sshd configuration is outdated #1921
Open
Users with very recent OpenSSH clients (e.g. Gentoo) will now see this rather unsettling message:
$ ssh flatcar
Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Last login: Wed Oct 15 10:05:46 UTC 2025 from 10.0.2.2 on pts/0
Flatcar Container Linux by Kinvolk beta 4426.1.0 for QEMU
See https://openssh.com/pq.html.
I think we should nip this in the bud before more users start panicking. Our current configuration sets absolute lists. I'm assuming we don't just use the defaults to continue supporting weaker clients. In that case, we should append to the defaults with + instead.
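The difference between an absolute list and a `+` modification, as an added example that is not part of the original issue or Flatcar's code: this Python check classifies the first `KexAlgorithms` directive in an sshd_config and reports whether post-quantum key exchange can still be negotiated. The sample configs are constructed, `Include` files are not followed, and it assumes the server's compiled-in defaults already contain the post-quantum algorithms (OpenSSH 9.0 or later).

```python
import fnmatch

# Post-quantum hybrid key exchange names shipped by OpenSSH.
PQ_KEX = {
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
}
MODES = {"+": "append", "-": "remove", "^": "prepend"}

# Constructed sample configs (not Flatcar's actual sshd_config).
ABSOLUTE = "KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256\n"
APPENDED = "KexAlgorithms +diffie-hellman-group14-sha256\n"


def audit_kex(config_text):
    """Classify the first KexAlgorithms directive (sshd uses the first value)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "kexalgorithms":
            continue
        value = parts[1].strip().strip('"')
        mode = MODES.get(value[:1], "absolute")
        names = [n for n in value.lstrip("+-^").split(",") if n]
        if mode == "absolute":
            # An absolute list replaces the defaults: PQ must be named explicitly.
            pq = any(n in PQ_KEX for n in names)
        elif mode == "remove":
            # Patterns are removed from the defaults; PQ survives unless all match.
            pq = any(
                not any(fnmatch.fnmatchcase(k, p) for p in names) for k in PQ_KEX
            )
        else:
            # '+' and '^' keep the compiled-in defaults (assumed to include PQ KEX).
            pq = True
        return {"mode": mode, "algorithms": names, "pq_kex_possible": pq}
    # No directive at all: the compiled-in defaults apply unchanged.
    return {"mode": "default", "algorithms": [], "pq_kex_possible": True}


if __name__ == "__main__":
    for label, cfg in (("absolute", ABSOLUTE), ("appended", APPENDED)):
        print(label, audit_kex(cfg))
```

On a live host, `sshd -T` prints the effective `kexalgorithms` value after defaults and modifiers are resolved, which is the authoritative check.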