is for client side config – here you can for example enable
similar to ~/.ssh/known_hosts it contains the system-wide-accepted public keys of other hosts.
So if you have "StrictHostKeyChecking yes" enabled, you could manually accept public SSH keys of other servers via:
ssh-keyscan 172.20.0.12 >> /etc/ssh/ssh_known_hosts
172.20.0.12 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQryBgagbahNX2qh2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=
(does not contain the full public key – just a hash of the key of server 0.12)
If the server's key is not in the list you will get:
"No ECDSA host key is known for 172.20.0.12 and you have requested strict checking.
Host key verification failed."
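ssh-keyscan does not authenticate what it prints, so a scanned line should be compared against a fingerprint obtained out of band (for example from the server's console) before it is appended to /etc/ssh/ssh_known_hosts. The following is an added example, not part of the original post; the function names are made up here and the sample line is the ssh-keyscan output shown above.

```python
import base64
import hashlib
import hmac
import struct

# Sample input: the ssh-keyscan line from this page (host, key type, base64 key field).
SCANNED = ("172.20.0.12 ecdsa-sha2-nistp256 "
           "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQry"
           "BgagbahNX2qh2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=")


def parse_line(line):
    """Split a known_hosts-style line into (host, key type, decoded key field)."""
    host, ktype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The key field begins with a length-prefixed copy of the key type.
    # A mismatch means the line was mangled or spliced together.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key type does not match the key field")
    return host, ktype, blob


def fingerprint(blob):
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def vetted_entry(line, trusted_fp):
    """Return the entry to append, or None if the fingerprint is not the trusted one."""
    _host, _ktype, blob = parse_line(line)
    if not hmac.compare_digest(fingerprint(blob), trusted_fp):
        return None
    return " ".join(line.split()[:3])


if __name__ == "__main__":
    # Print the fingerprint so it can be compared with the one read on the server.
    print(fingerprint(parse_line(SCANNED)[2]))
```

Only a line for which vetted_entry() returns an entry should be appended to the known-hosts file.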
is for server side config – here you can specify what auth mechanism (password or pgp) to use, or which users are allowed to log in and from which IPs.
# only allow user "user" to log in from IPs 0.7, 0.28, 0.12 and 0.25; user maria may only log in from IP 0.7
AllowUsers firstname.lastname@example.org email@example.com firstname.lastname@example.org user@localhost email@example.com firstname.lastname@example.org
echo "all ssh-logins are temporarily disabled until the next reboot. sorry for the inconvenience." > /etc/nologin
If this file exists, nobody can log in, except root directly at a physical server terminal.
The file seems to get automatically deleted on a reboot (Debian 8.8).