SSH keys: passwordless login

In this guide: SSH keys: passwordless login. Generate an ed25519 key and install it on the server.

Recommendation: keep a fallback access path (second SSH session, SSH key, provider console). Apply security changes in small steps and verify access after each change.

If something goes wrong: check the service is running, listening on the expected port, and that your firewall allows the connection. For web services, `nginx -t` and `journalctl -u nginx` are good starting points. Important: permissions should be `700` for `~/.ssh` and typically `600` for `authorized_keys`, otherwise SSH may ignore keys.

After security changes, always re-check login and access rights. If something breaks, rollback should be quick and obvious (fallback session/console).

Below you’ll find a quick checklist, verification commands, and common pitfalls. This helps you not only “do it”, but also confirm what a correct outcome looks like.

Quick checklist

• Keep a fallback access path (second SSH session/provider console).
• Do not expose unnecessary ports. Publish only what you need.
• Verify permissions on keys/configs (a frequent cause of issues).
• Make one small change at a time and verify the result immediately.
• Keep notes of what you changed (file/command/time).

Verify the result

# Verify / sanity checks
sudo sshd -t
sudo ufw status verbose || true
sudo fail2ban-client status sshd || true
sudo ss -lntup | head -n 80

Common pitfalls

• Disabling passwords/root before verifying key login.
• Overly aggressive firewall rules (locking yourself out).

ssh-keygen -t ed25519 -C "[email protected]"

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@YOUR_SERVER_IP