
sshd configuration is outdated

Open chewi opened this issue 2 months ago • 0 comments

Users with very recent OpenSSH clients (e.g. Gentoo) will now see this rather unsettling message:

```
$ ssh flatcar
Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Last login: Wed Oct 15 10:05:46 UTC 2025 from 10.0.2.2 on pts/0
Flatcar Container Linux by Kinvolk beta 4426.1.0 for QEMU
```

See https://openssh.com/pq.html.

I think we should nip this in the bud before more users start panicking. Our current configuration sets absolute lists. I'm assuming we don't just use the defaults to continue supporting weaker clients. In that case, we should append to the defaults with + instead.

chewi, Oct 15 '25 10:10
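
An added example, not part of the original issue or of the Flatcar project: a shell function that classifies how an sshd_config text sets `KexAlgorithms`, distinguishing an absolute list from the `+` form the issue proposes. The function name `audit_kex`, its verdict strings, and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the KexAlgorithms setting in sshd_config text read from stdin.
# Prints one of: default | modifier | absolute-pq | absolute-no-pq

# Post-quantum hybrid key exchange names shipped by OpenSSH.
PQ_KEX='mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com'

audit_kex() {
    awk -v pq="$PQ_KEX" '
        BEGIN {
            n = split(pq, names, " ")
            for (i = 1; i <= n; i++) is_pq[names[i]] = 1
            verdict = "default"      # no directive: the defaults of the sshd build apply
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            # Keywords are case-insensitive; commented-out lines never match.
            if (tolower(line) !~ /^kexalgorithms[ \t=]/) next
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)   # drop the keyword, keep the value
            if (line ~ /^[-+^]/) {
                verdict = "modifier"                   # +, - or ^ edits the default list
            } else {
                verdict = "absolute-no-pq"             # absolute list replaces the defaults
                m = split(line, algs, ",")
                for (i = 1; i <= m; i++) if (algs[i] in is_pq) verdict = "absolute-pq"
            }
            exit                     # sshd keeps the first value it reads for a keyword
        }
        END { print verdict }
    '
}

# Constructed sample configs (not the Flatcar configuration).
ABSOLUTE_CFG='# constructed sample
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256'
APPEND_CFG='KexAlgorithms +diffie-hellman-group14-sha1'

printf '%s\n' "$ABSOLUTE_CFG" | audit_kex
printf '%s\n' "$APPEND_CFG" | audit_kex
```

On a running host, `sshd -T | audit_kex` classifies the effective, fully expanded list; a `modifier` verdict on a config file should be confirmed that way, since `-` can also remove algorithms from the defaults.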