From 36ed1c5ce894e6d3846efbbf388cfe3aeeb0b83f Mon Sep 17 00:00:00 2001 From: Victor LEFEBVRE Date: Mon, 15 Sep 2025 15:29:02 +0200 Subject: [PATCH] https://github.com/jtesta/ssh-audit/issues/337 --- Fedora-CoreOS-Flatcar-Linux.md | 37 ++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 Fedora-CoreOS-Flatcar-Linux.md diff --git a/Fedora-CoreOS-Flatcar-Linux.md b/Fedora-CoreOS-Flatcar-Linux.md new file mode 100644 index 0000000..d7cb4ba --- /dev/null +++ b/Fedora-CoreOS-Flatcar-Linux.md 
@@ -0,0 +1,37 @@ +# Fedora CoreOS / Flatcar Linux + +[Fedora CoreOS](https://fedoraproject.org/coreos) is a minimal OS with automatic updates. Scalable and secure. +[Flatcar Container Linux](https://www.flatcar.org) is a similar distro, using the same config file type for its configuration. + +To make the server pass the ssh-audit tests, include this butane ignition snippet in you config: +```yml +storage: + files: + - path: /etc/ssh/sshd_config.d/35-ssh-audit.conf + mode: 0400 + contents: + inline: | + HostKey /etc/ssh/ssh_host_ed25519_key + HostKey /etc/ssh/ssh_host_rsa_key + KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com + HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com + CASignatureAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + HostbasedAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + RekeyLimit 512M 1h + GSSAPIAuthentication no + GSSAPIKeyExchange no + RequiredRSASize 3072 + KbdInteractiveAuthentication no + Compression no +``` +The above should get you a 100 score on current ssh-audit tests. + +_:warning:_ The file is named `35-ssh-audit.conf` so it's loaded before `/etc/ssh/sshd_config.d/40-redhat-crypto-policies.conf` which lists options that fail certain tests and cannot be overwritten later. + +--- + +_Note:_ The above file was tests with FedoraCoreOS but not FlatCar, it is assumed FlatCar will use the same solution. +_Note 2:_ This was found through trial and error, if you find a better solution feel free to inform users (https://github.com/jtesta/ssh-audit/issues/337) and edit this page ! \ No newline at end of file
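Review bot: The `KexAlgorithms` line pins `mlkem768x25519-sha256`, which sshd only recognizes from OpenSSH 9.9 onward, and sshd refuses to start on an unknown algorithm name; because this file is dropped in by Ignition at first boot, an image with an older OpenSSH would come up with no working SSH at all. Since the trailing note admits the snippet was only tried on Fedora CoreOS, the page should state the minimum OpenSSH version it was tested against and suggest validating the merged configuration (e.g. `sshd -t` or `sshd -T`) before relying on it, and should ask Flatcar users to confirm that their `sshd_config` actually includes `/etc/ssh/sshd_config.d/*.conf` and that the `35-` ordering argument (written around `40-redhat-crypto-policies.conf`, a Fedora file) applies there. The first-value-wins semantics behind that ordering are worth spelling out in the warning, since readers unfamiliar with sshd will otherwise read "cannot be overwritten later" as a bug rather than expected behaviour. Minor wording: "in you config" should read "in your config", "was tests with FedoraCoreOS but not FlatCar" should read "was tested with Fedora CoreOS but not Flatcar", and the fence tag is conventionally `yaml`.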