
SSH setup on Debian

January 27, 2025

To better control which machines can access a specific VM in Proxmox, I decided to limit the SSH access to specific IPs.

First I had to generate an SSH key on the machine that is to connect to the VM. Mind you, the example client is a Windows machine, so the paths might look a bit unusual:

ssh-keygen -t rsa -b 4096 -f .\.ssh\my-server-key

Because the VM uses Debian, I was able to preinstall openssh-server on it when setting up Debian itself. This automatically created a .ssh directory in the root’s home directory and also set up some defaults in the /etc/ssh/sshd_config file.

Then I had to temporarily enable SSH via password so that I could configure the public key authentication. It’s important to disable this again later for a more secure environment. These are the variables that needed to be set in the sshd_config file:

PermitRootLogin yes
PasswordAuthentication yes

With those, I could easily SSH into the server and was prompted to input the password of the root user. I had already assigned a password to the root user while setting up the VM.

ssh root@IP.OF.YOUR.VM

Once connected to the VM, I could copy the contents of the public key, which is located in .\.ssh\my-server-key.pub on the client, and transfer them to a new file .ssh/authorized_keys on the VM.

Depending on your use case, you might want to limit the access to only a specific user (recommended!) rather than save the key in the root .ssh directory:

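mkdir -p /home/YOURUSER/.ssh
chmod 700 /home/YOURUSER/.ssh
echo "<paste-your-public-key>" >> /home/YOURUSER/.ssh/authorized_keys
chmod 600 /home/YOURUSER/.ssh/authorized_keys
# When run as root, hand the files to the user; sshd reads authorized_keys as that user
chown -R YOURUSER: /home/YOURUSER/.ssh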

With that I could verify that the connection can be established without a password prompt:

ssh -p 22 -i .\.ssh\my-server-key YOURUSER@IP.OF.YOUR.VM

Finally, I set up a config file in the client's .ssh directory to define an alias for the above command, so I can save myself some time whenever I want to connect to the VM:

Host funny-vm-name
	HostName IP.OF.YOUR.VM
	Port 22
	User YOURUSER
	IdentityFile ~/.ssh/my-server-key

This way, instead of having to write the entire ssh command from earlier manually, I can simply call the alias:

ssh funny-vm-name

Now that I no longer need to connect with a password, I can go back to the VM and adjust the /etc/ssh/sshd_config file. Since I want to limit the access to the VM to only one client with a specific IP, while also disabling SSH login as root and SSH login from any other address, I have to change the following entries:

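# Undo the temporary settings from earlier
PermitRootLogin no
PasswordAuthentication no
# Deny key logins by default, then allow them for the one client only
PubkeyAuthentication no
# Keep the Match block last: every line below it applies only to that address
Match Address IP.OF.YOUR.CLIENT
        PubkeyAuthentication yes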
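
An added example, not from the original post: a simplified Python model of how sshd resolves the entries above for a given client address, including the case where a keyword ends up after the Match block and so applies only to the matched client. It models only `Match Address` with exact IPs and CIDR ranges; the addresses and the `GOOD`/`MISPLACED` samples are constructed placeholders.

```python
import ipaddress

# Constructed sample: the post's final entries with root login disabled.
# 203.0.113.10 is a placeholder standing in for IP.OF.YOUR.CLIENT.
GOOD = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no
Match Address 203.0.113.10
        PubkeyAuthentication yes
"""
# Same lines, but PermitRootLogin was appended after the Match block.
MISPLACED = GOOD.replace("PermitRootLogin no\n", "") + "PermitRootLogin no\n"

def address_matches(patterns, addr):
    """Comma-separated Match Address list; exact IPs and CIDR only (no wildcards)."""
    ip, hit = ipaddress.ip_address(addr), False
    for pat in patterns.split(","):
        if ip in ipaddress.ip_network(pat.lstrip("!")):
            if pat.startswith("!"):
                return False  # a negated entry that matches vetoes the whole list
            hit = True
    return hit

def effective_settings(config_text, client_addr):
    """Model which keyword values apply to a connection from client_addr."""
    global_opts, match_opts, in_match, active = {}, {}, False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError("only 'Match Address <list>' is modelled")
            in_match, active = True, address_matches(crit[1], client_addr)
        elif not in_match:
            global_opts.setdefault(key, value)  # first global occurrence wins
        elif active:
            match_opts.setdefault(key, value)   # first satisfied Match block wins
    return {**global_opts, **match_opts}        # Match values override globals

def auth_methods(config_text, client_addr):
    """Password/public-key methods left enabled (both default to yes in sshd)."""
    s = effective_settings(config_text, client_addr)
    names = ("pubkeyauthentication", "passwordauthentication")
    return [n for n in names if s.get(n, "yes") == "yes"]

if __name__ == "__main__":
    for addr in ("203.0.113.10", "198.51.100.7"):
        print(addr, auth_methods(GOOD, addr), effective_settings(MISPLACED, addr))
```

On the VM itself, `sshd -t` checks the edited file for syntax errors before the service is restarted, and the real parser is authoritative over this model.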

And that’s it! Hopefully I can refer back to this post whenever I need to set up a new VM in the future, and hopefully it helped you get a bit of an insight into how to do it yourself.


Written by Nedko Chulev