SSH Hardening: Ed25519 Keys and Disabling Root Login

via Dev.to, Russell Jones

Ahnii! This is part 2 of the Production Linux series. Previous: Provision an Ubuntu VPS and Create a Deploy User.

SSH is the front door to your server. A default installation leaves several doors unlocked: root login allowed, RSA keys accepted, authentication methods enabled that you never use. This post locks all of that down with ed25519 keys, full root login denial, and a minimal drop-in config file.

Generate an Ed25519 Key

Run this on your local machine, not the server:

    ssh-keygen -t ed25519 -C "your@email.com"

This creates ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public). The -C flag adds a comment to the public key to help you identify it later.

Ed25519 is the current standard over RSA. The key is smaller, the math is faster, and the implementation has fewer side-channel risks. An RSA key at 4096 bits is still considered safe, but ed25519 achieves stronger security guarantees with 256 bits.

Copy the public key to your server:

    ssh-copy-id -i ~/.ssh/id_ed25519.pub d
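To check a server against the goals this post names (root login denied, RSA keys not accepted, unused authentication methods off), the following added example, which is not from the original article, audits text in the format printed by `sshd -T`. The function name `audit_sshd`, the two sample configurations, and the choice of password and keyboard-interactive as the "unused" methods are assumptions.

```shell
#!/bin/sh
# Added example (not the article's code): audit effective sshd settings.
# On a real server, feed it the effective config:  sudo sshd -T | audit_sshd

# audit_sshd: reads `sshd -T` output (lowercase "keyword value" lines) on
# stdin, prints one FAIL line per finding, and returns 1 if anything failed.
audit_sshd() {
    awk '
        { key = $1; val = $2 }
        # The post calls for full root login denial, so only "no" passes.
        key == "permitrootlogin" && val != "no" {
            print "FAIL permitrootlogin=" val " (want no)"; bad++ }
        # Assumption: these are the methods a key-only server never uses.
        (key == "passwordauthentication" || key == "kbdinteractiveauthentication") && val != "no" {
            print "FAIL " key "=" val " (want no)"; bad++ }
        key == "pubkeyauthentication" && val != "yes" {
            print "FAIL pubkeyauthentication=" val " (want yes)"; bad++ }
        # Flag every RSA-based signature algorithm still accepted for user keys.
        key == "pubkeyacceptedalgorithms" {
            n = split(val, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] ~ /rsa/) {
                    print "FAIL pubkeyacceptedalgorithms allows " algs[i]; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Constructed samples in `sshd -T` format (not captured from a real host).
DEFAULT_CFG='permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

HARDENED_CFG='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
pubkeyacceptedalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com'

printf '%s\n' "$DEFAULT_CFG" | audit_sshd || echo "default sample: findings above"
printf '%s\n' "$HARDENED_CFG" | audit_sshd && echo "hardened sample: clean"
```

A keyword that is absent from the input is not reported, so run it against complete `sshd -T` output; older OpenSSH releases print some of these settings under different keyword names.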
