Skip to main content

Secure SSH Access Setup for Proxmox and LXC

The goal is to establish a consistent, key-based authentication model across both the Proxmox host and its containers:

  • no SSH root login
  • no password authentication
  • access only through an admin user with an SSH key
  • convenient access via SSH configuration

This approach reduces attack surface and improves manageability.

Part 1: Prepare Your Local Machine

Generate an SSH key pair

If not already available:

ssh-keygen -t ed25519 -C "admin"

Store it securely, for example:

/home/username/.ssh/admin_key

Optional: Add the key to the agent

If the key has a passphrase:

ssh-add /home/username/.ssh/admin_key

Part 2: Secure the Proxmox Host

Create an administrative user

On the Proxmox host (web shell or SSH):

adduser admin
usermod -aG sudo admin

Deploy your SSH key

ssh-copy-id -i /home/username/.ssh/admin_key.pub admin@<Proxmox-hostname>

Test access:

ssh -i /home/username/.ssh/admin_key admin@<Proxmox-hostname>

Disable insecure authentication

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

Apply changes:

systemctl restart sshd

The host now accepts only key-based logins for admin.

Part 3: Secure LXC Containers

Many templates allow SSH access as root, sometimes with passwords. Apply the same hardening inside each container.

Create an administrative user

Access the container:

pct enter <CTID>

Create the user and grant sudo access:

adduser admin
usermod -aG sudo admin

Deploy your key to the container

On your local machine:

ssh-copy-id -i /home/username/.ssh/admin_key.pub admin@<lxc-ip-or-hostname>

Test:

ssh admin@<lxc-ip-or-hostname>

Disable insecure authentication inside the container

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

Restart:

sudo systemctl restart sshd

The container now mirrors the security posture of the host.

Part 4: Local SSH Convenience Configuration

To simplify access, create or edit:

~/.ssh/config

Example:

Host proxmox
    HostName <Proxmox-hostname>
    User admin
    IdentityFile /home/username/.ssh/admin_key

Host lxc-admin
    HostName <lxc-ip-or-hostname>
    User admin
    IdentityFile /home/username/.ssh/admin_key

Protect the file:

chmod 600 ~/.ssh/config

Now you can connect with:

ssh proxmox
ssh lxc-admin

Result

  • Proxmox host and containers use the same secure login method
  • root login disabled everywhere
  • password authentication disabled
  • one key and one user for administrative access
  • simple host selection through SSH configuration
Back to top