Secure SSH Access Setup for Proxmox and LXC
The goal is to establish a consistent, key-based authentication model across both the Proxmox host and its containers:
- no direct SSH root login
- no password authentication
- login only through an admin user with an SSH key
This approach reduces attack surface and improves manageability.
Part 1: Prepare Your Local Machine
Generate an SSH key pair
If not already available:
ssh-keygen -t ed25519 -C "admin"
Store it securely, for example:
/home/username/.ssh/admin_key
Optional: Add the key to the agent
If the key has a passphrase:
ssh-add /home/username/.ssh/admin_key
Part 2: Secure the Proxmox Host
Create an administrative user
On the Proxmox host (web shell or SSH):
adduser admin
usermod -aG sudo admin
Deploy your SSH key
ssh-copy-id -i /home/username/.ssh/admin_key.pub admin@<Proxmox-hostname>
Test access:
ssh -i /home/username/.ssh/admin_key admin@<Proxmox-hostname>
Disable insecure authentication
Edit /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Apply changes:
systemctl restart sshd
The host now accepts only key-based logins for admin.
Part 3: Secure LXC Containers
Many templates allow SSH access as root, sometimes with passwords. Apply the same hardening inside each container.
Create an administrative user
Access the container from the Proxmox host (or use the Proxmox console):
pct enter <CTID>
Create the user and grant sudo access:
adduser admin
usermod -aG sudo admin
Deploy your key to the container
On your local machine:
ssh-copy-id -i /home/username/.ssh/admin_key.pub admin@<lxc-ip-or-hostname>
Enter the temporary password once.
After this step, SSH login should work using your key.
Test:
ssh -i /home/username/.ssh/admin_key admin@<lxc-ip-or-hostname>
You should log in without a password.
Disable insecure authentication inside the container
Edit /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Restart:
sudo systemctl restart sshd
The container now mirrors the security posture of the host.
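A check worth running on the host and in each container after the restart, added here as an example and not part of the original guide: sshd keeps the first value it reads for each keyword, so an included drop-in file can override the lines edited above, while `sshd -T` prints the configuration that is actually in effect. The function name audit_sshd and the two sample excerpts are constructed for illustration.

```shell
# Added example: reads `sshd -T` output (effective config) on stdin and
# checks the four settings this guide sets in /etc/ssh/sshd_config.
audit_sshd() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
            # Same setting under two names: newer OpenSSH reports
            # kbdinteractiveauthentication, older releases the legacy name.
            want["kbdinteractiveauthentication"]    = "no"
            want["challengeresponseauthentication"] = "no"
        }
        {
            key = tolower($1)
            if (key in want) {
                seen[key] = 1
                if (tolower($2) != want[key]) {
                    printf "FAIL %s is %s, expected %s\n", key, $2, want[key]
                    bad = 1
                }
            }
        }
        END {
            if (!("kbdinteractiveauthentication" in seen) &&
                !("challengeresponseauthentication" in seen)) {
                print "FAIL no keyboard-interactive setting in input"; bad = 1
            }
            n = split("permitrootlogin passwordauthentication pubkeyauthentication", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { print "FAIL " req[i] " missing from input"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: excerpt of `sshd -T` output after the hardening above.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

# Constructed sample: an earlier-read drop-in kept password logins enabled.
sample_overridden() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_hardened | audit_sshd && echo "hardened sample: OK"
sample_overridden | audit_sshd || echo "overridden sample: rejected"
```

On a real system, run it as root with `sshd -T | audit_sshd`, and keep an existing session open until a fresh key-based login has succeeded.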
Part 4: Local SSH Convenience Configuration
To simplify access, create or edit:
~/.ssh/config
Example:
Host proxmox
    HostName <Proxmox-hostname>
    User admin
    IdentityFile /home/username/.ssh/admin_key

Host lxc-admin
    HostName <lxc-ip-or-hostname>
    User admin
    IdentityFile /home/username/.ssh/admin_key
Protect the file:
chmod 600 ~/.ssh/config
Now you can connect with:
ssh proxmox
ssh lxc-admin
Result
- Proxmox host and containers use the same secure login method
- root login disabled everywhere
- password authentication disabled
- one key and one user for administrative access
- simple host selection through SSH configuration