[egberts1]

Purpose of first-define is the rule: In placing configuration files higher than user-defined configuration but Only with SSH client, can want user to have control from their config files: Remove from config files Place a couple under Match/MatchGroup using deny/accept.

SSHD (server/non-client) still support admin-defined by having system-wide settings done firstly. For those who have multi-file SSHD configurations, breakdown of the many config file locations and scopes here as it covers default user, system-wide, specific user:

https://egbert.net/blog/articles/ssh-openssh-options-ways.ht...

Also I broken out each and every SSHD and SSH options along with their ordering by execution by using file name and numbering as well as its various state machine, dispatch, CLI equivalence, network context, and function nesting, all in:

https://github.com/egberts/easy-admin/tree/main/490-net-ssh

https://github.com/egberts/easy-admin/blob/main/490-net-ssh/...

Disclaimer: I do regular code reviews of OpenSSH and my employer authorizes me to release them (per se contract and NDA)

Also this showed how to properly mix and match authentication types using OR and AND logic(s) in

https://serverfault.com/a/996992

It is my dump mess so wade 'em and enjoy.

[dfc]

The way you wrote the rule makes no sense to me. Maybe it's too early in the day for me?

"In placing configuration files higher than user-defined configuration but Only with SSH client, can want..."

[atoav]

With multiple config files overriding each other in an predictable order you can effectively allow users to change some settings while ignoring (overriding) whatever they set on others.

[egberts1]

https://news.ycombinator.com/item?id=43605285

[egberts1]

I find this SSHD snippet to be extremely useful in enterprise network, notably with OpenLDAP.

Also the most dangerous but flexible way to authenticate a user.

https://jpmens.net/2019/03/02/sshd-and-authorizedkeyscommand...

[efrecon]

This is really good! Thanks!

[egberts1]

For those that are exploring software-based public certificate and OpenSSH, Ive broken down the settings for most PKI handlers.

https://egbert.net/blog/articles/openssh-file-authorized_key...

[memco]

Thanks for sharing this! I think I may now have what I need to set up a system with multi-user shared keys that only work for a given set of users.

[egberts]

I do enjoy dual-PK-certificate authentication in my homelab: one by equipment, and one by user/group.

Only misgiving is that the key management issues have worsen only for the key administrator(s). But it is a viable and sustainable AA model because there is the most important security component: instant denial of a user and/or a equupment.

[gosub100]

We must have knocked your site offline

[egberts1]

Uptime remains uninterrupted.

Are you using the verboten Chrome and its inability to negotiate and defer to server absolut side of ChaCha20-Poly1305 with sha512? It refuses client-demanded Chrome-forced ChaCha/sha256, AES and then RSA.

[ThePowerOfFuet]

This comment seems to have a lot to say but it was word salad to me, quite confusing and hard to read :(

[egberts1]

https://news.ycombinator.com/item?id=43605285

[egberts1]

It has been translated from OpenSSH meta-spaghetti code logic. Break it down by parts of sentence.

[Thorrez]

I've tried reading it over and over, and tried breaking it down by pars of the the sentence. It still doesn't make sense to me.

[egberts1]

For SSH clients, the naming of configuration files are read in lexical ordering by OpenSSH.

Starts reading with /etc/ssh/sshd.d directory which can provide admins to give/takeaway what user can specify in their user config files then OpenSSH reads in the user-defined configuration in $HOME/.ssh/sshd.d.

Inserting configuration items into system config directory takes away user's ability to use nor change.

Removing from system directory reverts to a user-changeable default settings. Adding to user-directory (without any in system directory) gives user that choice.

For finer granularity of option usage, remove said option from both system directory and user config files then insert into last of lexical ordering config files (typically 99-something.conf or 999-something.conf) and place a couple under Match/MatchGroup using deny/accept.