> "can't effectively be bruteforced like a user+password."

Only when the password is weak enough to bruteforce swiftly. It will take literally thousands of years to bruteforce strong passwords.

But you only need one weak password to get in

But you only need one password to protect your HTTP auth phpMyAdmin so just make it 30 characters.

> someone with enough time will eventually get in

That's only correct if the password is weak. With enough entropy, it's practically impossible to brute force.

Genuine question that I haven't found a good solution to yet, if I want to just go to any old computer and ssh into my server, do I have to carry around a USB stick with the ssh key on or something? because I sure as hell wont be able to just remember it

The preferred solution would be something like a Yubikey. However:

> just go to any old computer and ssh into my server

You've typed your password into a computer you don't control. Now it's gone. Same for plugging in the USB stick. The Yubikey approach mitigates that.

Assuming you want to do this, the best practice you can achieve is just making the password long.

I mean, the password to the only ssh thing accessible from outside is 17 characters, and root is not ssh-able, only my user with a custom username

There's no secure way to do that. You have no guarantee that the computer won't copy your key or keylog your password.

You can mitigate it by using an MFA method that requires confirming on a separate device like a phone, but that's down to one layer of defense.

I use an SSH app on my phone for remote access, and I go over a VPN. SSH is not exposed to the public internet.

In that case I'd normally recommend a bastion host with SSH MFA and fail2ban. It'd be publicly available and have SSH keys for other machines. Or you could look at setting up a VPN solution with MFA, but never have a password only admin login exposed to the public Internet.