client

/etc/ssh/ssh_config

is for client-side config – here you can, for example, enable

StrictHostKeyChecking yes

/etc/ssh/ssh_known_hosts

similar to ~/.ssh/known_hosts, it contains the system-wide accepted public keys of other hosts.

So if you have „StrictHostKeyChecking yes“ enabled, you can manually accept the public SSH keys of other servers via:

ssh-keyscan 172.20.0.12 >> /etc/ssh/ssh_known_hosts

cat known_hosts
172.20.0.12 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQryBgagbahNX2qh2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=

(does not contain the full public key – just a hash of the key of server 0.12)

If the server’s key is not in the list, you will get:

„No ECDSA host key is known for 172.20.0.12 and you have requested strict checking.
Host key verification failed.“
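Added example (not part of the original post): a small parser for the ssh_known_hosts entry shown above. The third field is the SSH wire encoding of the public key itself (key type, curve name, uncompressed EC point); the code decodes it, computes the SHA256 fingerprint that ssh-keygen -lf prints, and reproduces the lookup behind the strict-checking error, i.e. no entry for the host. The sample line is the one from the post; the function names are my own.

```python
import base64
import hashlib
import struct

# Constructed sample: the /etc/ssh/ssh_known_hosts line quoted in the post.
KNOWN_HOSTS = (
    "172.20.0.12 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQryBgagbahNX2qh"
    "2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=\n"
)

def read_ssh_string(blob, offset):
    """Read one length-prefixed SSH 'string' (RFC 4251 framing) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def parse_entry(line):
    """Decode one known_hosts entry: hosts, key type, inner fields, fingerprint."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob's first string repeats the key type; a mismatch means a corrupt entry.
    inner_type, offset = read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type mismatch: %s vs %r" % (key_type, inner_type))
    fields = []  # for ECDSA: curve name, then the uncompressed EC point (0x04 ...)
    while offset < len(blob):
        field, offset = read_ssh_string(blob, offset)
        fields.append(field)
    # ssh-keygen -lf prints SHA256 over the raw blob, base64 without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"hosts": hosts.split(","), "key_type": key_type,
            "fields": fields, "fingerprint": "SHA256:" + digest}

def lookup_host(known_hosts_text, host):
    """Entries naming host; an empty list is the 'No ... host key is known' case."""
    found = []
    for line in known_hosts_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if host in entry["hosts"]:
            found.append(entry)
    return found

def scanned_key_matches(known_hosts_text, scanned_line):
    """True if a fresh ssh-keyscan line agrees with the stored key of the same type,
    None if no stored key of that type exists, False if the host key has changed."""
    scanned = parse_entry(scanned_line)
    for entry in lookup_host(known_hosts_text, scanned["hosts"][0]):
        if entry["key_type"] == scanned["key_type"]:
            return entry["fingerprint"] == scanned["fingerprint"]
    return None
```

Hashed entries (HashKnownHosts yes, lines starting with |1|) are not handled here; they need the HMAC comparison ssh itself does rather than a plain hostname match.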

server

/etc/ssh/sshd_config

is for server-side config – here you can specify which auth mechanism (password or public key) to use, or which users are allowed to log in and from which IPs.

# only allow user "user" to log in from 172.20.0.7, .28, .12, .25 and localhost; user "maria" may only log in from 172.20.0.7

AllowUsers user@172.20.0.7 user@172.20.0.28 user@172.20.0.12 user@localhost user@172.20.0.25 maria@172.20.0.7

/etc/nologin

echo "all ssh-logins are temporarily disabled until the next reboot. sorry for the inconvenience." > /etc/nologin

If this file exists, nobody can log in – except root, directly at a physical server terminal.

The file seems to get deleted automatically on a reboot (Debian 8.8).


admin