Proxmox VE Cluster when SSH Port is Non-standard and Root Login is Disabled

Proxmox VE 2.0 Cluster assumes root access over port 22.  What do you do if your security protocols call for a non-standard secure shell port and disabling root login?

None of my servers permit root logins and all use a different port for secure shell access. This is easy to implement if your server configuration is managed by a tool such as Puppet and improves security.  But it is a barrier to implementing Proxmox VE 2.0 Cluster.

Overcoming Port 22 Limitation

The SSH Port 22 limitation can be overcome by changing the ssh client's default port to the one matching the Promox VE node that will be connected.  This is done in the ssh client config file /etc/ssh/ssh_config by changing the default Port value.

This will affect all uses of ssh client on that host, but since the host will only be used for Proxmox VE it should not be a big deal.  Note that this solution is to change the default behavior of the ssh client.

Overcoming Root Login Limitation

Even though all of my servers forbid root access, I am willing to permit it from a specific server that connects from the local network in order to create a Proxmox VE Cluster.  I enable this through the server configuration file for ssh, /etc/ssh/sshd_config using the AllowUsers directive:

AllowUsers root@192.168.33.40 (list of all other users)

This approach requires listing allow allowed users in the AllowUsers directive.  While the simplest approach, this may not be suitable to most situations.

The next simplest solution is to allow root logins only through SSH keys using the confusing "without-password" option to the PermitRootLogin directive.

PermitRootLogin without-password

Using this approach, we need to share the public keys from the Proxmox VE Cluster nodes.

Common Gotchas

The SSHD directives AllowUsers and AllowGroups calculate an intersection (not a union) of accounts permitted to log into the server.  If you use either of these directives along with the PermitRootLogin directive above, you will need to include the root account in the directive.

January 27th, 2013 Posted by Jon Jaroker Filed in: Cluster

Be the first to comment. Leave a comment

Your email address will not be published. Required fields are marked *