Disable Password Auth

K

kenneth_vkd

Well-Known Member
Sep 13, 2017
39
3
48
31
Hi
We are looking into hardening our PVE setup. Currently access to the web UI is fairly locked down with restrictive inbound firewall rules and 2FA for all users, including root@pam.
We do however plan to update the SSH server configuration to disable password-based authentication entirely, so that you can only access SSH using key-based authentication. This way it becomes more difficult for a potential attacker to access servers if they were to infiltrate a "trusted" network and somehow gain the password for th root user.
Currently running 5 nodes on PVE 7.3, and expanding regularly as needed.

Are there any special considerations for doing this on existing nodes and will there be a change in the process of joingin a new node to the cluster?
 
Hi,

from the top of my head, removing password-based authentication from SSH should be fine for an existing cluster. Upon join the nodes should install the SSH keys on all other respective nodes. However, if you carry out a join through the GUI the root password will be used to do that out. I haven't tested it, but if you manually enter the new node's key beforehand on the other nodes, the join may still succeed. I'll see if I can get around to testing this soon, if you want.
 
As a colleague pointed out to me, you don't even need to exchange the ssh keys manually. We do that via the API these days. So yes, you can just disable password authentication. That should work just fine.
 
  • Like
Reactions: nMax and matt.
So in other words, setting
Code: 
PasswordAuthentication no
in sshd config is a good idea, and nothing breaks with it?

Regarding sshd options:
I read on the internet that disabling root login is a bad idea, is that still the case? Are there other options in the sshd config that should not be changed/set?
 
If you don't have other local user accounts, why don't you just use the normally nowadays default of

Code: 
PermitRootLogin prohibit-password

So that root cannot login via password, just via key/certificate.

nMax said:
in sshd config is a good idea, and nothing breaks with it?
Click to expand...
In recent Debian version, I'd just go with a file like /etc/ssh/sshd_config.d/disable_password_authentication.conf instead of changing the stock configuration file. This is perfect for scripting and also packaging of the file, yet YMMV.
 
  • Like
Reactions: nMax
Is there any benefit in using "prohibit-password" over "PasswordAuthentication no"?

Separate file in sshd_config.d/ is a smart idea, I'll do that!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back