* use -t ed25519 to generate keys, much more efficient for same security compared to RSA
* don’t use ufw. It easily becomes a big mess and is a pain to manage with ansible. firewalld is a much better high-lever firewall. Preferably with nftables backend.
If you have a bit bigger fleet and manage a CA you could look into using signed SSH certificates instead of public keys. That way you can provision access centrally without adding individual keys to individual servers.
It’s all still what I’d call “good advice if you refuse to take some better advice”. The caveat at the beginning acknowledges that this is a pragmatic approach rather than the best approach, and I think in the intervening time I’ve become more convinced that the better approach is the only approach: namely to automate a lot more of these things, which is alluded to at the end.
I’d also ditch the use of any shared credential other than the emergency root password, which should be locked away and not actually known by any people. Your mechanism for syncing ssh pubkeys (which, btw, isn’t specified in the article, which in my experience means it doesn’t really exist :D) on the shared account should instead populate the user keys directory and there should be one logon per user.
* use -t ed25519 to generate keys, much more efficient for same security compared to RSA
* don’t use ufw. It easily becomes a big mess and is a pain to manage with ansible. firewalld is a much better high-lever firewall. Preferably with nftables backend.
If you have a bit bigger fleet and manage a CA you could look into using signed SSH certificates instead of public keys. That way you can provision access centrally without adding individual keys to individual servers.