is for client side config – here you can for example enable

StrictHostKeyChecking yes


similar to ~/.ssh/known_hosts it contains the system-wide-accepted public keys of other hosts.

So if you have „StrictHostKeyChecking yes“ enabled, you could manually accept public ssh keys of other servers via:

ssh-keyscan >> /etc/ssh/ssh_known_hosts

cat known_hosts
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQryBgagbahNX2qh2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=

(does not contain the full public key – just a hash of the key of server 0.12)

if the server’s key is not in the list you will get:

„No ECDSA host key is known for and you have requested strict checking.
Host key verification failed.“
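
Appending ssh-keyscan output straight to /etc/ssh/ssh_known_hosts trusts whatever answered the scan. The following added example (not from the original post) checks a scanned line against a fingerprint obtained out of band before the line is accepted. The host name server.example and the function names are assumptions; the key type and blob are those of the known_hosts entry shown above.

```python
import base64
import hashlib
import hmac
import struct

# Key type and blob copied from the known_hosts entry shown above; the host
# name "server.example" is a constructed placeholder (the page's is elided).
SCANNED_LINE = ("server.example ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQryBgag"
    "bahNX2qh2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=")


def wire_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def fingerprint(line):
    """Return (host, key type, SHA256 fingerprint) for one scanned line."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: host keytype base64-blob")
    host, key_type, b64 = parts[:3]
    blob = base64.b64decode(b64, validate=True)
    fields = wire_fields(blob)
    # The type named in the text column must match the type inside the blob.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type does not match blob contents")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return host, key_type, "SHA256:" + digest.rstrip("=")


def accept_if_verified(line, expected_fp):
    """Return the line to append only if its fingerprint matches expected_fp."""
    _, _, actual = fingerprint(line)
    if not hmac.compare_digest(actual.encode(), expected_fp.encode()):
        raise ValueError("fingerprint mismatch, not adding: " + actual)
    return line.strip() + "\n"
```

The fingerprint string has the same SHA256:... form that ssh-keygen -lf prints, so expected_fp can be read off the server's console and compared before anything is written to ssh_known_hosts.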



is for server side config – here you can specify what auth mechanism (password or pgp) to use, or which users and from which IPs are allowed to log in.

# only allow user user to login from IP 0.7 0.28 0.12 0.25
# user maria may only login from ip 0.7

AllowUsers user@ user@ user@ user@localhost user@ maria@


echo "all ssh-logins are temporarily disabled until the next reboot. sorry for the inconvenience." > /etc/nologin

if this file exists – nobody can log in – except root directly at a physical server terminal.

the file seems to get automatically deleted on a reboot (debian8.8).