diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf
new file mode 100644
index 0000000000..1a88c1614c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf
@@ -0,0 +1 @@
+# Use defaults for ssh client system-wide configuration.
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf
new file mode 100644
index 0000000000..2bf63df028
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf
@@ -0,0 +1,26 @@
+# Use most defaults for sshd configuration.
+Subsystem sftp internal-sftp
+ClientAliveInterval 180
+
+# These are either defaults or already set up by config generated by
+# the Gentoo ebuild. But we need to keep them, as the older
+# installations may still use the old symlink from
+# /etc/ssh/sshd_config to /usr/share/ssh/sshd_config.
+#
+# BEGIN SETTINGS KEPT FOR COMPATIBILITY
+UseDNS no
+UsePAM yes
+# handled by PAM
+PrintLastLog no
+# handled by PAM
+PrintMotd no
+# END SETTINGS KEPT FOR COMPATIBILITY
+
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+# Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
+# until most ssh clients could deprecate ssh-rsa.
+HostkeyAlgorithms +ssh-rsa
+PubkeyAcceptedAlgorithms +ssh-rsa
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
new file mode 100644
index 0000000000..da57a42f47
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
@@ -0,0 +1,2 @@
+[Socket]
+TriggerLimitBurst=0
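Review bot: `HostkeyAlgorithms +ssh-rsa` and `PubkeyAcceptedAlgorithms +ssh-rsa` at the end of the hunk re-enable the SHA-1 RSA signature scheme that OpenSSH 8.8 turned off by default, and the comment above them calls this temporary without saying when it ends or where the removal is tracked. RSA keys keep working with current clients through rsa-sha2-256 and rsa-sha2-512, which stay enabled by default, so only clients that still sign with SHA-1 need this exception, and stating that condition makes it auditable. I would replace the two comment lines with `# TODO(<tracking-issue>): drop once the supported client baseline uses rsa-sha2-*. This re-enables` / `# SHA-1 RSA signatures (disabled by default since OpenSSH 8.8) for host keys and user keys.`. Note also that on hosts still using the old /etc/ssh/sshd_config symlink described in the compatibility comment, this snippet is the whole server configuration, so the widened algorithm lists apply there as well.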
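Review bot: `TriggerLimitBurst=0` turns off the socket's activation rate limit entirely, and the drop-in carries no comment explaining why the default limit was being hit or what bounds connection fan-out instead. If Gentoo's sshd.socket is an Accept=yes socket (I am assuming so; confirm), each accepted connection becomes its own service instance, sshd's own MaxStartups does not throttle across instances, and the only remaining caps are the socket unit's MaxConnections= and MaxConnectionsPerSource=. A one-line comment above the setting would record this, e.g. `# Disable activation rate limiting so a connection burst cannot put sshd.socket into a failed state; fan-out stays bounded by MaxConnections= on the socket unit.`, and if that bound is not set in the upstream unit it belongs in this drop-in too.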
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild similarity index 75% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild index b92882df67..77d5330688 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r2.ebuild @@ -4,7 +4,7 @@ EAPI=8 TMPFILES_OPTIONAL=1 -inherit tmpfiles +inherit systemd tmpfiles DESCRIPTION='Flatcar miscellaneous files' HOMEPAGE='https://www.flatcar.org/' @@ -12,13 +12,24 @@ HOMEPAGE='https://www.flatcar.org/' LICENSE='Apache-2.0' SLOT='0' KEYWORDS='amd64 arm64' +IUSE="openssh" # No source directory. S="${WORKDIR}" +# Versions listed below are version of packages that shedded the +# modifications in their ebuilds. +# +# net-misc/openssh must be installed on host for enabling its unit to +# work during installation. +DEPEND=" + openssh? ( >=net-misc/openssh-9.4_p1 ) +" + # Versions listed below are version of packages that shedded the # modifications in their ebuilds. RDEPEND=" + ${DEPEND} >=app-shells/bash-5.2_p15-r2 " @@ -56,7 +67,7 @@ src_install() { # /etc will be moved in its place. # # These links exist because old installations can still have - # references to `/usr/share/(bash|skel)`. + # references to them. local -A compat_symlinks compat_symlinks=( ['/usr/share/bash/bash_logout']='/usr/share/flatcar/etc/bash/bash_logout' 
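Review bot: In the `@@ -12,13 +12,24 @@` hunk the comment introducing DEPEND repeats the two "Versions listed below … shedded the modifications" sentences that still precede RDEPEND a few lines down, so the same explanation now appears twice; keep it once above DEPEND and let the RDEPEND comment say only that it inherits DEPEND. The added rationale that net-misc/openssh "must be installed on host for enabling its unit" also looks doubtful: `systemd_enable_service sockets.target sshd.socket` in src_install only creates a .wants symlink under ${D} and does not read the host's unit, as far as I can tell from the eclass, so either the comment should name what actually needs the host package or the DEPEND may be unnecessary. The comment's "shedded" should read "shed".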
@@ -68,6 +79,12 @@ src_install() { ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs' ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf' ) + if use openssh; then + compat_symlinks+=( + ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf' + ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' + ) + fi local link target for link in "${!compat_symlinks[@]}"; do @@ -106,4 +123,23 @@ src_install() { dosym "${target}" "${link}" fowners --no-dereference 500:500 "${link}" done + + if use openssh; then + # Install our configuration snippets. + insinto /etc/ssh/ssh_config.d + doins "${FILESDIR}/50-flatcar-ssh.conf" + insinto /etc/ssh/sshd_config.d + doins "${FILESDIR}/50-flatcar-sshd.conf" + + # Install our socket drop-in file that disables the rate + # limiting on the sshd socket. + local override_dir + override_dir="$(systemd_get_systemunitdir)/sshd.socket.d" + dodir "${override_dir}" + insinto "${override_dir}" + doins "${FILESDIR}/no-trigger-limit-burst.conf" + + # Enable some sockets that aren't enabled by their own ebuilds. + systemd_enable_service sockets.target sshd.socket + fi }
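Review bot: The new compat symlink `['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'` makes the snippet the entire effective server configuration on installations whose /etc/ssh/sshd_config still points at /usr/share/ssh/sshd_config, which is the situation the snippet's own compatibility comment describes. The snippet contains no Include line, so on those hosts any operator drop-ins under /etc/ssh/sshd_config.d are silently ignored, and nothing in the ebuild says so. A comment above the `if use openssh; then` block stating that the legacy symlink path bypasses sshd_config.d would save the next maintainer from assuming both paths are equivalent. The enclosing src_install function starts before this hunk.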
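Review bot: The drop-in installation in the second `if use openssh` block hand-builds the override directory with `override_dir="$(systemd_get_systemunitdir)/sshd.socket.d"`, `dodir`, `insinto` and `doins`, where the systemd eclass already provides `systemd_install_dropin sshd.socket "${FILESDIR}/no-trigger-limit-burst.conf"` for exactly this; the one-liner replaces those five lines and the `local override_dir` declaration, at the cost of the helper's fixed drop-in name 00gentoo.conf, so keep the hand-rolled version only if the descriptive file name matters. Either way the `dodir "${override_dir}"` line is redundant, since `doins` creates its destination directory. Since `systemd_enable_service sockets.target sshd.socket` turns the socket on in every image built with USE=openssh, I would extend the preceding comment to `# Install our socket drop-in file that disables the rate limiting on the sshd socket; sshd.socket is enabled below, so this applies to every image with USE=openssh.`. src_install's body begins before this hunk.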