The purpose of the first-define rule: it places configuration files above user-defined configuration, but only with the SSH client. If you want users to have control from their config files, remove the settings from the config files and place a couple under Match/MatchGroup using deny/accept.<p>SSHD (server, non-client) still supports admin-defined settings by having the system-wide settings done first. For those who have multi-file SSHD configurations, here is a breakdown of the many config file locations and scopes, as it covers default user, system-wide, and specific user:<p><a href="https://egbert.net/blog/articles/ssh-openssh-options-ways.html" rel="nofollow">https://egbert.net/blog/articles/ssh-openssh-options-ways.html</a><p>Also, I broke out each and every SSHD and SSH option along with their ordering by execution, using file name and numbering, as well as the various state machines, dispatch, CLI equivalence, network context, and function nesting, all in:<p><a href="https://github.com/egberts/easy-admin/tree/main/490-net-ssh">https://github.com/egberts/easy-admin/tree/main/490-net-ssh</a><p><a href="https://github.com/egberts/easy-admin/blob/main/490-net-ssh/sshd_config.d/410-protocol-auth-methods.conf">https://github.com/egberts/easy-admin/blob/main/490-net-ssh/sshd_config.d/410-protocol-auth-methods.conf</a><p>Disclaimer: I do regular code reviews of OpenSSH and my employer authorizes me to release them (per contract and NDA).<p>This also shows how to properly mix and match authentication types using OR and AND logic:<p><a href="https://serverfault.com/a/996992" rel="nofollow">https://serverfault.com/a/996992</a><p>It is my dump mess, so wade through 'em and enjoy.
This is perhaps old sysadmin knowledge, but different tools have very different heuristics about how they parse configuration, and you have to check every time and not assume. Among the consequences of not checking are gaping security holes.
That's why I erase sshd_config and put what I really meant there. You may say "but isn't it better to patch it properly?". It is not. Yet another VPS hoster -> yet another /etc/ssh directory template that may have all sorts of access issues in it. Better to replace it and make it do exactly what you have planned.
Yeah, first-wins is definitely surprising. Off the top of my head, it feels like one would have to go out of one’s way to write a parser that does that (by storing an extra bit of state for each configuration item, and then checking it before setting the configuration item and toggling the state, rather than just applying the configuration item each time it is encountered).<p>Is there a good reason for this design? I can’t think of one, again off the top of my head, but of course I could be missing something.
The only time I hear or see anything about cloudinit, it is always a problem.
Nobody ever said "we don't need to worry about that, cloudinit takes care of it".<p>What good does cloudinit do, really?
I've made a big stink about this last time: <a href="https://news.ycombinator.com/item?id=42133181">https://news.ycombinator.com/item?id=42133181</a><p>They've updated the documentation on /etc/ssh/sshd_config
<a href="https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2088207" rel="nofollow">https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2088207</a>
I don't like these systems where configuration is built from a million separate files. They're unpleasant to work with.<p>The best reason to do it this way seems to be that files are the unit of package management. Perhaps we need a smarter package manager.<p>My nginx.conf life got better when I deleted sites-available and sites-enabled and defined my sites inline in nginx.conf.<p>The only thing worse is when the configuration is actually a program that generates the configuration, like in ALSA.<p>And the only thing worse than ALSA style is Xorg style, with a default configuration generated by C code and you can only apply changes to it without seeing it. Xorg also has this weird indirection thing where the options are like Option "Foo" "Bar" instead of Foo "Bar", but that's a nitpick in comparison.
Curious, since when is the directory "/etc/ssh/sshd_config.d/" a thing?<p>I checked on my OpenBSD (7.6) system and Slackware (15.0) and that directory does not exist. I checked the man page for sshd and there is no mention of that dir.<p>Is this a new thing/patch Linux people came up with?
This is weird. I've been hitting funny problems while trying to get ssh to authenticate (using passwords) via a Keycloak instance. I've been trying to do it using a PAM script but have been pretty unsuccessful till now. Apparently, they don't play nice together.
This is interesting; usually it's the latter because the config is run line by line.<p>Also, if it's not too much trouble, would someone help me understand why such files are required to start with numbers? In this case it's 10-no-password.conf.<p>I have noticed a similar structure for apt and many more packages.
It's a pet gripe with CLI apps that do first-wins as well.<p>You should be able to set<p><pre><code> alias foo='foo -p 80'
</code></pre>
And still write<p><pre><code> foo -p 81
</code></pre>
espeak suffers this affliction.