Purpose of first-define is the rule: In placing configuration files higher than user-defined configuration but Only with SSH client, can want user to have control from their config files: Remove from config files Place a couple under Match/MatchGroup using deny/accept.
SSHD (server/non-client) still support admin-defined by having system-wide settings done firstly. For those who have multi-file SSHD configurations, breakdown of the many config file locations and scopes here as it covers default user,
system-wide,
specific user:
Also I broken out each and every SSHD and SSH options along with their ordering by execution by using file name and numbering as well as its various state machine, dispatch, CLI equivalence, network context, and function nesting, all in:
With multiple config files overriding each other in an predictable order you can effectively allow users to change some settings while ignoring (overriding) whatever they set on others.
I do enjoy dual-PK-certificate authentication in my homelab: one by equipment, and one by user/group.
Only misgiving is that the key management issues have worsen only for the key administrator(s). But it is a viable and sustainable AA model because there is the most important security component: instant denial of a user and/or a equupment.
Are you using the verboten Chrome and its inability to negotiate and defer to server absolut side of ChaCha20-Poly1305 with sha512? It refuses client-demanded Chrome-forced ChaCha/sha256, AES and then RSA.
For SSH clients, the naming of configuration files are read in lexical ordering by OpenSSH.
Starts reading with /etc/ssh/sshd.d directory which can provide admins to give/takeaway what user can specify in their user config files then OpenSSH reads in the user-defined configuration in $HOME/.ssh/sshd.d.
Inserting configuration items into system config directory takes away user's ability to use nor change.
Removing from system directory reverts to a user-changeable default settings. Adding to user-directory (without any in system directory) gives user that choice.
For finer granularity of option usage, remove said option from both system directory and user config files then insert into last of lexical ordering config files (typically 99-something.conf or 999-something.conf) and place a couple under Match/MatchGroup using deny/accept.
> The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
Which permissions and authorizations can be delegated?
DAC is the out of the box SELinux configuration for most Linux distros; some processes are confined, but if the process executable does not have the necessary extended filesystem attribute labels the process runs unconfined; default allow all.
You can see which processes are confined with SELinux contexts with `ps -Z`.
Biggest problem is the use of a SELinux compiler into components understood only by SELinux engine.
Does not help when the SELinux source text file is not buildable by function/procedure axiom: it is at its grittiest granularity, which ironically is the best kind of security, but only if composed by the most savviest SELinux system admins.
Often requires full knowledge of any static/dynamic libraries and any additional dynamic libraries it calls and its resource usages.
Additional frontend UI will be required to proactively determine suitability with those dynamic libraries before any ease of SELinux deployment.
For now, it is a trial and error in part on those intermediate system admins or younger.
Applications don't need to be compiled with selinux libraries unless they want to bypass CLI tools like chcon and restorecon (which set extended filesystem attributes according to the system policy; typically at package install time if the package provenance is sufficient) by linking with libselinux.
Not this again...Limiting it to a % of something will just make the current system increase costs to the point where 10% becomes enough to continue paying fat checks to all these leeches.
Hey. Didn't realize that it was like that child toy that looked like a clear double-lined liquid-gel-filled with sparklers where you squeeze one end and it escapes out bigger at the other end.
Ummm, now that I had time to visualize at macroeconomic level, simple cap at each middleman's transactional behooves the supply chain to conspire on price-fixing just to feed and assist all the middlemen down the line to the patient, as you've asserted.
To introduce inter-middleman fighting ensues between favorable price and lower price...
Fixing at 1% total for each step along the way doesn't work because one can just add even more middlemen.
Fixed 2% price, over entire chain: A competing supplier can easily undercut that downstream conspiratorial bloat.
PMF stands for Product-Market Fit. It refers to the stage when a startup has developed a product that meets a strong market demand, meaning customers are willing to pay for it, and adoption is growing organically.
Achieving PMF is a critical milestone, as it signals that a company has found a scalable business model. It often results in rapid user growth, increased customer retention, and reduced reliance on aggressive marketing. Startups that fail to achieve PMF usually struggle to sustain themselves, regardless of funding.
Marc Andreessen, who popularized the term, described PMF as the moment when “the market pulls the product out of the startup.”
Open source, in search of a viable business model.
Classic, since days of MIT license lore.
Looks like universities and research labs (corporate, private, and government, wait, scratch that last one a bit) will be picking up the tiny slacks, ... again.
While not privacy-related, that http-only would break my own model of banning all things Chrome via a certain combo of TLSv3.1 crypto, regardless of UserAgent string.
When a US surgeon is told by an onsite insurance adjuster/nurse to wait (while patient is in operating room) for a corporate insurance approval, that is when I know that overreach by insuranxe adjuster has become too much.
Ironically yet somewhat related, same health insurance company's CEO got gunned down for oppressive medical denials.
Deny, Defend, Depose: it is not just a book, it's reality.
SSHD (server/non-client) still support admin-defined by having system-wide settings done firstly. For those who have multi-file SSHD configurations, breakdown of the many config file locations and scopes here as it covers default user, system-wide, specific user:
https://egbert.net/blog/articles/ssh-openssh-options-ways.ht...
Also I broken out each and every SSHD and SSH options along with their ordering by execution by using file name and numbering as well as its various state machine, dispatch, CLI equivalence, network context, and function nesting, all in:
https://github.com/egberts/easy-admin/tree/main/490-net-ssh
https://github.com/egberts/easy-admin/blob/main/490-net-ssh/...
Disclaimer: I do regular code reviews of OpenSSH and my employer authorizes me to release them (per se contract and NDA)
Also this showed how to properly mix and match authentication types using OR and AND logic(s) in
https://serverfault.com/a/996992
It is my dump mess so wade 'em and enjoy.
reply