I might make it work!

oh, no...

+ also "Linux is awesome, and so are you."

Ringtone. That is all.

I read that comment exactly at the moment this sentence fell.

I try to replace mine every two years or so. Sometimes with dev/play servers I let them go a little longer, but those usually aren't even on most of the time when not in use!

Hi @@VeronicaExplains. Great vid. However NIST is recommending to rotate your keys every 1 to 12 months now ;)

Oooo, I don't see that in their last whitepaper I read. Is this new? (Note, any link you share here might get auto-blocked but I'll hopefully see it, vet it, and then allow it through.)

@@Johan.Molenberghs I'd think that this would only be necessary if you have really bad security hygiene; dropping your keys onto every machine that you touch. If you manage your keys well I can't see how changing them like you change your underpants actually helps. (1 to 12 months: yes, I'm a dirty old man :)

Good to know, @@Johan.Molenberghs. I usually do the same as @VeronicaExplains does, updating my keys every couple of years.

I subscribed when I read "no paid product placement"

Xana, so many good memories

Woohoo!! Code Lyoko!! \o/

This comment brightened my day. Thank you so much!

@@VeronicaExplains

Thank YOU for making awesome videos which help all of us learn more! :)

Uhm no. The whole point of the SSH key system is to easily create and distribute keys. The ed25519 keys are short so they are perfect, Look into ssh-copy-id. There is probably a manpage. You can just publish those keys pretty much anywhere. Hey, you could piggyback them on the GnuPG keyservers as a comment.

using signed keys and KRL is part pf this

Doing my part to reduce clickbait! :P

Yeah, I think this is the best analogy. They are tied together in the same way

I mean, I guess? It's basically, "Here, I'm going to hand you this lock so that the next time we meet, you'll know it's me, because I'm the only one who can unlock it."

Public key is smart card reader, private key is your smart card. You can register your smart card to any amount of readers.

@@Gornius You can also pin any amount of locks to fit a given key.

Ok, ko-fi not patron. 🤷‍♂️

The NIST curves are suspect because some of the parameters are randomly generated. NIST publishes the seeds used for the random number generator, but no explanation how they came up with the seeds (they look random). They could have used a nothing-up-my-sleeve number but they didn't.

Yup, you can combine this kind of thing with something like Keybase and use it to manage your own custom CA for key management, it's fantastic.

Enterprise deployments tend to chase FIPS compliance and Ed25519 is not quite there yet with NIST. The NIST curves like P256 are trusted by no one but still used as the least bad option unless you consider RSA the least bad option. Everyone is annoyed with NIST about them taking so long to get the whole Ed25519 certification cake baked.

RSA *is* the least bad option. Even if you're willing to use crypto parameters from a three-letter agency, non-ed ECDSA is a giant footgun.

​@aysnov RSA is resource intensive compared to the others. It scales poorly too. NIST aren't even working on writing up the ed25519 specs which tells you that they are doing thier best to delay its adoption.

I'd argue "resource intensive" beats "leaks your private key if you ever use it with poor RNG". Key exchange performance shouldn't really matter on anything reasonably modern anyway, short of maybe some very constrained embedded systems.

​@aysnov A poor RNG is never going to be a problem for me (My job). But my primary concern is the side channel and fault injection properties. RSA sucks more than EC in that respect, but the side channel research changes pretty fast so it might be less true over time. Small devices (eg smart cards) have issues with computing large RSA operations. The intersection of good algorithms and NIST compliant algorithms is nothing.

I'm glad you stayed until the end! It was a lot of fun. :)

It might be the fingerless gloves...

My guy. She talks how she talks. This is not a reasonable request. She puts huge effort into the closed captioning for this reason.

That's not for her to say, not you. =) It is fair for me to say that I need to hear what she's saying. As mentioned, I do use the closed captioning and that does indeed help! You're right that I'm requesting reasonable accommodation, like asking a spouse to use a lower shelf in the kitchen, or a phone app to allow the setting of larger font sizes to ease readability. I'd like to think that we don't (yet) live in a world in which we tell others that they should just go buy a ladder or rely on screen readers. Veronica puts a great deal of effort in taking complex, detail oriented topics and delivering content that is both accurate and nuanced. She also certainly puts considerable thought into delivery style as well and modulates her voice to make the monologues more interesting. The only catch is that it can affect the comprehension for those with hearing loss if not moderated well.

Also: if you allow password login, you should still be able to login with password.

There's no need to so I'm pretty sure they won't do it. Also, I'd expect them to want gov certifications (FIPS, and the like), Ed25519 wasn't allowed in those until very recently (like 2023)

Thank you! Your comment made my day!

HAHA, I was getting ready to post about the ed209, but then I saw your post :P Cool that it is going default now

Ed25519 doesn’t care but don’t upset ED-209!

I've seen so many commercials when I hear ED, I only think of...commercials and blue pills haha

@@ironfist7789 "going default" I like that.

@@randomgeocacher sometimes 209 has minor glitches!

Thank you! Hopefully now the cadence picks up a bit!

Yup! That's a thing with a lot of old network equipment!

Same here! 😁

I don't know if it's trickled down to testing yet. Might be worth looking through the mailing list to see if they're planning it for this release or next?

WSL2 doesn't support ed25519 keys? Are you talking about someone SSHing into a Windows 11 machine remotely? I've been using ed25519 keys to SSH into remote servers FROM Windows 11 WSL2, no problem.

Here's a tip- in most terminals you can type `-t ed` and then hit tab. On the few I regularly use, it autofills the rest. :)

@@VeronicaExplains oh yeah auto-completions are standard now... 😅

Your avatar, clearly! :)

You can always specify encryption you want to use for key generation yourself with > ssh-keygen -t

@@bogdanrzheusski8115 Thanks, yes, as Veronica explained. That's what I wound up doing, as my ssh-keygen isn't yet the newest release (Ubuntu being downstream of Debian). Read the man page for it too, like every day with Linux, a learning exercise.

I believe I said RSA is "often" less secure, and I said I'm not a cryptographer. But please, if you know of any reputable cryptographers who feel RSA public/private keys are a more secure choice than Ed25519, I'd like to hear it. :)

@@VeronicaExplains I mean we could argue about it, but realistically speaking both (at the current default key sizes) are more than good enough for 99.99% of use cases. Many bank and government websites to this day use RSA 2048 in their SSL certs. It all depends on the threat model, and let's be honest, if you're dealing with an organization that has the capability to brute force these algorithms, they also have the capability to raid your house/data center and just grab the server directly, and they won't bother with trying to brute force the algorithm unless they absolutely have to. More secure defaults, smaller keys, why not, but realistically speaking, it doesn't really matter, your old rsa keys are fine just fine. It's far more likely that someone will find a pre-auth 0-day vulnerability in openssh than someone bruteforceing your RSA 2048 key. XKCD 538: Security