Shengwei Hou | Setting up an RSA Key Pair for password-less authentication

Note: This is an export from my old wordpress website, your comments or references might be lost during the migration. Sorry for the inconvenience.

By putting your public key on the remote servers, one can connect to them without passwords, the pairing private key on your local client will do the authentication work.

Generate an RSA Key Pair on your local machine

 
ssh-keygen -t rsa

File location and passphrase will be asked while generating the RSA key pair. After that, we can find the public (id_rsa.pub) and private (id_rsa) keys under the ~/.ssh/ folder.

Install the public key to remote servers

 
ssh-copy-id -i ~/.ssh/id_rsa.pub user@host_name

By running this command, the content within the public key id_rsa.pub will be copied into the authorized_keys file on the remote server. Alternatively, we can just copy the content of ~/.ssh/id_rsa.pub on the client side, then append it at the end of the file ~/.ssh/authorized_keys on the server side. The following command ¹ will do the same work:

 
cat ~/.ssh/id_rsa.pub | ssh user@host_name "mkdir -p ~/.ssh && cat >>  ~/.ssh/authorized_keys"

Change the file and folder permissions of remote server ²

 
ssh user@host_name "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Enable SSH key authentication ³

Edit the SSH server config file /etc/ssh/sshd_config as below:

 
RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Troubleshooting
- The following error might be raised when you re-built your remote server:

 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for shengweihou.com has changed,
and the key for the corresponding IP address XX.XX.XX.XX
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/USER/.ssh/known_hosts:50
  remove with:
  ssh-keygen -f "/home/USER/.ssh/known_hosts" -R XX.XX.XX.XX
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:......................................................
Please contact your system administrator.
Add correct host key in /home/USER/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/USER/.ssh/known_hosts:48
  remove with:
  ssh-keygen -f "/home/USER/.ssh/known_hosts" -R host_name.com
ECDSA host key for domain_name.com has changed and you have requested strict checking.
Host key verification failed.

The solution has been suggested in the error message:

 
ssh-keygen -f "/home/USER/.ssh/known_hosts" -R [host_name.com or host_IP]

Reference

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys–2 ↩
https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/ ↩
http://linux-sys-adm.com/ubuntu-16.04-lts-how-to-install-and-configure-ssh/ ↩