Key-based login is more secure than a password. A password can be cracked by brute-forcing; a key practically can’t — it’s a pair made of a private and a public part. Keep the private part to yourself and never show it to anyone; the public part goes on the server. When you log in, the two are checked automatically — no need to type a password.

Create a key and put it on the server

1

Generate a key

In the terminal on your own computer:
ssh-keygen -t ed25519 -C "lumi-vps"
When asked about the path, press Enter — the key will land in the default location.
Give the key a passphrase (a password on the key itself) — when ssh-keygen asks, type a phrase instead of leaving it empty. That way, even if someone steals the private file, they can’t use it without the passphrase. To avoid typing it every time, add the key to ssh-agent: ssh-add ~/.ssh/id_ed25519.
Two files will appear:
File | What it is
~/.ssh/id_ed25519 | private key — keep it to yourself, never share it
~/.ssh/id_ed25519.pub | public key — this is what goes on the server
2

Copy the public key to the server

The simplest way is ssh-copy-id:
ssh-copy-id root@IP
Replace IP with the server address from the bot. The command will ask for the root password once and add the key to the server itself.

If you don’t have ssh-copy-id, add the key manually. Print your public key:
cat ~/.ssh/id_ed25519.pub
Log in to the server with the password and paste the line into ~/.ssh/authorized_keys:
ssh root@IP
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "PASTE_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Verify key-based login

Connect again:
ssh root@IP
If you got in without being asked for the server password, the key works. (If you set a passphrase, that’s exactly what you’ll be asked for — it’s the password for the key on your computer, not for the server.)

Disable password login

Once the key works, you can turn off the password entirely — and the server will stop getting hammered by brute-forcers.
First make sure key-based login really works. If you disable the password too early, you can lock yourself out of the server.
1

Open the SSH settings on the server

nano /etc/ssh/sshd_config
2

Disallow password login

Find the PasswordAuthentication line and make it look like this (remove the leading # if there is one):
PasswordAuthentication no
Save the file: in nano that’s Ctrl+O, Enter, then Ctrl+X.
3

Restart SSH

systemctl restart ssh
Your current connection won’t drop. Open a second window and check that key-based login still works before closing the first one.
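
The PasswordAuthentication no edit above only takes effect if no earlier line sets the keyword: sshd uses the first value it reads, and Include drop-ins are read at the point where the Include line stands. The script below is an added example, not part of the original guide. It resolves the winning value over a constructed sample tree; the function names, the 50-sample.conf drop-in and the temp directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: which PasswordAuthentication value wins once Include
# drop-ins are taken into account. sshd keeps the FIRST value it reads.

# Print the global-section lines of FILE, expanding Include in place.
# Relative Include paths resolve against BASE (sshd itself uses /etc/ssh).
# Simplifications: one pattern per Include line, Match blocks are skipped.
global_lines() (
    file=$1 base=$2
    while read -r key rest || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            ''|'#'*) ;;                       # blank line or comment
            match)   break ;;                 # conditional block: rest of file skipped
            include)
                case $rest in /*) pat=$rest ;; *) pat=$base/$rest ;; esac
                for inc in $pat; do           # unquoted on purpose: glob expands
                    if [ -f "$inc" ]; then global_lines "$inc" "$base"; fi
                done ;;
            *) printf '%s %s\n' "$key" "$rest" ;;
        esac
    done < "$file"
)

# First PasswordAuthentication line wins; sshd's built-in default is "yes".
effective_password_auth() {
    global_lines "$1" "$2" | awk '
        tolower($1) == "passwordauthentication" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }'
}

# Constructed sample tree (not taken from a real server): the main file says
# "no", but a drop-in included above that line says "yes".
build_sample() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-sample.conf"
    printf '%s\n' "$d"
}

d=$(build_sample)
echo "with drop-in:    $(effective_password_auth "$d/sshd_config" "$d")"
rm "$d/sshd_config.d/50-sample.conf"
echo "without drop-in: $(effective_password_auth "$d/sshd_config" "$d")"
rm -r "$d"
```

On the server itself, sshd -t checks the edited file for syntax errors before the restart, and sshd -T prints the settings sshd will actually use, including passwordauthentication.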

Where to next

Server hardening

A security checklist for right after your first login.

Firewall

Close off unneeded ports, leave only the ones you need.