OpenSSH is about to change. (For the better.)

Veronica Explains

8 months ago

140,319 views

Comments:

@JB-fh1bb - 17.12.2023 20:49

You know what else is an ancient system in 2023? Azure DevOps.

@666Tomato666 - 17.12.2023 15:26

Using a unique user key per server is rather... unconventional. The whole idea behind the use of public key cryptography is so that you can disseminate the public keys all over the place and not worry about it. As an admin, you may want to regularly check what keys are in authorized_keys of root or similar, but that's different. What you shouldn't do is to have the same private key on multiple systems (as when one of those gets compromised, or possibly gets compromised, all keys should be considered to be compromised).

@miroslawmoczyrog - 17.12.2023 06:30

Why would anyone care about the speed or size of the generated keys?
The only thing that matters is the security

@decmade - 16.12.2023 16:11

Thank you for educating the people. For those on Arch Linux replacing their RSA keys with ED25519 keys, you may need the "ssh-add -D" command to fully remove prior keys from the cached keys before running ssh-copy-id again.

@RokeJulianLockhart.s13ouq - 15.12.2023 21:37

...I don't even use SSH keys. I just auth using standard creds.

@SpacePoodle - 13.12.2023 23:02

miss you on peertube 😔

@nschmalenberger - 12.12.2023 02:20

I ❤ the xeyes 🥰

@RobMitchell2009 - 09.12.2023 20:56

Windowmaker. nice!!!

@gabrielb.8518 - 09.12.2023 20:43

I have LMDE6 on an old Dell M4700. Till now, for me the minus is the way to configure an Access Point. I'm wondering if you also found some stuff that needs some refactoring/improvement.

@insu_na - 09.12.2023 10:16

Been using 25519 for years now and been (unsuccessfully) trying to convince my colleagues to switch, too. They're so much easier to deal with

@mike94560 - 09.12.2023 00:59

With Quantum computers coming fast those RSA keys can be cracked fast. I thought I heard that NIST was going to come out with some new standard for keys soon. Their last one was like 2015.

@danjoseph5707 - 08.12.2023 19:57

Great video! Thanks :)

@peterbrown6224 - 08.12.2023 14:56

Thank you for saving me from having to find this out.
Pausing my recovery for a moment, I can imagine this breaking things at my old workplace, perhaps on OpenVMS stuff.
But as they are not paying me, I'm going to watch a cat video.

@xGshikamaru - 08.12.2023 10:12

I'm probably getting old, but I won't succumb to a new thing unless it's proven that the old RSA mechanism is compromised. Who cares if the key is a few hundred characters shorter when we actually have storage devices which can hold so much more? It never was an issue even on the 8Gb SD card my Raspberry Pi has been running off for the last 12 years 😊 However, 0-day exploits are a thing; I still remember an OpenSSL flaw in Debian where the random number generator only limited the numbers it could generate, making you an easier target for an attack. So yeah, don't fix it if it's not broken.

@cykes5124 - 08.12.2023 09:53

ed25519 is not quantum proof. Any keys used currently that are not post-quantum will have current data logged and broken when we develop enough logical qubits. It's not a matter of if, it's a matter of when. It's within our lifetimes.

@user-op5vc9qw6o - 08.12.2023 08:40

I love your dot matrix printer. I want to snag an Epson FX-80 and just listen to a few man pages print out on greenish line feed paper. ASMR for this mid-forties moron…

@GA-jm6sh - 08.12.2023 01:11

This is so good. Finally, someone is addressing topics like these.

@silvenshadow - 08.12.2023 00:04

I understand why these algos were deprecated, but it's annoying AF to have to look up how to whitelist those old servers/embedded systems

@daninstereo - 07.12.2023 23:49

I used to swear by RSA but it's probably time I rotate old keys out anyways. I have some old switches I'm sure will need RSA but I can always keep separate keys for those.

@ditchcomfort - 07.12.2023 23:14

I don’t care, I have 1Password handling all my SSH keys etc. and also for login/signing etc. Nothing more to think about on macOS 👌🏻

@gabriellando1 - 07.12.2023 20:13

I think for the last 3 or 4 years, all my SSH keys are already ed25519 :)

@hyoryo - 07.12.2023 17:56

That is why I love MikroTik network equipment. Even after over twenty years their switches and APs still get firmware updates to support the newest tech.

@jortmungandr1112 - 07.12.2023 15:37

so great to see you back! Set looks like it's coming along well, and I hope things are turning for the better across the board for you!!

@UpLateGeek - 07.12.2023 14:51

I can't recall ever seeing the ED25519 option whenever I've generated SSH keys on Cisco gear, so I'm guessing it either doesn't support it, or possibly calls it something else. The latter wouldn't surprise me, since Cisco seem to like having their own way of doing things.

Also, Macintosh Librarian is a great channel! Maccy is so much fun!

@GottZ - 07.12.2023 11:52

that feel when using ed25519 for more than 10 years by now and just seeing it finally becoming a default

@b00gi3 - 07.12.2023 11:11

Veronica, you are very fucking cool.

@thomaschung1781 - 07.12.2023 07:18

I needed to keep RSA keys around because AWS EC2 didn't support ed25519 keys. I just checked again, and it turns out they added support for it 2 years ago. I can now use ed25519 keys for all my use cases

@testuser2709 - 07.12.2023 07:08

Can someone get the smartcard manufacturers to support ed25519 too? They only seem to support curve 251 :(

@chlordk - 07.12.2023 02:49

I have been using ed25519 since Edward Snowden said we should. He didn't say why but he is probably right.

A fun thing with ed25519 is that it has quite a long header. The first 24 characters are always the same.

$ echo -n AAAAC3NzaC1lZDI1NTE5AAAA | base64 -d | od -c -w40 | tr -d ' ' | cut -c8-
\0\0\0\vssh-ed25519\0\0\0

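The constant prefix pointed out in the comment above falls out of how an SSH public key blob is laid out: a sequence of length-prefixed strings (4-byte big-endian length, then the bytes), the first being the algorithm name. The following is an added example, not part of the comment or of OpenSSH; the function names are this example's own and the sample key is 32 constructed placeholder bytes, not a real key. It parses a public key line and applies the consistency checks one would want before accepting an entry into authorized_keys.

```python
import base64
import struct

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return buf[off:off + n], off + n

def parse_pubkey_line(line):
    """Parse '<type> <base64> [comment]' and return (type, [raw fields])."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    fields, off = [], 0
    while off < len(blob):
        field, off = read_string(blob, off)
        fields.append(field)
    # The type is stated twice: in clear text and inside the blob. They must agree.
    if not fields or fields[0].decode("ascii", "replace") != key_type:
        raise ValueError("type inside blob does not match the text prefix")
    if key_type == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        raise ValueError("ssh-ed25519 blob must hold exactly one 32-byte key")
    return key_type, fields

def make_line(key_type, *fields):
    """Build a public key line from raw fields (used for the constructed sample)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    for f in fields:
        blob += struct.pack(">I", len(f)) + f
    return key_type + " " + base64.b64encode(blob).decode() + " constructed@example"

# Constructed sample: 32 placeholder bytes, not a real key.
SAMPLE = make_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    kind, fields = parse_pubkey_line(SAMPLE)
    print(kind, [len(f) for f in fields])
    print(SAMPLE.split()[1][:24])  # the fixed header from the comment
```
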
@ivanov83 - 07.12.2023 02:37

That’s awesome news. I have been using ed25519 keys for many years.

Ed25519 is a much faster algorithm, lightweight, and AFAIK has higher trust among cryptologists around the world

@broimnotyourbro - 07.12.2023 02:31

1. Couldn't agree more about the Macintosh Librarian - one of my favorites

2. Thank you, this is exactly the kind of fun yet informative content that is so hard to find. Hitting the patron.

@Lim95 - 07.12.2023 02:09

I just realized. You’re like a Linux variant of Technology Connections

@shodanxx - 07.12.2023 00:59

Private SSH keys should never be readable by your user nor stored on your filesystem where your kernel could copy them.

Instead they should be stored on a smartcard keycard where they can never be read out again.

@matthewbartlett3198 - 06.12.2023 23:07

Oh I love Mac Librarian! Her vids are so good.

@ezequielpartida5846 - 06.12.2023 22:11

I love your videos! Great tips and very positive energy, you ALWAYS make my day 😁, by the way, the C=64 and Amiga Boing reminded me of all the fun. Thanks and Greetings from Northwest Mexico.

@bwcbiz - 06.12.2023 17:16

Remember that SSH is the underpinning for SFTP, which is used by a few other user classes besides system admins and devops.

@estudiordl - 06.12.2023 02:02

Just yesterday I generated a new keypair for a fresh Arch install and when I pasted the public key on my NAS server, I noticed this weird new key that looked nothing like my old ones. Thanks for the info 😅😊

@DaveSomething - 05.12.2023 17:41

I found a RHEL CD from 1998 in my box of archived stuff... nope, don't wanna go back to that.

@bobbyfried7478 - 05.12.2023 17:22

I want to set up a home network and SSH into my wife's laptop, so I really have to break down and learn SSH. Thanks for your excellent videos. You always give details. I like that.

@laserspaceninja - 05.12.2023 15:29

Finally! I am so tired of typing '-t ed25519' for new installs.

@TheMostOrdinaryPersonOnEarth - 05.12.2023 13:02

I do sysadmin in a "legacy" setting (so many stupid windows servers), we are just looking at transferring to ssh keypairs... Although somehow we run docker containers like they're going out of fashion. Gonna go watch the OpenSSH video now, cheers!

@CakestheCheese - 05.12.2023 10:33

Been waiting for ages for SSH to switch the default to ed25519, been generating them as ed25519 for the past few years

@mundotazo - 05.12.2023 08:36

teach me cobalt

@LarryGarfieldCrell - 05.12.2023 06:06

I love the random Commodore 64 drops. I remember using that machine. Good times. :-)

@jeremiahrex - 05.12.2023 05:10

Bitbucket forced an update to ed25519. It was painless to do the update. It's good to learn more about these crypto mechanisms. I'm an embedded software developer, and this stuff is becoming required constantly.

@drelkin86 - 05.12.2023 02:50

Ah! Ubuntu 8.04 was my introduction to Linux
