debian: adapt tests (docker/dpdk), disable install-recommends, fix ssh warning#925
Merged
Conversation
The debian iso contains ovs-dpdk by default now. At the same time, docker is not used anymore (replaced by podman). Signed-off-by: Florent CARLI <florent.carli@rte-france.com>
This is to prevent recommended packages from being pulled in automatically, reducing unnecessary package bloat on managed hosts. Signed-off-by: Florent CARLI <florent.carli@rte-france.com>
insatomcat
changed the title
The ANSSI BP-28 hardening config generated by ssh-audit predates post-quantum key exchange support in OpenSSH. As a result, OpenSSH 10.0 was unable to negotiate mlkem768x25519-sha256 and fell back to classical algorithms, triggering a "store now, decrypt later" warning on every connection despite both client and server supporting PQ. Prepend mlkem768x25519-sha256 to the KexAlgorithms list in sshd_config.d/ssh-audit_hardening.conf. This hybrid algorithm combines ML-KEM-768 (FIPS 203) with X25519, retaining full classical security while adding quantum resistance. The remainder of the hardened algorithm list is unchanged. Signed-off-by: Florent CARLI <florent.carli@rte-france.com>
insatomcat
changed the title
insatomcat
changed the title
dupremathieu
approved these changes
May 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
debian-tests: remove docker and add dpdk
The debian iso contains ovs-dpdk by default now.
At the same time, docker is not used anymore (replaced by podman).
debian: disable apt install-recommends by default
This is to prevent recommended packages from being pulled in automatically, reducing unnecessary package bloat on managed hosts.
fix(debian/hardning/ssh): add ML-KEM-768 to KexAlgorithms in ssh-audit hardening config
The ANSSI BP-28 hardening config generated by ssh-audit predates
post-quantum key exchange support in OpenSSH. As a result, OpenSSH 10.0
was unable to negotiate mlkem768x25519-sha256 and fell back to classical
algorithms, triggering a "store now, decrypt later" warning on every
connection despite both client and server supporting PQ.
Prepend mlkem768x25519-sha256 to the KexAlgorithms list in
sshd_config.d/ssh-audit_hardening.conf. This hybrid algorithm combines
ML-KEM-768 (FIPS 203) with X25519, retaining full classical security
while adding quantum resistance. The remainder of the hardened algorithm
list is unchanged.