I realize security can become an issue, but I'd like to make sure the connection between clients and servers works first before moving on to deal with security. One step at a time since I'm dealing with a distant end user who a short time ago didn't know what a terminal was. I have their login info (which was sent via GnuPG)
I plan on using the DenyUsers, AllowUsers,DenyGroups,AllowGroups rules, changing the default port from 22, not permitting root login, adding the hostname to the ssh_config file, sshutout or equivalent to watch repeated failed ssh login attempts, but first I want to make sure the connection works, then add the security measures one at a time then attempt a successful ssh login, add another security measure, check for ssh login again etc. If I can't get past the first hurdle no point in trying the next. By changing one security measure at a time, if I can't login remotely at least I'll know what security measure is causing the problem.
If things work after implementing all the above for CLI, I'd like to attempt nomachines' programs for X11 forwarding. Yes, I realize the free version only allows a small number of connections but it's sufficient for this case.
On first connection attempt when you get the authenticity of host can't be established the fingerprint is etc etc etc. Where is that key found on the remote machine? Is it the one in /etc/ssh/ssh_host_rsa_key or is it /etc/ssh/ssh_host_rsa_key.pub? (if using rsa keys) or is it in the ~/.ssh/known_host file? If I contact the remote machines party and ask them to send me the output of the command
ssh-keygen -l -f /correct/path/to/file
in an encrypted Gnupg E-Mail would that work to get the fingerprint of the openssh server? I'm trying to avoid blindly answering yes to the prompt on the first connection attempt.
What is the difference between the ssh_host_rsa_key file and the ~/.ssh/known_host file?