
Four interacting decisions break ssh access - r4um
http://rachelbythebay.com/w/2018/03/20/sshclock/
======
dozzie
There are also other options that can break SSH access just as easily
(AllowGroup being one prominent example). The whole thing is _too brittle_ to
be used exclusively as user-facing service ("build server" where users log
into and run build jobs), file server (scp/sftp), server debugging channel,
and configuration distribution method.

For servers administration at least one more channel is a must, and CFEngine
(and as a derivative, Puppet) got that right, while Ansible did the dumbest
thing, because "agentless!" (though you still have an agent on the OS' side,
it's just overloaded with other functions).

