Proxmox hardening - SSH keys
Proxmox hardening: Install SSH keys¶
Proxmox is a powerful virtualization platform, but security is crucial. With Debian Bullseye or Bookworm as a basis, additional security levels can be implemented through targeted hardening. This also includes the generation of SSH keys. This article deals with SSH key creation on a Linux system. Windows follows.
Please Note
No guarantee of completeness. Interference with Linux servers can lead to data loss if carelessness or errors are made. You can also lock yourself out if you set the firewall, ports, networks or configurations incorrectly. If you don't have any experience with Linux, it's best to stay away from it and get to grips with Linux first. The instructions below are tested and working. However, if you don't do something right, you may find yourself locked out of the SSH or firewall area!
Don't just enter Linux commands blindly into the console. It is always important to check which Linux and Proxmox versions are being used. The network, IP, server and environment configuration is also crucial as to whether and how the tips given here can be applied. Each point should also be dealt with individually and intensively. You can't just "work through" everything and then it works. Securing Proxmox takes time and must be done with extreme caution. Additionally, server security is an ongoing process. Setting everything up and slamming the cellar door is not the proper approach.
Create SSH keys on Linux and install them in Proxmox¶
First create an SSH key on your local machine. To do this, use the following command:
When creating the key, always give it a unique name. This keeps everything clear. After generating the key, the system asks where and under what name the key should be saved. Enter the full path to save, for example:
There are many ways in Linux to copy SSH keys to a server. These include methods such as copying with SCP, using ssh-copy-id, manually pasting the key or using various software tools. In this article I will show you two ways: First, the manual copying under bullet 1 and then what I think is currently the best and easiest method: ssh-copy-id.
- Manually view and insert SSH key on a Linux, Proxmox server.
View the public key using the following command:
Copy the public key to the server. Mark the key with the mouse, copy it to the clipboard, go to the Proxmox server, go to "Datacenter", "Node" in the shell, go to the .ssh folder (cd .ssh) open the file authorized_keys and paste the key into the file. Then save the file and then systemctl restart sshd: - Copy the key to the server using ssh-copy-id. Please note that for this option, both entries in the sshd_config or in the sshd_config.d/my-custom-sshd.conf must be set to yes: PasswordAuthentication yes and PermitRootLogin yes. The command requires a server login.Enter this command and adjust the port and IP in the command to suit your server environment:
No matter which route you take to copy the key to the server: Now test the login with your key. To do this, use: If the login is successful, you will be logged into the server. If this doesn't work, go to the Proxmox server in the GUI, then in the shell. Then open the sshd_config file there to ensure that key authentication is enabled. Of course, if you have a sshd_config.d/my-custom-sshd.conf, open this file:Find the line with PubkeyAuthentication. Remove the hash sign and make sure the line looks like this:
Please Note
PubkeyAuthentication yes
Save the file and restart the SSH service:
Test the login again with your SSH key:
If the login works, you can safely store the private key. It is important to protect this key because it is required to access your server. For example, save it in a password manager like 1Password or on encrypted media.
To further increase security, disable password login for the root user. To do this, open the sshd_config again:
Change the PermitRootLogin setting:Please Note
PermitRootLogin prohibit-password
Save the file and restart the SSH service:
But be careful. It is better to use a separate sshd_config file, because the file could be overwritten during an ssh server update:
I entered the following values in my file:
Test the new config. If no errors are thrown, it is OK:
SSH Key Key File for Putty Convert¶
This means that it is no longer possible to log in as root with a password. Access is now only via the SSH key.
If you want to use the key in PuTTY, you must convert it to PuTTY's own format (.ppk). First install the necessary tools:
Then convert the key using the following command:
With this file you can connect to the server via PuTTY. Continue to make sure to store your key securely and back it up regularly. This means your access remains reliable and protected.
Explanations of commands and permissions
Permissions. The SSH key files and the .ssh folder require the following permissions. However, these should already be set correctly when creating:
Explanations of the commands:
The chmod 600 ~/.ssh/pve01 command changes the file's permissions so that only the owner can read and write the file. The number 600 means that the owner has the rights to read and write the file, while all other users do not have access to the file. This is necessary to ensure that private keys are protected and cannot be viewed or manipulated by other users.
The chmod 700 ~/.ssh command sets the permissions for the .ssh directory. This gives the owner the rights to read the directory, write to it and that only the owner has full access to the directory. This is important because sensitive data such as keys or configuration files are stored in this directory and must be protected from unauthorized access.
This command creates a new key pair for SSH authentication. -t rsa specifies that the key should use the RSA algorithm, and -b 4096 specifies that the key length is 4096 bits. This creates a secure private key (e.g. id_rsa) and a public key (e.g. id_rsa.pub). The private key remains on your computer while the public key is copied to the server. This path specifies the location for the key files to be created. The private key is stored as ~/.ssh/proxmox and the public key as ~/.ssh/proxmox.pub. By specifying a unique name, the key is organized clearly and does not get confused with other keys. This command copies the public key to the server. The -i option specifies the path to the public key file (in this case ~/.ssh/proxmox.pub). The -p 22 parameter specifies port 22 on the server. The user root and the IP address indicate where the key should be copied. The tool adds the key to the /root/.ssh/authorized_keys file on the server to enable access. This command connects to the server using the private key ~/.ssh/proxmox. -p 22 specifies the port. The user root and the IP address specify the destination. If authentication is successful, login takes place without a password prompt. This command opens the SSH daemon (sshd) configuration file in the nano text editor. The /etc/ssh/sshd_config file contains all settings for the SSH service, such as whether key authentication is enabled or whether root is allowed to log in. Changes to this file affect the security and accessibility of the server. This command restarts the SSH service (sshd). After making changes to the /etc/ssh/sshd_config file, a reboot is required for the new settings to take effect. Without this step, the old configuration parameters remain active. This command converts the SSH private key ~/.ssh/proxmox to PuTTY format (.ppk). The PuTTY format is required to use the key in PuTTY or other Windows tools. The converted file will be saved at ~/.ssh/proxmox.ppk. This command installs putty-tools, a package that includes tools like puttygen for Linux. This allows OpenSSH keys to be converted to PuTTY format. These tools are specifically intended for integration with PuTTY and other Windows applications.Please Note
PermitRootLogin prohibit-password
This setting in the /etc/ssh/sshd_config file only allows root login with an SSH key. Login with a password will be completely disabled. This increases security by eliminating the use of passwords that could be guessed by attackers.