diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/README.md b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/README.md
new file mode 100644
index 0000000000..6fe9faf9b7
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/README.md
@@ -0,0 +1,7 @@
+FCOS enables `afterburn-sshkeys@core.service` from `base.ign`, allowing the user
+to prevent Ignition from enabling the service with a user config if the user
+wants to change the username. Unlike FCOS, RHCOS doesn't fetch SSH keys and thus
+doesn't need `afterburn-sshkeys@core.service`. Therefore, RHCOS maintains its
+own copy of `base.ign`, and changes to one copy need to be synced to the other
+copy.
+See https://github.com/coreos/fedora-coreos-config/pull/626
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/base.ign b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/base.ign
index 3ddac11f3a..11f49ec80f 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/base.ign
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-conf/base.ign
@@ -15,5 +15,13 @@
         ]
       }
     ]
+  },
+  "systemd": {
+    "units": [
+      {
+        "enabled": true,
+        "name": "afterburn-sshkeys@core.service"
+      }
+    ]
   }
 }
diff --git a/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset b/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset
index 3ef10e9cd3..06f160f563 100644
--- a/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset
+++ b/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset
@@ -16,8 +16,6 @@ enable afterburn-checkin.service
 enable afterburn-firstboot-checkin.service
 # Target to write SSH key snippets from cloud providers.
 enable afterburn-sshkeys.target
-# Service to write SSH key snippets from cloud providers.
-enable afterburn-sshkeys@.service
 # Update agent
 enable zincati.service
 # Testing aid