[SOLVED] PVE cluster: can I safely turn off ssh PermitRootLogin, PasswordAuthentication and UsePAM?

proxwolfe

Hi,

I have implemented certificate based authentication via SSH on my cluster nodes.

As with my VMs, I would now like to turn off PermitRootLogin, PasswordAuthentication and UsePAM. But it is my understanding that PVE uses SSH for cluster purposes and I don't want to break things.

So, can I safely turn these settings off or is any of them needed for the cluster to work?

Thanks!
 
I'm not sure how you could integrate it into Proxmox per se, but I think it would be handy if you could assign a non-root user with password-less SSH to be the agent user for Proxmox clustering. Would add a degree of entropy for attackers by way of not knowing what user to attack, and you'd still be able to disable root login. Agreed on former comments though, disabling password is a good start.
 
That doesn't really work at the moment, since the stuff that is run over SSH needs root privileges (so even if you'd change the user that is used for SSH, that user would still need to be effectively root via setuid/passwordless sudo/...). This concerns just a few "cross-node" operations like migrations, accessing the console/shell of another node (or a guest running there), ...

SSH login with password is only needed if you use the legacy cluster joining method (that uses SSH); the default one uses the API. The "clustering" itself (as in, keeping track of quorum and syncing /etc/pve and metadata) is handled by corosync and pmxcfs and doesn't use SSH itself.
 
Thank you all for your input.

I had disabled PasswordAuthentication and PermitRootLogin. But then I ran into issues when trying to access the console of a VM on one node from one of the other nodes.

So I have now enabled PermitRootLogin again and the issues are gone (with PasswordAuthentication still disabled).
 
The paranoia in me would love to disable the PermitRootLogin option in the PVE host's sshd_config, even though the host resides on a separate management VLAN. I do hope the Proxmox team will eventually get this sorted out as it is best practice, and now a default option on many Linux distros.
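
An added example, not part of any post in this thread and not Proxmox code: a small Python check that reads sshd_config text and reports where it departs from the state the thread ends on (PasswordAuthentication off, root login still permitted for the cross-node operations that run over SSH). It assumes a single file with no Include handling and looks only at the global section; the function names and sample configs are constructed for illustration.

```python
# Added example: audit sshd_config text against the outcome of this thread.
# Function names and the sample configs are constructed, not Proxmox's own.
# `sshd -T` on the host prints the authoritative effective configuration.
import re

# OpenSSH built-in defaults for the two keywords checked here.
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

def effective_global(config_text):
    """Global-section settings; sshd keeps the FIRST value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # conditional blocks: stop here
            break
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings relative to the state the thread settled on."""
    cfg = effective_global(config_text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on; per the thread only the "
                        "legacy SSH cluster join needs it")
        if cfg["permitrootlogin"] == "yes":
            findings.append("root can log in with a password")
    if cfg["permitrootlogin"] == "no":
        findings.append("PermitRootLogin no; root SSH is used for cross-node "
                        "migration and console/shell access")
    return findings

# Constructed sample inputs.
THREAD_END_STATE = "PermitRootLogin yes\nPasswordAuthentication no\n"
LOCKED_DOWN = "PasswordAuthentication no\nPermitRootLogin no\n"
SHADOWED = "PasswordAuthentication yes\n# later line is ignored\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in [("thread end state", THREAD_END_STATE),
                       ("locked down", LOCKED_DOWN), ("shadowed", SHADOWED)]:
        print(name, "->", audit(text) or "no findings")
```

The `SHADOWED` sample shows why a hardening line appended at the bottom of the file can have no effect: an earlier occurrence of the same keyword wins.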
 