PVE SSH Key Based Authentication
In this article we are going to set up SSH key based authentication for the PVE host. Let's assume we are at a terminal window (or console) on a remote instance and we want to log in securely to the PVE host without entering our password.
The first step is to generate the key pair. For this purpose we will create a separate private directory where the key pair will be stored, and then generate the key inside this directory. Note that -N '' in the following command means an empty passphrase; whether to set a passphrase is a matter of choice.
mkdir -p -m 700 ~/.ssh/pve-lan/
ssh-keygen -t rsa -b 4096 -C 'user@metalevel.tech' -f ~/.ssh/pve-lan/pve_id_rsa -q -N ''
The second step is to copy the public key to the PVE host. In the following command 192.168.1.200 is the LAN IP address of the PVE host. You will need to enter your root password in order to copy the .pub key over SSH.
ssh-copy-id -i ~/.ssh/pve-lan/pve_id_rsa.pub root@192.168.1.200
The third step is to add an entry in your ~/.ssh/config to allow an easy CLI syntax. If the config file did not exist before, we should change its permissions to octal 600, otherwise the SSH client will throw an error.
nano ~/.ssh/config && chmod 600 ~/.ssh/config
Host pve
    HostName 192.168.1.200
    IdentityFile ~/.ssh/pve-lan/pve_id_rsa
    User root
    Port 22
The Host entry pve is an alias for the HostName; you can change it to a more descriptive one. Once the configuration file is saved, you will be able to connect to your PVE host with the following command.
ssh pve
Linux pve 5.13.19-2-pve #1 SMP PVE 5.13.19-4 (Mon, 29 Nov 2021 12:10:09 +0100) x86_64...
Last login: Sat Mar 19 09:51:25 2022 from 192.168.1.110
root@pve:~#
Finally, once the SSH key based authentication works, you can disable SSH password based authentication on the PVE side.
nano /etc/ssh/sshd_config
PasswordAuthentication no
PermitEmptyPasswords no
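To confirm that the edited file really yields key-only logins, the settings as sshd parses them can be checked. The following is an added example, not part of the original article: the function name check_sshd_effective and the sample input are constructed, and it assumes input in the "keyword value" form printed by sshd -T.

```shell
#!/bin/sh
# Added example: verify the effective sshd settings that key-only login relies on.
# Input: lines in the "keyword value" form that `sshd -T` prints.

# check_sshd_effective: reads settings on stdin, prints one OK/FAIL/MISSING
# line per required keyword, returns 0 only if all of them match.
check_sshd_effective() {
    awk '
        BEGIN {
            want["pubkeyauthentication"]   = "yes"   # keys must be accepted
            want["passwordauthentication"] = "no"    # passwords must be refused
            want["permitemptypasswords"]   = "no"    # never allow empty passwords
        }
        {
            key = tolower($1)
            if (key in want) seen[key] = tolower($2)
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s is %s (expected %s)\n", k, seen[k], want[k]; bad = 1
                } else {
                    printf "OK %s %s\n", k, seen[k]
                }
            }
            exit bad
        }'
}

# Constructed sample (not captured from a real host): password logins are
# still enabled, so the check must report a failure.
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no'

printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_effective \
    || echo "Password logins are still possible; do not rely on key-only access yet."
```

On the PVE host, run sshd -T | check_sshd_effective as root after editing the file. sshd -T parses the configuration files, so the running daemon still needs a reload of the SSH service before the new values apply.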