SSH setup on Debian
January 27, 2025
In order to better control who can access a specific VM in Proxmox, I wanted to configure limited SSH access from only one specific IP.
For that, I first had to generate an SSH key on the machine that is to connect to the VM. Mind you, this client is going to be a Windows machine, so the pathing is a bit unusual:
ssh-keygen -t rsa -b 4096 -f .\.ssh\my-server-key
Because the VM I created uses Debian, I was able to preinstall openssh-server on it via the GUI installation of the OS itself. This automatically created an .ssh directory in the root’s home directory and also set up some defaults in the /etc/ssh/sshd_config file.
First I had to enable SSH via password so that I could configure the public key authentication. It’s important to disable this again later for a more secure environment. These are the variables that needed to be set in the sshd_config file:
PermitRootLogin yes
PasswordAuthentication yes
With those, I could SSH into the server like so:
ssh root@IP.OF.YOUR.VM
and was prompted to input the password of the user. I had already assigned a password to the root user while setting up the VM.
Once you’re connected to the VM, you can copy the contents of the public key, which is located in .\.ssh\my-server-key.pub on the client, and transfer them to a new file .ssh/authorized_keys on the VM. Depending on your use case, you might want to limit the access to only a user (recommended) rather than save the key in the root .ssh directory:
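mkdir -p /home/YOURUSER/.ssh
chmod 700 /home/YOURUSER/.ssh
echo "<paste-your-public-key>" >> /home/YOURUSER/.ssh/authorized_keys
chmod 600 /home/YOURUSER/.ssh/authorized_keys
# These commands run as root, so hand the directory over to the user; sshd reads authorized_keys as that user
chown -R YOURUSER: /home/YOURUSER/.ssh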
Now you can test that the connection can be established without a password prompt:
ssh -p 22 -i .\.ssh\my-server-key YOURUSER@IP.OF.YOUR.VM
Finally, you can save yourself some time by creating a config file under .\.ssh to essentially assign an alias to the above command:
Host funny-vm-name
    HostName IP.OF.YOUR.VM
    Port 22
    User YOURUSER
    # ~ expands to your user profile, so the alias works from any directory
    IdentityFile ~/.ssh/my-server-key
This way, executing the following command should allow you to connect to the VM as the selected user without a password prompt:
ssh funny-vm-name
Once all of the above is up and running, you should go back to the VM and adjust the /etc/ssh/sshd_config file to disable the permissions that you don’t want enabled. For me, I wanted to limit the access to the VM to only one client with a specific IP, disable SSH as root and SSH in general, while only allowing the specific client to SSH via public key authentication. The relevant variables for that can be seen below:
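# Reverts the temporary PermitRootLogin yes from the setup step
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no
# Keep the Match block last: it applies until the next Match line or the end of the file
Match Address IP.OF.YOUR.CLIENT
    PubkeyAuthentication yes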
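To confirm that the Match block behaves as intended, you can ask sshd for its effective settings per source address with sshd -T -C. The following is an added example, not part of the original post: the function name check_effective and the sample outputs are constructed for illustration, and SOME.OTHER.IP stands for any address that is not your client.

```shell
#!/bin/sh
# Added example: check the effective sshd settings per source address.
# On the VM, as root, feed it real data (sshd -T prints lowercase "key value" lines):
#   sshd -T -C user=YOURUSER,host=client,addr=IP.OF.YOUR.CLIENT | check_effective allowed
#   sshd -T -C user=YOURUSER,host=other,addr=SOME.OTHER.IP      | check_effective denied

# check_effective MODE  (MODE: "allowed" for the one client, "denied" for anyone else)
# Reads sshd -T output on stdin; returns 0 only if every setting matches.
check_effective() {
    want_pubkey=no
    if [ "$1" = allowed ]; then want_pubkey=yes; fi
    awk -v want="$want_pubkey" '
        { seen[tolower($1)] = tolower($2) }
        END {
            bad  = expect("passwordauthentication", "no")
            bad += expect("permitrootlogin", "no")
            bad += expect("pubkeyauthentication", want)
            exit (bad > 0)
        }
        # A key that is missing from the input counts as a failure.
        function expect(key, value) {
            if (seen[key] == value) return 0
            printf "FAIL %s is \"%s\", expected \"%s\"\n", key, seen[key], value
            return 1
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CLIENT='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'
SAMPLE_OTHER='permitrootlogin no
passwordauthentication no
pubkeyauthentication no'
# What the temporary setup configuration would report if it were left in place.
SAMPLE_LEFTOVER='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_CLIENT" | check_effective allowed && echo "client view: ok"
printf '%s\n' "$SAMPLE_OTHER" | check_effective denied && echo "other address view: ok"
printf '%s\n' "$SAMPLE_LEFTOVER" | check_effective denied || echo "leftover setup config: rejected"
```

Run sshd -t to validate the file before restarting the ssh service, and keep your current session open until a fresh login from the client works.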