SSH Keys

gauthig

Jun 13, 2014
Does proxmox use ssh for any of its work, i.e. I want to secure my box by:
1. not allowing root ssh access
2. creating a sudoers user and setting up ssh key access

Thanks in advance.
 
ssh is used in many places; it depends on what features you need.

If you make changes, make sure that you document all your changes and test if all you need is still running afterwards.
 
Ok, here is what I want to do:
On the host node, can I do the following to secure the node:

Change sshd_config to:
1. Not allow root login from SSH
2. Other users must use keys
3. Change ssh port to another port

In the PROXMOX GUI
4. Disable PAM as an authentication mode for PROXMOX, i.e. delete the PAM entry
5. Enable pve authentication with multi-factor (yubikey)

I know how to do 4 & 5, but was wondering if 1-3 would break the proxmox engine. If that does not work, could I just use iptables to allow only 127.0.0.1 and the other host-node access to port 22?
 
Why not use /etc/ssh/ssh_config? Put an entry like this on all nodes:
Code:
Host pve1
    Port 51722
# change the next line
Host pve1.MYDOMAIN.COM
    Port 51722

I have not tried that but it may be worth a try.
 
Hi all,

I am very new to the Proxmox scene, and have been wanting to do this myself.

I managed to change the port without breaking anything (I think!) by changing the port in both the ssh_config and sshd_config files on all proxmox nodes.

Disabling root access caused immediate problems so I have had to revert back to permit root login for now.

I added fail2ban to protect both ssh and proxmox gui login for that little bit of extra peace of mind. Would really like to use ssh keys and disable root ssh login for everything other than cluster communication though :)

Will continue to mess :)
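
Added example, not part of any post in this thread: one way to express "no root SSH login except from the other cluster nodes, keys only" in sshd_config, using a Match block. The addresses 192.0.2.11 and 192.0.2.12 are constructed placeholders for the other nodes, the port is the one from the ssh_config post above, and the thread does not confirm whether Proxmox's SSH-based cluster functions are satisfied by this.

```sshd_config
# /etc/ssh/sshd_config on each node (constructed example).
# Comments go on their own lines.

# Global defaults: apply to every connection not matched further down.
Port 51722
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no

# Match blocks must come after the global settings; each one runs until
# the next Match line or the end of the file.
# Assumption: 192.0.2.11 and 192.0.2.12 are the other cluster nodes.
# Root may log in from those addresses only, and only with a key.
# On OpenSSH releases before 7.0 the value is spelled "without-password".
Match Address 192.0.2.11,192.0.2.12
    PermitRootLogin prohibit-password
```

Run `sshd -t` to check the syntax before reloading, and `sshd -T -C user=root,host=pve1,addr=192.0.2.11` to print the settings that would apply to a root connection from that address. Keep an existing root session open until a fresh login has been tested.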
 
Can't you just block 0.0.0.0/0 access to SSH, enable your Proxmox IPs, and then go into your cluster via a specific range, or from inside the cluster?
 
Ok, here is what I want to do:
On the host node, can I do the following to secure the node:

Change sshd_config to:
1. Not allow root login from SSH
2. Other users must use keys
3. Change ssh port to another port

In the PROXMOX GUI
4. Disable PAM as an authentication mode for PROXMOX, i.e. delete the PAM entry
5. Enable pve authentication with multi-factor (yubikey)

I know how to do 4 & 5, but was wondering if 1-3 would break the proxmox engine. If that does not work, could I just use iptables to allow only 127.0.0.1 and the other host-node access to port 22?

Does anyone know how to do 4 & 5? I'm always wondering how to disable PAM authentication in Proxmox.
 
