client

/etc/ssh/ssh_config

is for client side config – here you can for example enable

StrictHostKeyChecking yes

/etc/ssh/ssh_known_hosts

similar to ~/.ssh/known_hosts it contains the system-wide-accepted public keys of other hosts.

So if you have „StrictHostKeyChecking yes“ enabled, you could manually accept public ssh keys of other servers via:

ssh-keyscan 172.20.0.12 >> /etc/ssh/ssh_known_hosts
cat known_hosts
 172.20.0.12 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE34/VhKn0tFZQryBgagbahNX2qh2My+ywGfXDNd/rNZRWJcpdr2g0++I6plyMtmahXd2vMU6j03g/Me67xD4C4=

(does not contain the full public key – just a hash of the key of server 0.12)

if the server’s key is not in the list you will get:

„No ECDSA host key is known for 172.20.0.12 and you have requested strict checking.
Host key verification failed.“

server

vi /etc/ssh/sshd_config

is for server side config – here you can specify what auth-meachanism (password or pgp) to use or what users and from what IP’s are allowed to login.
You should disable password auth completely and ONLY user public-private-key authentication.

if you have problems loggin in check the logs…

find /var/log/ -type f \( -name "*" \) ! -path '*.gz*' -exec tail -n0 -f "$file" {} +

sshd[11808]: Authentication refused: bad ownership or modes for directory /home/user/.ssh

solution:

chown -R user:user /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
chmod 700 /home/user/.ssh

tightening security

login to your server, become root… open a second console to test logging in with public keys.

the root-console will stay open even when you restart ssh 🙂

check version running:
sshd -v unknown option -- v OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017AllowUsers user1 user2 user3 # will allow only those usernames to login

vi /etc/ssh/sshd_config; # open up open ssh server config file
# only allow user user to login from IP 0.7 0.28 0.12 0.25 user maria may only login from ip 0.7

# if you even want to restrict to certain (fixed) IPs that should be allowed to login go like this:
AllowUsers user1@172.20.0.7 user2@172.20.0.28 user3@172.20.0.12

PermitRootLogin no <- should always be no
PubkeyAuthentication yes <- use this ONLY to prevent bruteforce attacks
ChallengeResponseAuthentication no
PasswordAuthentication no <- use this ONLY to prevent bruteforce attacks
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM no <- on debian i used to disable this
X11Forwarding no <- afaik this should be disabled as well, usually you don't have a gui on your server

:wq; # save and quit in vi

service sshd restart; # restart ssh

test to login from second console

telnet 94.1XX.XXX.XX 22; # will give you the ssh version the server is running... you probably want to hide that
Trying 94.1XX.XXX.XX...
Connected to 94.1XX.XXX.XX.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4

special tricks:

/etc/nologin

echo „all ssh-logins are temporarily disabled until the next reboot. sorry for the inconveniane.“ > /etc/nologin

if this file exists – nobody can login – except root directly at a physical server terminal.

the file seems to get automatically deleted on a reboot(debian8.8).

 

admin