Victor LEFEBVRE edited this page 2025-09-15 15:29:02 +02:00

Fedora CoreOS / Flatcar Linux

Fedora CoreOS is a minimal, automatically updating OS designed to be scalable and secure. Flatcar Container Linux is a similar distribution that uses the same Butane configuration format.

To make the server pass the ssh-audit tests, include this Butane (Ignition) snippet in your config:

```yaml
storage:
  files:
    - path: /etc/ssh/sshd_config.d/35-ssh-audit.conf
      mode: 0400
      contents:
        inline: |
          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com
          HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
          CASignatureAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          HostbasedAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          RekeyLimit 512M 1h
          GSSAPIAuthentication no
          GSSAPIKeyExchange no
          RequiredRSASize 3072
          KbdInteractiveAuthentication no
          Compression no
```

The above should get you a score of 100 on the current ssh-audit tests.

⚠️ The file is deliberately named 35-ssh-audit.conf so that it sorts, and is therefore loaded, before /etc/ssh/sshd_config.d/40-redhat-crypto-policies.conf. That distro-generated file sets options that fail certain tests, and because sshd keeps the first value it sees for a keyword, a file loaded later cannot override them.
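To see why the numeric prefix matters, here is an added example (not part of this page or of ssh-audit) that models how sshd reads drop-ins in lexical order and keeps the first value of each keyword; the file contents are constructed, and the crypto-policies file is only a labelled placeholder, not the real distro file.

```python
import re

# Keywords sshd accumulates across lines instead of keeping only the first
# value (subset sufficient for this snippet); everything else is first-wins.
ACCUMULATING = {"hostkey", "listenaddress", "port", "acceptenv", "setenv"}


def effective_options(dropins):
    """dropins: {filename: contents} as found in /etc/ssh/sshd_config.d/.
    Files are read in lexical order (sshd Include semantics). Returns
    {keyword: [(value, source_file), ...]}; a non-accumulating keyword keeps
    only the first entry seen. Simplified model: stops at a Match line."""
    effective = {}
    for fname in sorted(dropins):
        for raw in dropins[fname].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                break
            if key in ACCUMULATING or key not in effective:
                effective.setdefault(key, []).append((value, fname))
    return effective


def winner(dropins, keyword):
    """(value, file) sshd actually uses for a first-value-wins keyword."""
    return effective_options(dropins)[keyword.lower()][0]


# Constructed inputs: SSH_AUDIT_CONF repeats part of the snippet above;
# POLICY_CONF is a placeholder standing in for the distro-generated
# 40-redhat-crypto-policies.conf, whose real contents are not reproduced.
SSH_AUDIT_CONF = """\
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
RequiredRSASize 3072
"""
POLICY_CONF = "Ciphers DISTRO_DEFAULT_CIPHER_LIST_PLACEHOLDER\n"

if __name__ == "__main__":
    for prefix in ("35-", "45-"):  # 35- sorts before 40-, 45- sorts after
        dropins = {prefix + "ssh-audit.conf": SSH_AUDIT_CONF,
                   "40-redhat-crypto-policies.conf": POLICY_CONF}
        value, src = winner(dropins, "Ciphers")
        print(f"{prefix}ssh-audit.conf -> Ciphers taken from {src}: {value}")
```

On a live host the same check is `sshd -T | grep -i '^ciphers'`, which prints the values sshd actually resolved after merging all drop-ins.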


Note: The above file was tested on Fedora CoreOS but not on Flatcar; it is assumed that Flatcar will work with the same solution.

Note 2: This was found through trial and error. If you find a better solution, feel free to inform users (https://github.com/jtesta/ssh-audit/issues/337) and edit this page!