SSH
Secure Shell — encrypted protocol to remotely connect to a server.
Uses a key pair: a private key (stays on your machine, never share it) and a public key (placed on the server).
Client Side
Generate a key pair
ssh-keygen -t ed25519 -C "my-vps"
# or RSA if ed25519 isn't supported
ssh-keygen -t rsa -b 4096 -C "my-vps"
This creates two files: ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public).
~/.ssh/config
Lets you define shortcuts for your connections.
Host mysshconnection
    Hostname 127.0.0.1
    User lucas
    Port 22
    IdentitiesOnly yes
    IdentityFile ~/.ssh/key_id_rsa
Then connect with just: ssh mysshconnection
Server Side
Add your public key
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys # paste your public key here
chmod 600 ~/.ssh/authorized_keys
Permissions matter: sshd ignores authorized_keys (so key login fails) if the file or ~/.ssh is writable by other users.
/etc/ssh/sshd_config
# never allow root login over SSH
PermitRootLogin no
# key-only auth (disable password login)
PasswordAuthentication no
# ensure key auth is enabled
PubkeyAuthentication yes
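Apply changes (keep your current session open until a fresh login succeeds):
sudo sshd -t # test config for errors before restarting
sudo systemctl restart ssh # the unit is named sshd on RHEL-family systems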
Cloud VPS override (cloud-init)
On cloud providers (DigitalOcean, AWS, etc.), cloud-init may create
/etc/ssh/sshd_config.d/50-cloud-init.conf which overrides the main config.
If PasswordAuthentication no isn't taking effect, set it there too:
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
# set: PasswordAuthentication no
sudo systemctl restart ssh
Files in sshd_config.d/ are loaded after the main config, so they win on conflicts.
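Since the value sshd ends up using depends on every included file, it is worth checking the resolved configuration rather than any single file. The script below is an added example, not part of the original notes: it reads the output of sshd -T (which prints the effective settings) and compares it with the three values set above. The function names audit_sshd and sample_effective are hypothetical, and the sample input is constructed.

```shell
# Added example: audit effective sshd settings, as printed by `sshd -T`,
# against the three values this page sets in sshd_config.
# Expected values ("keyword=value", lowercase as sshd -T prints them).
EXPECTED='permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes'

# Reads `sshd -T` output on stdin, prints one line per check and
# returns the number of settings that are missing or differ.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        { k = tolower($1); if (k in want) got[k] = tolower($2) }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in got)) { print "MISSING " k " (want " want[k] ")"; bad++ }
                else if (got[k] != want[k]) { print "FAIL " k " " got[k] " (want " want[k] ")"; bad++ }
                else print "OK " k " " got[k]
            }
            exit bad
        }'
}

# Constructed sample of `sshd -T` output; $1 is the effective
# PasswordAuthentication value (yes = a drop-in re-enabled passwords).
sample_effective() {
    printf 'port 22\npermitrootlogin no\npubkeyauthentication yes\npasswordauthentication %s\n' "$1"
}

# On a real server: sudo sshd -T | audit_sshd
sample_effective yes | audit_sshd || echo "=> $? setting(s) differ from the page"
```

Run it after every restart; a non-zero exit status is the number of settings that do not match.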