Linux @lemmy.ml Ademir @lemmy.eco.br 11 mo. ago

OpenSSH is about to change. (For the better.)

OpenSSH's ssh-keygen command just got a great upgrade.

New video from @vkc@mspsocial.net

Edit:

She has a peertube channel: !veronicaexplains@tinkerbetter.tube and it federatess as a Lemmy Community

The Peertube video in Lemmy.ml: https://lemmy.ml/post/8842820

Link to the video in your instance.

39 comments

tl;dw - ed25519 keys are now the default
- Thanks for reducing the click bait.
- From the thumbnail I was wondering if it was this. Thanks for saving me the watch.
- Finally damnit
- Nice!
- Oh nice! That's the key type I use anyway, so nice to know I don't have to pass as many options in now
Woah peertube federating with lemmy is actually really cool!
- right!? the fediverse is so cool!
i don't think I've created an RSA key since 2017
- A surprising amount of services (including Azure last I tried) can only handle RSA keys, so after trying ecdsa only for a while I ended up adding a RSA key again.
  
  With that said - it's 2023, in almost all cases you should have your keys in a hardware module nowadays, in which case you'd use a different command for keygeneration.
  
  Actually it is the same story with TLS 1.3 and TLS 1.2. A bunch of sites still doesn't support TLS 1.3 (e. g. arstechnica.com, startpage.com) and some of them only support TLS 1.2 with RSA (e. g. startpage.com).
  
  You can try this yourself in Firefox by disabling ciphers (search for security.ssl3 in about:config) or by setting the minimum TLS version to 1.3 (security.tls.version.min = 4 in about:config).
  
  ed25519 ≠ ecdsa
  
  Do you have a link for storing keys in hardware? I have no idea how you'd do that.
- I delete them from the ssh config folder after installation, along with the DSA and ECDSA keys. No ed25519? No auth.
  
  Also prevents a handful of bots from attempting SSH login into your cloud infra, a lot of them don't support ed25519 kex
- I had to create one this year after discovering that connectbot (ssh client on Android) didn't support agent forwarding otherwise.
  
  Probably a good idea to look for a different client, call me tinfoil but I wouldn't want to touch a very old mechanism that is supported/pushed by a very recognisable 3 letter agency
  
  considered harmful
YouTube thumbnails are cancer
- https://addons.mozilla.org/en-GB/firefox/addon/clickbait-remover-for-youtube/
  
  DeArrow by the same developer as SponsorBlock seems to be actively developed and community contributions are fast.
- YouTube titles, too :(
Permanently Deleted
- Yeah, look at the curves on that guy.
- It says that
  
  Starting in 2014, OpenSSH defaults to Curve25519-based ECDH.
  
  So what changed recently? (I didn't watch the video, in fairness).
  
  ssh-keygen now defaults to ed25519 so you don't have to do ssh-keygen -t ed25519 anymore. The default since 2014 is for key exchange when connecting.
TL;DR: It'll use a new, more secure key type.
Nice no ChatGPT anymore to remember how that damn Algorithm is spelled.

Why not just call it RSB ? People, really!
Here is an alternative Piped link(s):

https://piped.video/tdfBbpJPTGc

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.
Isn't elliptic curves cryptography sensitive to quantum computers attack? Shor's algorithm etc
- Yes, it is. ed25519 depends upon discrete log for its security, which Shor's algorithm can (theoretically, of course, not like it's ever been done) efficiently solve.
  
  The post-quantum algorithms are in active research right now. I don't blame anyone for avoiding those at least until we've quantum computers big enough to solve baby toy elliptic curves.
- Yes, though OpenSSH has already switched to a quantum resistant algorithm for key exchange (Streamlined NTRU Prime, combined with x25519 in case SNTRUPrime turns out to be weak), and that's the stuff that needs to be switched as soon as possible to preserve forward secrecy. Authentication keys are less urgent.

You've viewed 39 comments.