SSH Authentication

SSH Keys

In this section we will set up SSH so you can connect from your workstation to your Proxmox server. You can also use these keys to authenticate with public (e.g., GitHub) and your own private Git servers.

We will create a pair of SSH keys on your workstation: one private and one public. The private key is used by your workstation to prove its identity, and must not be shared.

The public key's role is to be shared with other computers, such as your Proxmox server, which use it when you connect via SSH to check that the connection really comes from your workstation and not an imposter.

Creating a pair of SSH keys

Windows

Open PowerShell and run the following command, following the prompts. Leave the passphrase empty.

ssh-keygen -t ed25519

You will now have two files in your SSH folder:

  • a private key named id_ed25519,
  • and a public SSH key named id_ed25519.pub

The location of your SSH folder is .ssh under C:\Users\your-username, which you can conveniently access via cd ~\.ssh.

Linux

Open a shell and run the following command, following the prompts. Leave the passphrase empty.

ssh-keygen -t ed25519

You will now have two files in your SSH folder:

  • a private key named id_ed25519,
  • and a public SSH key named id_ed25519.pub

The location of your SSH folder is .ssh under /home/your-username, which you can conveniently access via cd ~/.ssh.

Note that folders that start with a dot are hidden, and won't show by default using ls unless you use the -a flag, e.g. ls -a. Also note the permissions: they should default to 0600 for the private key and 0644 for the public key.

Allowing SSH access into your Proxmox server

Open the Proxmox Web UI, select your server from the Nodes tree item, then select Shell from the list view. Next, cd into the .ssh folder, and edit the file called authorized_keys. Copy the contents of the public key file you created above (id_ed25519.pub), and paste it at the end of the file on a new line. Save and close.

Each line in this file is a public key. Whoever holds the matching private key is allowed to connect to this machine via SSH.

Test connecting

On your workstation, run the following command (with your setup's particulars):

ssh root@192.168.100.2 -i ~\.ssh\id_ed25519 

You should not get any prompt for a username or a password.

Additionally, if this is your first time connecting via SSH, you should get a prompt to trust the server's host key. Check that the fingerprint shown is the one belonging to your server, then type yes and press Enter to continue. You should end up in a bash shell on your Proxmox server.

Example Warning Message

The authenticity of host '192.168.100.2 (192.168.100.2)' can't be established.
ED25519 key fingerprint is SHA256:B0aMj1fpf5pPnphE/nvAt+ri0vRL6BXie0+YEx2yWaA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.2' (ED25519) to the list of known hosts.
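The public key lines pasted into authorized_keys and the SHA256 fingerprint shown in the prompt above use the same encoding, so one parser covers both. The following is an added example, not part of the original guide: it reads public key lines, checks that each key blob agrees with its declared type, and prints the fingerprint in the form OpenSSH displays. The sample keys are constructed from fixed bytes, and the parser assumes lines without an options prefix.

```python
import base64
import hashlib
import struct

def ed25519_pub_line(raw32: bytes, comment: str) -> str:
    """Build a '<type> <base64> <comment>' line from 32 raw bytes (sample data only)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_pub_line(line: str):
    """Split one public key line into (key_type, blob, comment), validating the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2].strip() if len(parts) > 2 else ""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():  # blob repeats the type; both must agree
        raise ValueError("declared key type does not match key blob")
    return key_type, blob, comment

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(text: str):
    """Return [(line_no, key_type, fingerprint, comment)] for every key line in text."""
    rows = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments grant no access
        key_type, blob, comment = parse_pub_line(line)
        rows.append((no, key_type, fingerprint(blob), comment))
    return rows

# Constructed sample file contents: two made-up keys, not real credentials.
SAMPLE = "\n".join([
    "# workstation keys",
    ed25519_pub_line(bytes(range(32)), "bob@workstation"),
    "",
    ed25519_pub_line(bytes(range(32, 64)), "bob@laptop"),
])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

Run over the server's own host public key line (on OpenSSH servers typically /etc/ssh/ssh_host_ed25519_key.pub), the same function yields the value to compare with the fingerprint in the first-connection prompt.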

SSH config file

Now that it's working, we will create a file named config (no extension) in the .ssh folder, e.g. C:\Users\bob\.ssh\config. If you're using Notepad, double check that it hasn't automatically added a .txt extension to the end.

Add the below contents to the file, substituting the particulars of your setup:

Host *
  IdentityFile C:\Users\User\.ssh\id_ed25519
  IdentitiesOnly yes
Host proxmox
  HostName 192.168.100.2
  User root

Now when we run ssh proxmox, it will look for that named Host in the config file, and use the settings, i.e., the username, the IP address, and the SSH keys.

Allowing SSH access into containers/VMs

The same method applies when setting up containers or VMs for SSH access. If you run into difficulty, check the /etc/ssh/sshd_config file to see if there are any options that might be preventing you from using SSH. The default settings should allow you to log in as root via public key authentication.

Copying files using scp

A benefit of using ssh that wasn't obvious to me at first is that you can use scp to copy files over an SSH connection. This lets you copy files to and from the connected machine without having to fuss around with Samba or NFS shares.

If you can connect via ssh, then you should be able to use the following in either your workstation or your Proxmox server's terminal:

scp ~\some_local_file user@remote:C:\Users\User\Desktop\now_a_remote_file
scp user@remote:C:\Users\User\Desktop\a_remote_file ~\now_its_a_local_file

You can also use wildcards and recursion. For more info, see the docs: scp(1) - Linux manual page.

If you need to transfer a large number of files or folders, you might want to tar and zip first. tl;dr:

  • tar cf file.tar ./folder to tar a folder into a file (c for create)
  • tar xf file.tar to extract a tar file to a folder (x for extract)

Further Reading

Once you're familiar with using asymmetric keys for authentication, you might want to consider using SSH certificates for authentication. In this setup, your hosts and clients trust a Certificate Authority, which then signs the public keys of the respective machines. Instead of having to approve and keep individual keys for each host or client, you delegate the trust to your Certificate Authority.

If this sounds confusing, you might want to wait until after you've set up and are comfortable with TLS/SSL Certificates later in this guide.

If it doesn't, then here are some links for further reading:
