Restrict PermitRootLogin to PVE

NPK

Hi,

Is it OK to restrict SSH PermitRootLogin to only PVE IP? Would this have an impact on how PVE works?
The goal is to prevent direct root connection via SSH from the rest of the network.

Code:
Match User root Address 1.2.3.*
        PermitRootLogin yes
Match all
 
The official answer:
No, it is not OK and should NEVER be done.

The community/my answer:
It depends.

Why?:
Because PVE uses the root user for EVERYTHING and thus also for SSH when in a cluster.
If you restrict SSH or the root user via SSH it can (and often will) completely break and/or brick clusters.
But if you do not use clusters and have no plans to ever cluster, then restricting SSH can be done. (But it should still be done carefully, and if something breaks, no matter what, you're on your own in terms of support.)

The best way is just to restrict the root user to SSH keys only and have something like fail2ban monitor for brute-force attacks and ban IPs if needed.
 
Thanks.

I understand that PVE uses root access for a lot of things. But why can't PVE work safely if I just restrict root SSH connections from outside the cluster? The main goal is to prevent users from connecting as root over SSH to the cluster from their workstations (they will log in with another account and use su if they need to be root). Of course, between cluster nodes, root over SSH will still be OK.

I'm interested in any details about the official answer; I didn't find anything about it.
 
OK, given the 1.2.3.4, I assumed you used a public IP and not a private IP.
Given that you use a private IP, I would say:

Why are the cluster nodes not on their own network?
This way you have no need to block anything and still know no one can access the nodes directly. (Since the nodes themselves will not have a public IP and thus can only be accessed via the internal isolated network or a VPN if that is configured for remote access.)
 
It's private IP, my bad.

Nodes are on a different VLAN than the users' workstations (for example: 1.2.3.0/24 for nodes and 10.10.10.0/24 for workstations). Of course I can't block it with firewall rules, but... my users need to connect to the nodes with SSH. Simply, I want to be sure that they can't connect directly as root, but only with their own account.
 
I hope the steps below will help you.

You can create the user directly on the Proxmox host through the CLI with the command below

adduser demouser

and if the user requires elevated privileges, add them to the sudo group using the command below

usermod -aG sudo demouser

Once the system user is created on the host, create the same username using the Web UI.

Then, go to the Proxmox Web UI under Datacenter > Permissions > Users (or create and use a group if you prefer group-based permissions),
Select the user demouser@pam,

Assign the appropriate roles to grant the required level of access.

Please note, if you have a cluster, you need to create the same username with the same password on each node of the cluster.

Now you can try accessing the host using SSH.

I hope this will help you.
 
Thanks @sumanraic001, but I already have my users (with PVE authentication server or AD). The question is how to deny root connections by SSH but let users still connect with their own accounts; I can do it, but my question is whether PVE can have some trouble with it.
 
In that case I would just do it simple:
Just restrict the root user to SSH keys only. (And if you worry about spam attempts just add fail2ban to monitor and possibly block failed SSH login attempts.)

set in the sshd config:
PermitRootLogin prohibit-password

It's a solution, thanks. But is modifying PermitRootLogin OK for PVE health?
 
No, setting PermitRootLogin no in /etc/ssh/sshd_config is not safe in a Proxmox VE cluster environment.
This configuration disables all root logins via SSH, including key-based authentication, which Proxmox relies on for critical inter-node operations like live migration, storage replication, VM console access across nodes, and adding new nodes to the cluster etc.
 

So as far as I understand it is:
prohibit-password is totally safe to use and only password authentication is needed if you want to add a new node initially.
As after connecting the node to the cluster PVE will change over to SSH keys.
 
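The two settings discussed in this thread, placed side by side in one sshd_config fragment. This is an added example, not part of any post above and not Proxmox's own configuration. It assumes the thread's sample subnets (1.2.3.0/24 for nodes, 10.10.10.0/24 for workstations) and a constructed test address 1.2.3.10; whether a cluster tolerates the source restriction is the question the thread leaves open, so the Match block must cover every address the nodes use to reach each other.

```sshd_config
# /etc/ssh/sshd_config fragment (constructed example)

# Option A, from the replies: root may log in from anywhere, but only
# with an SSH key. Password logins as root are refused.
#PermitRootLogin prohibit-password

# Option B, the original question: refuse direct root logins by default
# and allow key-only root logins from the node subnet.
# The global value is what applies to workstations. Without it, a Match
# block that only says "PermitRootLogin yes" restricts nothing.
PermitRootLogin no

# Match blocks run until the next Match line, so keep them at the end of
# the file or close them with "Match all" as the original post does.
# Address accepts CIDR notation as well as wildcards such as 1.2.3.*
Match User root Address 1.2.3.0/24
        PermitRootLogin prohibit-password
Match all

# Check the result before reloading sshd (run as root):
#
#   sshd -t
#       syntax check only, prints nothing when the file is valid
#
#   sshd -T -C user=root,host=node,addr=1.2.3.10 | grep -i permitrootlogin
#       effective value for root coming from a node address; expect
#       prohibit-password (some versions print the alias without-password)
#
#   sshd -T -C user=root,host=ws,addr=10.10.10.20 | grep -i permitrootlogin
#       effective value for root coming from a workstation; expect "no"
#
# Keep an existing root session open while testing so a mistake in the
# Match line does not lock you out of the node.
```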