Merge pull request #3614 from flatcar/chewi/sshd_config

coreos-base/misc-files: Drop Ciphers, MACs, KexAlgorithms from sshd conf

Author: chewi

changelog/changes/2026-01-02-sshd-config.md

@@ -0,0 +1 @@
+- Dropped Ciphers, MACs, and KexAlgorithms from the sshd configuration so that the OpenSSH upstream defaults are used. This introduces post-quantum key exchange algorithms for better security. ([Flatcar#1921](https://github.com/flatcar/Flatcar/issues/1921)). Users requiring legacy Ciphers, MACs, and/or KexAlgos can override / re-enable this by deploying a custom drop-in config  to `/etc/ssh/sshd_config.d/`.

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf

@@ -16,10 +16,6 @@ PrintLastLog no
 PrintMotd no
 # END SETTINGS KEPT FOR COMPATIBILITY
 
-Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
-MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-
 # Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
 # until most ssh clients could deprecate ssh-rsa.
 HostkeyAlgorithms +ssh-rsa