Remote access is powerful. Because you are opening a door into your primary development environment, you must treat it like production access.
If your phone is lost or a password is reused or leaked, a poorly secured SSH server can become a fast path to a total account takeover. Using keys and hardening your settings reduces that risk dramatically.
Operate with the minimum level of access required to get the job done.
- Consider creating a dedicated "doom-coding" user account on your host
- Keep that user's permissions limited to your development directories
- Do not develop or SSH in as an administrator or root user
Passwords are susceptible to brute-force attacks and credential stuffing. SSH keys (Ed25519 preferred) provide much stronger authentication.
- Once you verify your keys work, disable password-based authentication
- Optionally restrict which specific users or IPs are allowed to SSH into the host
- Ensure FileVault (macOS), BitLocker (Windows), or LUKS (Linux) is active.
  - macOS: Run `fdesetup status` to verify.
- Keep the host OS and SSH server updated.
- Enable a firewall and only allow traffic from your private VPN.
- Your phone is your key. Use biometric locks or strong passcodes
- Store your private keys in a secure enclave or a password manager that supports SSH key storage
- Periodically check your VPN dashboard to see which devices are connected to your private network
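One way to check the SSH items above (password authentication disabled, no root login, access limited to named users) is to audit the server's `sshd_config`. This is an added example, not part of the original guide; the sample configs are constructed and the account name `doomcoder` is hypothetical.

```python
# Added example, not from the original guide. Include files are not followed
# and Match blocks are ignored; confirm the live values with `sshd -T`.

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: the trailing "no" has no effect because the first value wins.
WEAK_SAMPLE = """\
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""
# Constructed sample; "doomcoder" is a hypothetical dedicated account name.
HARDENED_SAMPLE = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers doomcoder
"""

def parse_global(text):
    """Return {keyword: value} for the global section; first value wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional blocks follow; stop at the global section
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return findings as a list of strings; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_global(text)}
    wanted = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
              "permitrootlogin": "no", "pubkeyauthentication": "yes"}
    findings = [f"{k} is '{cfg[k]}', expected '{v}'"
                for k, v in wanted.items() if cfg[k].lower() != v]
    if "allowusers" not in cfg:
        findings.append("allowusers is not set, so SSH is not limited to specific accounts")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit(sample) or "OK")
```

The weak sample shows a common pitfall: appending `PasswordAuthentication no` below an earlier `yes` changes nothing, so edit or remove the first occurrence.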