Fedora CoreOS Flatcar Linux
Fedora CoreOS is a minimal OS with automatic updates. Scalable and secure. Flatcar Container Linux is a similar distro, using the same config file type for its configuration.
To make the server pass the ssh-audit tests, include this Butane snippet (Butane transpiles it into the Ignition config the machine boots with) in your config:
    storage:
      files:
        - path: /etc/ssh/sshd_config.d/35-ssh-audit.conf
          mode: 0400
          contents:
            inline: |
              # Note: in this copy of the page several @openssh.com-suffixed algorithm
              # names were rendered as "[email protected]" by the page export; take the
              # exact names from the ssh-audit recommendation output before using this.
              HostKey /etc/ssh/ssh_host_ed25519_key
              HostKey /etc/ssh/ssh_host_rsa_key
              KexAlgorithms mlkem768x25519-sha256,[email protected]
              HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
              Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
              MACs [email protected],[email protected],[email protected]
              CASignatureAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
              HostbasedAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
              PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
              RekeyLimit 512M 1h
              GSSAPIAuthentication no
              GSSAPIKeyExchange no
              RequiredRSASize 3072
              KbdInteractiveAuthentication no
              Compression no
The above should get you a score of 100 on the current ssh-audit tests.

The file is named 35-ssh-audit.conf so that it is loaded before /etc/ssh/sshd_config.d/40-redhat-crypto-policies.conf, which lists options that fail certain tests and cannot be overridden later: sshd keeps the first value it reads for each keyword, and the Include glob in /etc/ssh/sshd_config expands in sorted order, so the drop-in that sorts first wins.
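To make the naming rule concrete, here is an added example in Python (not code from this page, from ssh-audit, or from Fedora) that models sshd's first-value-wins handling of Include drop-ins. It builds a throw-away directory that mimics /etc/ssh, with constructed stand-ins for the two drop-in files (the 40-redhat-crypto-policies.conf contents here are invented, not the real Fedora fragment), and reports which file each effective value came from, first with the hardening file named 35-ssh-audit.conf and then renamed to 45-ssh-audit.conf so that it sorts after the policy file. Match blocks are deliberately not modelled.

```python
"""Model sshd's first-value-wins rule for sshd_config.d drop-ins.

sshd_config(5): for each keyword the first obtained value is used, and an
Include glob expands in sorted order. Fedora CoreOS ships /etc/ssh/sshd_config
with "Include /etc/ssh/sshd_config.d/*.conf", so the lexical sort of the
drop-in file names decides which value sshd keeps. Added illustration; not
code from ssh-audit or Fedora.
"""
import glob
import os
import tempfile

# Keywords sshd treats as cumulative (each occurrence adds an entry); any
# other keyword keeps only the first value it is given.
CUMULATIVE = {"hostkey", "port", "listenaddress", "acceptenv"}


def _directives(path):
    """Yield (keyword, value) pairs from one config file, ignoring comments.
    Keywords are case-insensitive; both "Key value" and "Key=value" are accepted."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if "=" in line.split(None, 1)[0]:
                kw, _, val = line.partition("=")
            else:
                parts = line.split(None, 1)
                kw, val = parts[0], (parts[1] if len(parts) > 1 else "")
            yield kw.strip().lower(), val.strip()


def resolve(conf_path, include_root):
    """Return (effective, origin): the value sshd would use per keyword and the
    file it came from. Relative Include globs are anchored at include_root,
    which is /etc/ssh on a real host. Match blocks are not modelled: the rest
    of a file after a Match line is skipped."""
    effective, origin = {}, {}

    def walk(path):
        for kw, val in _directives(path):
            if kw == "match":
                break
            if kw == "include":
                pattern = val if os.path.isabs(val) else os.path.join(include_root, val)
                for included in sorted(glob.glob(pattern)):  # sshd globs in sorted order
                    walk(included)
            elif kw in CUMULATIVE:
                effective.setdefault(kw, []).append(val)
            elif kw not in effective:  # first obtained value wins
                effective[kw] = val
                origin[kw] = os.path.basename(path)

    walk(conf_path)
    return effective, origin


# Constructed sample fragments (not the real Fedora files). The 40- file stands
# in for the crypto-policies drop-in the page refers to.
AUDIT_FRAGMENT = "KexAlgorithms mlkem768x25519-sha256\nRequiredRSASize 3072\n"
POLICY_FRAGMENT = "KexAlgorithms diffie-hellman-group14-sha1\nCiphers aes128-ctr\n"


def demo(audit_name="35-ssh-audit.conf"):
    """Build a throw-away /etc/ssh lookalike holding the two drop-ins and resolve
    it. Pass e.g. "45-ssh-audit.conf" to watch the hardening file lose."""
    with tempfile.TemporaryDirectory() as root:
        dropins = os.path.join(root, "sshd_config.d")
        os.mkdir(dropins)
        with open(os.path.join(root, "sshd_config"), "w", encoding="utf-8") as fh:
            fh.write("Include sshd_config.d/*.conf\nHostKey /etc/ssh/ssh_host_ed25519_key\n")
        with open(os.path.join(dropins, audit_name), "w", encoding="utf-8") as fh:
            fh.write(AUDIT_FRAGMENT)
        with open(os.path.join(dropins, "40-redhat-crypto-policies.conf"), "w", encoding="utf-8") as fh:
            fh.write(POLICY_FRAGMENT)
        return resolve(os.path.join(root, "sshd_config"), root)


if __name__ == "__main__":
    for name in ("35-ssh-audit.conf", "45-ssh-audit.conf"):
        effective, origin = demo(name)
        print(f"{name}: KexAlgorithms={effective['kexalgorithms']} (from {origin['kexalgorithms']})")
```

On a real host the same check is `sshd -T | grep -i kexalgorithms`, which prints the value sshd actually settled on after reading every drop-in; if it shows the policy file's algorithms rather than yours, the drop-in name sorts too late.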
Note: The above file was tested with Fedora CoreOS but not Flatcar; it is assumed Flatcar will use the same solution.

Note 2: This was found through trial and error. If you find a better solution, feel free to inform users (https://github.com/jtesta/ssh-audit/issues/337) and edit this page!