Configuring Authentication

Using an SSH key

To configure an SSH key for a local user, you can use a Fedora CoreOS Config:

variant: fcos
version: 1.1.0
    - name: core
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...

SSH key locations

sshd uses a helper program to read public keys from files in a user’s ~/.ssh/authorized_keys.d directory. Key files are read in alphabetical order, ignoring dotfiles. The standard ~/.ssh/authorized_keys file is read afterward, in the usual way. To debug the reading of ~/.ssh/authorized_keys.d, manually run the helper program and inspect its output:


Ignition writes configured SSH keys to ~/.ssh/authorized_keys.d/ignition. On platforms where SSH keys can be configured at the platform level, such as AWS, Afterburn writes those keys to ~/.ssh/authorized_keys.d/afterburn.

Using password authentication

Fedora CoreOS ships with no default passwords. You can use a Fedora CoreOS Config to set a password for a local user:

variant: fcos
version: 1.1.0
    - name: core
      password_hash: "$y$j9T$A0Y3wwVOKP69S.1K/zYGN.$S596l11UGH3XjN..."

To generate a secure password hash, use the mkpasswd command:

$ mkpasswd --method=yescrypt

The yescrypt hashing method is recommended for new passwords. For more details on hashing methods, see man 5 crypt.

The configured password will be accepted for local authentication at the console. By default, Fedora CoreOS does not allow password authentication via SSH.

Enabling SSH password authentication

To enable password authentication via SSH, use the following Fedora CoreOS Config:

variant: fcos
version: 1.1.0
    - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
      mode: 0644
        inline: |
          # Fedora CoreOS disables SSH password login by default.
          # Enable it.
          # This file must sort before 40-disable-passwords.conf.
          PasswordAuthentication yes