Preparing a Secure LXC Template (Proxmox)
This chapter describes how to create a hardened LXC template that can be cloned in Proxmox. Each container created from this template will:
- provide SSH access only via an admin user
- use your local SSH public key
- deny direct root login
- disable password authentication
This approach ensures consistent and secure deployments without manual post-install steps.
Step 1: Create a Base Container
Create a normal LXC container from your preferred image, for example:
pveam update
pveam download local debian-12-standard_*.tar.zst
Then deploy the container:
pct create <CTID> local:vztmpl/debian-12-standard_*.tar.zst
Start it:
pct start <CTID>
pct enter <CTID>
Step 2: Create the Admin User Inside the Template
Within the container:
adduser admin
usermod -aG sudo admin
This user will become the only SSH entry point.
Step 3: Install Your SSH Public Key
On your local machine, ensure you have a key:
ssh-keygen -t ed25519 -C "admin@lxc"
Copy it into the container:
ssh-copy-id admin@<container-ip>
Test login:
ssh admin@<container-ip>
You should log in without a password.
Step 4: Harden the SSH Configuration
Inside the container:
sudo nano /etc/ssh/sshd_config
Apply:
- PermitRootLogin yes
+ PermitRootLogin no
- PasswordAuthentication yes
+ PasswordAuthentication no
- ChallengeResponseAuthentication yes
+ ChallengeResponseAuthentication no
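Review bot: the three removed lines assume each directive is present and set to yes; where the file has a directive commented out or set to another value, add the + line as a new uncommented entry instead of looking for an exact match. Since this change leaves public keys as the only login method, consider setting PubkeyAuthentication yes in the same edit rather than treating it as optional.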
(Optional):
PubkeyAuthentication yes
Restart:
sudo systemctl restart sshd
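Added example (not part of the original guide): a shell function that checks the effective settings printed by sshd -T against the Step 4 values before the container is turned into a template. The function name and the sample inputs are constructed for illustration; it also accepts kbdinteractiveauthentication, because ChallengeResponseAuthentication is a deprecated alias for that keyword in OpenSSH 8.7 and later.

```shell
#!/bin/sh
# Added example, not from the original guide.
# audit_sshd reads `sshd -T` output (effective config, lowercase
# "keyword value" lines) on stdin and checks the Step 4 values.
# Prints one line per problem; returns 0 only if every check passes.
audit_sshd() {
    awk '
    BEGIN {
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["pubkeyauthentication"] = "yes"
    }
    {
        key = tolower($1); val = tolower($2)
        # ChallengeResponseAuthentication is a deprecated alias for
        # KbdInteractiveAuthentication (OpenSSH 8.7 and later).
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
        if (!(key in want)) next
        # If both names appear, a non-matching value is never overwritten.
        if ((key in seen) && seen[key] != want[key]) next
        seen[key] = val
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
            } else if (seen[k] != want[k]) {
                printf "FAIL %s is %s (expected %s)\n", k, seen[k], want[k]; bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample inputs (excerpts in `sshd -T` format).
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}
sample_weak() {
    printf '%s\n' 'permitrootlogin yes' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_hardened | audit_sshd && echo "hardened sample: OK"
sample_weak | audit_sshd || echo "weak sample: rejected"
```

Inside the container, after the restart, feed it the live configuration with: sudo sshd -T | audit_sshd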
Step 5: Clean and Prepare for Template Use
To avoid propagating temporary artifacts to every clone, run the following inside the container:
history -c
rm -rf /tmp/*
apt clean
Do not remove:
- /home/admin/.ssh/authorized_keys
- the admin user
- SSH configuration changes
These are required for template functionality.
Step 6: Shut Down and Convert to Template
Exit the container and stop it:
pct stop <CTID>
Convert to a Proxmox template:
pct template <CTID>
The container is now stored as a reusable template.
Result
Every future container cloned from this template will automatically provide:
- secure SSH access
- non-root login
- enforced key-based authentication
- consistent sudo configuration
No further SSH hardening steps are required.
Cloning Usage Example
pct clone <TEMPLATE-ID> 120 --hostname web01 --storage local-lvm
pct start 120
Then connect immediately:
ssh admin@web01