforcing~~SSH public key for login

enforcing key-only authentication

~~only~~

Goal: ~~Eliminate~~Only ~~password-based~~your ~~logins~~admin ~~and~~user ~~prevent~~with ~~direct~~an ~~root~~SSH key can log in. No password logins. No SSH access ~~over~~as ~~SSH.~~root.

Step 1: DisableCreate Rootan LoginAdmin viaUser SSHInside the LXC Container

Connect to ~~your~~the container via:

pct enter <CTID> # or use the Proxmox node as root via SSH or console.\

Edit the SSH daemon configuration: bash nano /etc/ssh/sshd_config\ Locate and modify:

- PermitRootLogin yes + PermitRootLogin no Save and exit (Ctrl+O, Enter, Ctrl+X).\ Restart the SSH service: systemctl restart sshdconsole

Note: After this step, root can no longer log in via SSH. Ensure
you have an alternative access method (e.g., console, IPMI) before
proceeding.

Step 2: Create a Sudo User with Key-Based Authentication

2.1 Create the User
user:
adduser myuseradmin

FollowAssign promptssudo to set a strong password (temporary---will be disabled
later).privileges:

2.2 Grant Sudo Privileges
usermod -aG sudo myuseradmin

2.3This account will be used for SSH access.


Step 2: Add Your SSH Key to the Container

Generate an SSH Keykey Pairpair (on your local machine)machine (if you don't have one yet):
ssh-keygen -t ed25519 -C "myuser@proxmox"
# or for maximum compatibility:
# ssh-keygen -t rsa -b 4096 -C "myuser@proxmox"admin@lxc"

PressThen Enter to accept default location (~/.ssh/id_ed25519).

2.4 Copycopy the Publicpublic Keykey tointo Proxmox
the container:
ssh-copy-id myuser@admin@<proxmox-lxc-ip-or-hostname>

Enter the temporary password whenonce.
prompted.After this step, SSH login should work using your key.
2.5 Test Login
Test:
ssh myuser@admin@<proxmox-lxc-ip-or-hostname>

You should log in without a password.

Step 3: EnforceDisable Key-OnlyRoot Authentication


LogLogin in asthe myuserContainer
(via key).\

EditInside the SSH config again:

container:
sudo nano /etc/ssh/sshd_config

Adjust:
Ensure- thesePermitRootLogin linesyes
are+ set:
PermitRootLogin 
no

Restart SSH:

sudo systemctl restart sshd

Root can no longer access the container via SSH.


Step 4: Enforce Key-Only Authentication

Still inside the container:

sudo nano /etc/ssh/sshd_config

Ensure:
- PasswordAuthentication yes
+ PasswordAuthentication no

- ChallengeResponseAuthentication yes
+ ChallengeResponseAuthentication no


(Optional but recommended) Explicitly allow pubkey:

:
PubkeyAuthentication yes


Save, exit, and restart SSH:

Restart:
sudo systemctl restart sshd


Final State:\
State

RootSSH root login: disabled\
Password login:authentication: disabled\
Only myuseradmin with your SSH key can log in\in
myuseradmin has full sudo access


Bonus: Streamline Access with admin.pve and SSH Config

Many users prefer logging in via the Proxmox web interface's built-in
Shell using the admin.pve realm user. Here's how to enable
key-based login for it.

1. Generate a Dedicated Key (Local Machine)

ssh-keygen -t ed25519 -C "admin.pve" -f ~/.ssh/admin_pve_key

2. Copy Public Key to Proxmox

ssh-copy-id -i ~/.ssh/admin_pve_key.pub admin.pve@<proxmox-hostname>

3. Create anOptional: SSH Config Shortcut (~/.ssh/config)
Local Machine)
To simplify access, create a local SSH config entry:
Host proxmoxlxc-admin
    HostName <proxmox-lxc-ip-or-hostname>
    User admin.pveadmin
    IdentityFile ~/.ssh/admin_pve_keyid_ed25519
    Port 22

Make it private:
chmod 600 ~/.ssh/config

4.Now Connectconnect Instantly
with:
ssh proxmoxlxc-admin


→If Opensyou'd like, I can:

✅ add a shellversion asspecifically for templating LXC containers, so every future container inherits this setup
✅ add a security section about admin.pvepve-firewall with full Proxmox CLI access (pct,+ qmsshd, pveam,binding etc.).to a VPN interface only

Securing SSH Access for LXC Containers (Proxmox)

Step 1: DisableCreate Rootan LoginAdmin viaUser SSHInside the LXC Container

Step 2: Create a Sudo User with Key-Based Authentication

2.1 Create the User

2.2 Grant Sudo Privileges

2.3
This account will be used for SSH access.

Step 2: Add Your SSH Key to the Container

2.4 Copycopy the Publicpublic Keykey tointo Proxmox

Step 3: EnforceDisable Key-OnlyRoot Authentication

Step 4: Enforce Key-Only Authentication

Final State:\
State

Bonus: Streamline Access with admin.pve and SSH Config

1. Generate a Dedicated Key (Local Machine)

2. Copy Public Key to Proxmox

3. Create anOptional: SSH Config Shortcut (~/.ssh/config)

4.
Now Connectconnect Instantly

Securing SSH Access for LXC Containers (Proxmox)

Step 1: DisableCreate Rootan LoginAdmin viaUser SSHInside the LXC Container

Step 2: Create a Sudo User with Key-Based Authentication

2.1 Create the User

2.2 Grant Sudo Privileges

2.3This account will be used for SSH access.

Step 2: Add Your SSH Key to the Container

2.4 Copycopy the Publicpublic Keykey tointo Proxmox

2.5 Test Login

Step 3: EnforceDisable Key-OnlyRoot Authentication

Step 4: Enforce Key-Only Authentication

Final State:\State

Bonus: Streamline Access with admin.pve and SSH Config

1. Generate a Dedicated Key (Local Machine)

2. Copy Public Key to Proxmox

3. Create anOptional: SSH Config Shortcut (~/.ssh/config)

4.Now Connectconnect Instantly

2.3
This account will be used for SSH access.

Final State:\
State

4.
Now Connectconnect Instantly