OpenSSH is about to change. (For the better.)
(www.youtube.com)
from ademir@lemmy.eco.br to linux@lemmy.ml on 04 Dec 2023 00:22
https://lemmy.eco.br/post/2042378
from ademir@lemmy.eco.br to linux@lemmy.ml on 04 Dec 2023 00:22
https://lemmy.eco.br/post/2042378
OpenSSH’s ssh-keygen command just got a great upgrade.
New video from @vkc@mspsocial.net
Edit:
She has a peertube channel: !veronicaexplains@tinkerbetter.tube and it federatess as a Lemmy Community
The Peertube video in Lemmy.ml: lemmy.ml/post/8842820
Link to the video in your instance.
threaded - newest
Here is an alternative Piped link(s):
https://piped.video/tdfBbpJPTGc
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Woah peertube federating with lemmy is actually really cool!
right!? the fediverse is so cool!
DJB? Nice! Always been a fan.
Yeah, look at the curves on that guy.
It says that
So what changed recently? (I didn’t watch the video, in fairness).
ssh-keygennow defaults toed25519so you don’t have to dossh-keygen -t ed25519anymore. The default since 2014 is for key exchange when connecting.Got it, thank you!
tl;dw - ed25519 keys are now the default
Nice!
From the thumbnail I was wondering if it was this. Thanks for saving me the watch.
Thanks for reducing the click bait.
Oh nice! That’s the key type I use anyway, so nice to know I don’t have to pass as many options in now
Finally damnit
i don’t think I’ve created an RSA key since 2017
A surprising amount of services (including Azure last I tried) can only handle RSA keys, so after trying ecdsa only for a while I ended up adding a RSA key again.
With that said - it’s 2023, in almost all cases you should have your keys in a hardware module nowadays, in which case you’d use a different command for keygeneration.
ed25519 ≠ ecdsa
Actually it is the same story with TLS 1.3 and TLS 1.2. A bunch of sites still doesn’t support TLS 1.3 (e. g. arstechnica.com, startpage.com) and some of them only support TLS 1.2 with RSA (e. g. startpage.com).
You can try this yourself in Firefox by disabling ciphers (search for
security.ssl3inabout:config) or by setting the minimum TLS version to 1.3 (security.tls.version.min=4inabout:config).Strange enough TLS 1.3 still doesn’t support signed ed25519 certificates :| P‐256, NIST P‐384 or NIST P‐521 curves are known to be “backdoored” or having deliberately chosen mathematical weakness. I’m not an expert and just a noob security/selfhoster enthusiast but I don’t want to depend on curves made by NSA or other spy agencies !
I also wondering if the EU isn’t going to implement something similar with all their new spying laws currently discussed…
AFAIK, they’re not known to be backdoored, only suspected
Yeah wrong wording, but the fact that we have to depend mostly on NSA’s cryptographic schemes makes it very suspicious !
I had to create one this year after discovering that connectbot (ssh client on Android) didn’t support agent forwarding otherwise.
Probably a good idea to look for a different client, call me tinfoil but I wouldn’t want to touch a very old mechanism that is supported/pushed by a very recognisable 3 letter agency
I’ve just started using SSH inside of Termux, got tired of all the weird pitfalls SSH Clients for Android usually have
Probably. It’s in f-droid but increasingly looking not quite unmaintained, but not developed actively enough.
considered harmful
I delete them from the ssh config folder after installation, along with the DSA and ECDSA keys. No ed25519? No auth.
Also prevents a handful of bots from attempting SSH login into your cloud infra, a lot of them don’t support ed25519 kex
YouTube thumbnails are cancer
…mozilla.org/…/clickbait-remover-for-youtube/
DeArrow by the same developer as SponsorBlock seems to be actively developed and community contributions are fast.
YouTube titles, too :(
TL;DR: It’ll use a new, more secure key type.
Nice no ChatGPT anymore to remember how that damn Algorithm is spelled.
Why not just call it RSB ? People, really!