# SSH keys

> Key-based login instead of a password

Key-based login is more secure than a password. A password can be cracked by brute-forcing; a key practically can't. A key is a pair made of a private and a public part: keep the private part to yourself and never show it to anyone; the public part goes on the server. When you log in, the two are checked against each other automatically, so you don't need to type the server password.

## Create a key and put it on the server

<Tabs>
  <Tab title="Linux / macOS">
    <Steps>
      <Step title="Generate a key">
        In the terminal on your own computer:

        ```bash theme={"system"}
        ssh-keygen -t ed25519 -C "lumi-vps"
        ```

        When asked about the path, press Enter — the key will land in the default location.

        <Tip>
          Give the key a passphrase (a password on the key itself) — when `ssh-keygen` asks, type a phrase instead of leaving it empty. That way, even if someone steals the private file, they can't use it without the passphrase. To avoid typing it every time, add the key to ssh-agent: `ssh-add ~/.ssh/id_ed25519`.
        </Tip>

        Two files will appear:

        | File                    | What it is                                        |
        | ----------------------- | ------------------------------------------------- |
        | `~/.ssh/id_ed25519`     | private key — keep it to yourself, never share it |
        | `~/.ssh/id_ed25519.pub` | public key — this is what goes on the server      |
      </Step>

      <Step title="Copy the public key to the server">
        The simplest way is `ssh-copy-id`:

        ```bash theme={"system"}
        ssh-copy-id root@IP
        ```

        Replace `IP` with the server address from the bot. The command asks for the root password once and then adds the key to the server for you.

        If you don't have `ssh-copy-id`, add the key manually. Print your public key:

        ```bash theme={"system"}
        cat ~/.ssh/id_ed25519.pub
        ```

        Log in to the server with the password and paste the line into `~/.ssh/authorized_keys`:

        ```bash theme={"system"}
        ssh root@IP
        mkdir -p ~/.ssh && chmod 700 ~/.ssh
        echo "PASTE_KEY_HERE" >> ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
        ```
      </Step>
    </Steps>
  </Tab>

  <Tab title="Windows">
    Windows 10/11 has built-in OpenSSH — so you can do without third-party programs.

    <Steps>
      <Step title="Generate a key in PowerShell">
        Open PowerShell and run:

        ```powershell theme={"system"}
        ssh-keygen -t ed25519 -C "lumi-vps"
        ```

        Press Enter at the path question. The keys will land in `C:\Users\NAME\.ssh\` — `id_ed25519` (private) and `id_ed25519.pub` (public).
      </Step>

      <Step title="Copy the public key to the server">
        Print the public key:

        ```powershell theme={"system"}
        type $env:USERPROFILE\.ssh\id_ed25519.pub
        ```

        Log in to the server with the password and add the line to `~/.ssh/authorized_keys`:

        ```bash theme={"system"}
        ssh root@IP
        mkdir -p ~/.ssh && chmod 700 ~/.ssh
        echo "PASTE_KEY_HERE" >> ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
        ```
      </Step>
    </Steps>

    <Note>
      If you use PuTTY, the key is created with **PuTTYgen**: choose the `EdDSA` (Ed25519) type, click **Generate**, and save the private key with the **Save private key** button (a `.ppk` file). Copy the line from the field at the top of the window and paste it into `~/.ssh/authorized_keys` on the server. In PuTTY itself, the path to the key is set under **Connection → SSH → Auth → Credentials → Private key file**.
    </Note>
  </Tab>
</Tabs>

## Verify key-based login

Connect again:

```bash theme={"system"}
ssh root@IP
```

If you got in without being asked for the server password, the key works. (If you set a passphrase, that's exactly what you'll be asked for — it's the password for the key on your computer, not for the server.)

## Disable password login

Once the key works, you can turn off password login entirely, and brute-force password guessing against the server will no longer work.

<Warning>
  First make sure key-based login really works. If you disable the password too early, you can lock yourself out of the server.
</Warning>

<Steps>
  <Step title="Open the SSH settings on the server">
    ```bash theme={"system"}
    nano /etc/ssh/sshd_config
    ```
  </Step>

  <Step title="Disallow password login">
    Find the `PasswordAuthentication` line and make it look like this (remove the leading `#` if there is one):

    ```text theme={"system"}
    PasswordAuthentication no
    ```

    Save the file: in nano that's `Ctrl+O`, Enter, then `Ctrl+X`.
  </Step>

  <Step title="Restart SSH">
    ```bash theme={"system"}
    systemctl restart ssh
    ```

    Your current connection won't drop. Open a **second** window and check that key-based login still works before closing the first one.
  </Step>
</Steps>
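
To confirm the change took effect, check what sshd actually applies rather than what the file says: sshd keeps the first value it reads for each keyword, so a file included from `/etc/ssh/sshd_config.d/` can override your edit. The script below is an added example, not part of the original guide; the function names, the sample `sshd -T` output and the drop-in directory layout are assumptions, and the `KbdInteractiveAuthentication` check goes beyond the step above (with PAM it can still offer a password prompt).

```bash
#!/usr/bin/env bash
# Added example: audit what sshd really applies after editing sshd_config.
# Function names are hypothetical; sample data below is constructed.

# Constructed `sshd -T` output (effective config, keywords in lowercase)
# for a server where another config file still enables passwords.
SAMPLE_BAD='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed output for a server where the change took effect.
SAMPLE_GOOD='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# effective_value KEY: read `sshd -T` output on stdin, print KEY's value.
effective_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_effective: read `sshd -T` output on stdin. Returns 0 only when key
# login is on and both password-style methods are off.
audit_effective() {
    cfg=$(cat); rc=0
    [ "$(printf '%s\n' "$cfg" | effective_value pubkeyauthentication)" = yes ] \
        || { echo "FAIL: pubkeyauthentication is not yes"; rc=1; }
    for key in passwordauthentication kbdinteractiveauthentication; do
        [ "$(printf '%s\n' "$cfg" | effective_value "$key")" = no ] \
            || { echo "FAIL: $key is not no"; rc=1; }
    done
    return "$rc"
}

# find_overrides DIR: list file:line for every active PasswordAuthentication
# setting under DIR (assumes the sshd_config + sshd_config.d layout).
find_overrides() {
    grep -rinE '^[[:space:]]*PasswordAuthentication[[:space:]]' \
        "$1/sshd_config" "$1/sshd_config.d" 2>/dev/null
}

# On the server, as root, before `systemctl restart ssh`:
#   sshd -t                        # syntax check; prints nothing when valid
#   sshd -T | audit_effective      # effective settings
#   find_overrides /etc/ssh        # which file sets the value
```

If `audit_effective` reports a failure while `sshd_config` already says `no`, the file listed first by `find_overrides` among the included drop-ins is the one to fix.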

## Where to next

<CardGroup cols={2}>
  <Card title="Server hardening" icon="lock" href="/en/vps/hardening">
    A security checklist for right after your first login.
  </Card>

  <Card title="Firewall" icon="shield-halved" href="/en/vps/firewall">
    Close off unneeded ports, leave only the ones you need.
  </Card>
</CardGroup>
