Lesson 6: First Login — SSH and Security

What You're Doing

Your server is running, but right now it's using a root password that was auto-generated. That's not secure for the long term. In this lesson you'll:

Log in for the first time via SSH
Create a non-root user
Set up SSH key authentication (much safer than passwords)
Disable password login
Set up a basic firewall

This is the most technical lesson in the curriculum. Take it slow — every step matters.

SSH Basics

SSH (Secure Shell) is how you talk to your server from your computer. It's a text-based terminal — you type commands, the server runs them.

On Mac/Linux

Open Terminal and type:

ssh root@YOUR_SERVER_IP

Replace YOUR_SERVER_IP with the IP from Lesson 5. Type yes when asked about the fingerprint, then paste the root password from Bitwarden.

On Windows

On Windows 10/11, open PowerShell or Windows Terminal and use the built-in ssh command:

ssh root@YOUR_SERVER_IP

If you're on an older version of Windows, download and install PuTTY.

Step 1: Update the System

First thing — update all packages:

apt update && apt upgrade -y

This may take a minute. Say yes to any prompts.

Step 2: Create a Non-Root User

Running everything as root is dangerous — one wrong command can destroy the system. Create a regular user:

adduser claw

Set a strong password (generate one in Bitwarden and save it as "Vultr VPS — claw user").

Give this user admin privileges:

usermod -aG sudo claw

Step 3: Set Up SSH Keys

SSH keys are like a lock and key pair. Your computer has the private key (never share this), the server has the public key.

On your local computer (not the server), open a new terminal:

ssh-keygen -t ed25519 -C "openclaw-vps"

Press Enter for the default location. Set a passphrase if you want extra security.

Copy Your Key to the Server

Mac/Linux

ssh-copy-id claw@YOUR_SERVER_IP

Windows (PowerShell)

Windows doesn't have ssh-copy-id. Instead, run this in PowerShell:

type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh claw@YOUR_SERVER_IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Test it — you should be able to log in without a password:

ssh claw@YOUR_SERVER_IP

Step 4: Disable Password Login

Now that SSH keys work, disable password login to prevent brute-force attacks:

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PasswordAuthentication no
PermitRootLogin no

Use Ctrl+W to search for each setting. Some may be commented out with a # — remove the # and change the value.

Save (Ctrl+O, Enter) and exit (Ctrl+X). Restart SSH:

sudo systemctl restart sshd

Before you close your current session, open a NEW terminal and verify you can still log in:

ssh claw@YOUR_SERVER_IP

If this works, you're safe. If it doesn't, go back to your existing session and fix the config. Remember: Vultr's View Console is your emergency escape hatch if you get locked out.

Step 5: Set Up the Firewall

sudo ufw allow OpenSSH
sudo ufw enable

Type y to confirm. This blocks all incoming traffic except SSH.

When You're Done

Logged in as root via SSH
System updated
Non-root user claw created with sudo access
SSH key pair generated and installed
Password login disabled
Root login disabled
Firewall enabled with SSH allowed
Can log in as claw with SSH key (no password)
All credentials saved in Bitwarden

First Login — SSH and Security

What You're Doing

SSH Basics

On Mac/Linux

On Windows

Step 1: Update the System

Step 2: Create a Non-Root User

Step 3: Set Up SSH Keys

Copy Your Key to the Server

Mac/Linux

Windows (PowerShell)

Step 4: Disable Password Login

Step 5: Set Up the Firewall

When You're Done

Further Reading