🔐 Securing SSH Access to Proxmox with a Dedicated Admin User - myomaniac/myomaniaclab GitHub Wiki

This guide explains how to securely create a non-root system user for SSH access to your Proxmox host, set up key-based login from a separate Linux client (like WSL), and lock down root and password access to prevent unauthorized logins.


🧠 What This Secures

  • Blocks root login over SSH
  • Prevents password-based login (key-only access)
  • Only your secure user can connect
  • Full sudo access without needing the root account

✅ Step 1: Create a Dedicated User

On your Proxmox server:

adduser <your-admin-user>

Follow the prompts to create a new system account.
Set a strong password. SSH will not accept it after Step 6, but sudo still prompts for it.


✅ Step 2: Install sudo and Grant Admin Rights

Still on Proxmox (as root):

nala install sudo -y
usermod -aG sudo <your-admin-user>

This allows the new user to run sudo commands.


✅ Step 3: Generate SSH Key on Your Client Machine

On your secure local machine (e.g., WSL/Linux/macOS):

ssh-keygen -t ed25519 -f ~/.ssh/<your-key-name> -C "<your-admin-user>@proxmox"

This generates a key pair:

  • ~/.ssh/<your-key-name> (private)
  • ~/.ssh/<your-key-name>.pub (public)

✅ Step 4: Install Public Key on Proxmox

Run from the client:

ssh-copy-id -i ~/.ssh/<your-key-name>.pub <your-admin-user>@<your-proxmox-ip>

🧠 If that fails, install the key manually:

  1. Copy the contents of ~/.ssh/<your-key-name>.pub
  2. On Proxmox:

mkdir -p /home/<your-admin-user>/.ssh
nano /home/<your-admin-user>/.ssh/authorized_keys

Paste the public key, then:

chmod 700 /home/<your-admin-user>/.ssh
chmod 600 /home/<your-admin-user>/.ssh/authorized_keys
chown -R <your-admin-user>:<your-admin-user> /home/<your-admin-user>/.ssh

✅ Step 5: Test SSH Access

From your client:

ssh -i ~/.ssh/<your-key-name> <your-admin-user>@<your-proxmox-ip>

You should log in without entering a password.


✅ Step 6: Harden SSH Configuration

On Proxmox, edit:

sudo nano /etc/ssh/sshd_config

Update/add:

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers <your-admin-user>

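Save and restart SSH. Keep your current session open until Step 7 succeeds, so a mistake in the file does not lock you out: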

sudo systemctl restart ssh

✅ Step 7: Confirm Final Access

Try logging in again:

ssh -i ~/.ssh/<your-key-name> <your-admin-user>@<your-proxmox-ip>

Only that user, authenticating with that key, should now be able to log in over SSH.
Root logins and password logins over SSH are refused.
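
A way to confirm that the Step 6 settings are the ones sshd actually uses (an added example, not part of the original guide): sshd keeps the first value it reads for each keyword, so a file pulled in through an Include line in sshd_config can override what you typed. The function name check_sshd_hardening and the user labadmin are placeholders, and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example: compare the effective sshd settings with Step 6.
# `sshd -T` prints the merged config (sshd_config plus any Include'd
# drop-in files) as lowercase "keyword value" lines.
# Real use, as root:  sshd -T | check_sshd_hardening <your-admin-user>

# Reads `sshd -T` style output on stdin, prints one line per setting,
# returns 0 only if all four Step 6 settings are in effect.
check_sshd_hardening() {
    _admin="$1"; _rc=0
    _dump="$(cat)"
    for _key in permitrootlogin passwordauthentication permitemptypasswords; do
        _got="$(printf '%s\n' "$_dump" | awk -v k="$_key" '$1 == k { print $2; exit }')"
        if [ "$_got" = "no" ]; then
            echo "OK   $_key no"
        else
            echo "FAIL $_key is '${_got:-unset}', expected 'no'"
            _rc=1
        fi
    done
    # AllowUsers must name the admin user and nobody else.
    _got="$(printf '%s\n' "$_dump" |
        awk '$1 == "allowusers" { for (i = 2; i <= NF; i++) print $i }' |
        sort -u | tr '\n' ' ')"
    _got="${_got% }"
    if [ "$_got" = "$_admin" ]; then
        echo "OK   allowusers $_got"
    else
        echo "FAIL allowusers is '${_got:-unset}', expected '$_admin'"
        _rc=1
    fi
    return "$_rc"
}

# Constructed sample: a drop-in file re-enabled password logins, so the
# effective value differs from what was typed into sshd_config.
SAMPLE_OVERRIDDEN='permitrootlogin no
passwordauthentication yes
permitemptypasswords no
allowusers labadmin'

# Constructed sample: all four Step 6 settings are in effect.
SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
allowusers labadmin'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_hardening labadmin || echo "=> not hardened"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_hardening labadmin && echo "=> hardened"
```

Running `sudo sshd -t` before the restart in Step 6 also catches syntax errors in the file.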


🔒 Summary

You’ve now:

  • Replaced root SSH with a secure system user
  • Enforced SSH key-only access
  • Blocked password logins and, with them, password brute-force attacks
  • Set up full sudo control from a safe account

✅ Next Step: Enable the firewall, set up fail2ban, or document this in your security wiki.