Bind SSH Daemon to Specific NIC: GUI Setting?

Sep 1, 2022
tl;dr: (1) Is there a way to do this? (2) Does binding the SSH daemon to, e.g., a management VLAN break anything?

Is there a setting in Proxmox's GUI (or in the CLI, I suppose) to bind the SSH daemon to a specific network interface? I know I can edit the config files manually via SSH or the web shell, but it seems like this would be useful, especially when setting up multiple VLANs and adding a management VLAN that is supposed to be the only pathway to access the machine's web GUI/SSH shell.

Though, as I type this, now I'm wondering if this would break ZFS replication or something. Doesn't it depend on SSH? So binding the daemon just to listen for connections on the management interface is probably a bad idea. It would also need to be bound to whatever interface is doing ZFS replication, which really makes this seem like a setting that should be exposed and managed in the GUI…

EDIT: After thinking about it a bit more, is this one of the things the Firewall in PVE is meant to handle?
 
Ah. So the firewall does impact the node itself, not just the VMs in the node. Good to know. And that's where I need to fix this.

I guess I'll stop doing what I was actually doing (which has nothing to do with SSH … I just happened to notice that SSHd was listening on every VLAN attached to the node, which is not what I wanted at all) and learn how the firewall works. Awesome. :P

Configuring sshd directly via text files worked, but I'd rather have it all exposed in the GUI so Proxmox exposes its actual settings to the web GUI user.
 
As @cwt mentioned, you can bind the SSH daemon to a specific ListenAddress. This is the IPv4 address that the interface is configured with.
Binding to the Proxmox node management IP will not break anything.

As @cwt also pointed out, firewall rules are also an option. In most cases this is probably the better option, because you can configure the rule to accept SSH connections only from a specific IP or IPSets. That way it is more secure than just binding the daemon to a specific IP or port.
You can create an IPSet with all the Proxmox nodes so they can connect to each other and a management VM IP if you do have one.
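
A check for the situation described in this thread (sshd listening on every VLAN attached to the node), as an added example that is not part of any post above. `MGMT_ADDR`, `REPL_ADDR` and both `ss` samples are constructed assumptions; on a real node, pass the output of `ss -Htlnp` instead.

```shell
#!/bin/sh
# Added example: list sshd listeners that are not on an expected address.
# On a real node, pass the output of `ss -Htlnp` (run as root so the
# process column is filled in) instead of the constructed samples below.

MGMT_ADDR="10.0.10.5"   # assumed management-VLAN address of the node
REPL_ADDR="10.0.20.5"   # assumed address used for replication traffic

# Constructed sample: default sshd_config, no ListenAddress set.
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 *:8006 *:* users:(("pveproxy",pid=1201,fd=6))'

# Constructed sample: ListenAddress set for both addresses above.
SAMPLE_BOUND='LISTEN 0 128 10.0.10.5:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 10.0.20.5:22 0.0.0.0:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 *:8006 *:* users:(("pveproxy",pid=1201,fd=6))'

# $1 = ss output; remaining arguments = local addresses sshd may listen on.
# Prints one unexpected local address per line (nothing if all are expected).
unexpected_sshd_listeners() {
    ss_output=$1
    shift
    printf '%s\n' "$ss_output" | awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" && index($0, "\"sshd\"") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)     # strip the port
            sub(/%.*$/, "", addr)         # strip a %interface scope suffix
            gsub(/^\[|\]$/, "", addr)     # unwrap [IPv6] brackets
            if (!(addr in ok)) print addr
        }'
}

echo "default config:"
unexpected_sshd_listeners "$SAMPLE_WILDCARD" "$MGMT_ADDR" "$REPL_ADDR"
echo "after ListenAddress:"
unexpected_sshd_listeners "$SAMPLE_BOUND" "$MGMT_ADDR" "$REPL_ADDR"
```

If SSH is restricted with firewall rules instead of ListenAddress, sshd still shows the wildcard listeners here, because the filtering happens in the firewall and not in the daemon.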