From 728ec62d894c0d4d2ab3b1abb46ba74b72aed457 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Mon, 29 Dec 2025 17:37:09 +0000 Subject: [PATCH] coreos-base/misc-files: Drop Ciphers, MACs, KexAlgorithms from sshd conf Setting an absolute list was preventing newer options from being enabled, leading to this scary error message from newer clients. $ ssh flatcar Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts. ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html Last login: Wed Oct 15 10:05:46 UTC 2025 from 10.0.2.2 on pts/0 Flatcar Container Linux by Kinvolk beta 4426.1.0 for QEMU After going through each of the options, the only ones we were adding above the current 10.2p1 defaults were the diffie-hellman-group KEX algorithms. These were dropped upstream in 2024 because they are slower while providing no benefit over other options. The continued presence of ecdh-sha2-nistp256 ensures compatibility with default clients at least as far back as 2016. I think we should just continue to follow the upstream defaults unless some significant client breakage is reported. They're usually quite forgiving. The order of these is significant, and our order did differ from upstream's slightly, but I trust their order over ours. Signed-off-by: James Le Cuirot --- changelog/changes/2026-01-02-sshd-config.md | 1 + .../coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf | 4 ---- .../{misc-files-0-r8.ebuild => misc-files-0-r9.ebuild} | 0 3 files changed, 1 insertion(+), 4 deletions(-) create mode 100644 changelog/changes/2026-01-02-sshd-config.md rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/{misc-files-0-r8.ebuild => misc-files-0-r9.ebuild} (100%) diff --git a/changelog/changes/2026-01-02-sshd-config.md b/changelog/changes/2026-01-02-sshd-config.md new file mode 100644 index 0000000000..6a5df29e7c --- /dev/null +++ b/changelog/changes/2026-01-02-sshd-config.md @@ -0,0 +1 @@ +- Dropped Ciphers, MACs, and KexAlgorithms from the sshd configuration so that the OpenSSH upstream defaults are used. This introduces post-quantum key exchange algorithms for better security. ([Flatcar#1921](https://github.com/flatcar/Flatcar/issues/1921)). Users requiring legacy Ciphers, MACs, and/or KexAlgos can override / re-enable this by deploying a custom drop-in config to `/etc/ssh/sshd_config.d/`. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf index 2bf63df028..bdad9639ad 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf @@ -16,10 +16,6 @@ PrintLastLog no PrintMotd no # END SETTINGS KEPT FOR COMPATIBILITY -Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com -MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 - # Temporarily accept ssh-rsa algorithm for openssh >= 8.8, # until most ssh clients could deprecate ssh-rsa. HostkeyAlgorithms +ssh-rsa diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r9.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r8.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r9.ebuild