Lesson 6: First Login — SSH and Security

What You're Doing

Your server is running and your SSH key was already added during deployment in Lesson 5. In this lesson you'll:

Log in for the first time via SSH
Create a non-root user
Copy your SSH key to the new user
Disable password login
Set up a basic firewall

This is the most technical lesson in the curriculum. Take it slow — every step matters.

SSH Basics

SSH (Secure Shell) is how you talk to your server from your computer. It's a text-based terminal — you type commands, the server runs them.

Since you added your SSH key during deployment in Lesson 5, you can log in as root without a password. Open the same terminal you used to generate your key and type:

ssh root@YOUR_SERVER_IP

Replace YOUR_SERVER_IP with the IP from Lesson 5. Type yes when asked about the fingerprint. You should be logged in automatically — no password needed.

Step 1: Update the System

First thing — update all packages:

apt update && apt upgrade -y

This may take a minute. Say yes to any prompts.

Step 2: Create a Non-Root User

Running everything as root is dangerous — one wrong command can destroy the system. Create a regular user:

adduser claw

Set a strong password (generate one in Bitwarden and save it as "Vultr VPS — claw user").

Give this user admin privileges:

usermod -aG sudo claw

This gives claw full admin power — with sudo, it can install software, change firewall rules, edit any file on the system, and even delete everything. We need this because later lessons use sudo to install OpenClaw, configure Caddy, and manage the firewall. This is also why the automatic backups you enabled in Lesson 5 matter — if a sudo command ever goes sideways, you can restore from a backup instead of starting over.

Step 3: Copy Your SSH Key to the New User

Your SSH key was already added to the root account during deployment in Lesson 5. Now copy it to your new claw user so you can log in as that user with the same key.

Still logged in as root on the server, run:

mkdir -p /home/claw/.ssh
cp /root/.ssh/authorized_keys /home/claw/.ssh/authorized_keys
chown -R claw:claw /home/claw/.ssh
chmod 700 /home/claw/.ssh
chmod 600 /home/claw/.ssh/authorized_keys

Now verify it works — from your local computer, open a new terminal and run:

ssh claw@YOUR_SERVER_IP

You should be logged in without a password.

Step 4: Disable Password Login

Now that SSH keys work, disable password login to prevent brute-force attacks:

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PasswordAuthentication no
PermitRootLogin no

Use Ctrl+W to search for each setting. Some may be commented out with a # — remove the # and change the value.

Save (Ctrl+O, Enter) and exit (Ctrl+X). Restart SSH:

sudo systemctl restart sshd

Before you close your current session, open a NEW terminal and verify you can still log in:

ssh claw@YOUR_SERVER_IP

If this works, you're safe. If it doesn't, go back to your existing session and fix the config. Remember: Vultr's View Console is your emergency escape hatch if you get locked out.

Step 5: Set Up the Firewall

sudo ufw allow OpenSSH
sudo ufw enable

Type y to confirm. This blocks all incoming traffic except SSH.

When You're Done

Logged in as root via SSH
System updated
Non-root user claw created with sudo access
SSH key verified for claw user
Password login disabled
Root login disabled
Firewall enabled with SSH allowed
Can log in as claw with SSH key (no password)
All credentials saved in Bitwarden

First Login — SSH and Security

What You're Doing

SSH Basics

Step 1: Update the System

Step 2: Create a Non-Root User

Step 3: Copy Your SSH Key to the New User

Step 4: Disable Password Login

Step 5: Set Up the Firewall

When You're Done

Further Reading