Officially requesting that "Oh No! Am I going to have to do some work, Veronica?!" becomes a regular line in your show.

@VeronicaExplains

6 ай бұрын

I might make it work!

@kahnzo

6 ай бұрын

oh, no...

@cbscbs

6 ай бұрын

+ also "Linux is awesome, and so are you."

@abandoninplace2751

6 ай бұрын

Ringtone. That is all.

@LunaLorea

6 ай бұрын

I read that comment exactly at the moment this sentence fell.

It’s never a bad idea to update SSH keys regularly - even better when there is a more secure algorithm. 🙂

@VeronicaExplains

6 ай бұрын

I try to replace mine every two years or so. Sometimes with dev/play servers I let them go a little longer, but those usually aren't even on most of the time when not in use!

@Johan.Molenberghs

6 ай бұрын

Hi @@VeronicaExplains. Great vid. However NIST is recommending to rotate your keys every 1 to 12 months now ;)

@VeronicaExplains

6 ай бұрын

Oooo, I don't see that in their last whitepaper I read. Is this new? (Note, any link you share here might get auto-blocked but I'll hopefully see it, vet it, and then allow it through.)

@dingokidneys

6 ай бұрын

@@Johan.Molenberghs I'd think that this would only be necessary if you have really bad security hygiene; dropping your keys onto every machine that you touch. If you manage your keys well I can't see how changing them like you change your underpants actually helps. (1 to 12 months: yes, I'm a dirty old man :)

@Montegasppa

6 ай бұрын

Good to know, @@Johan.Molenberghs. I usually do the same as @VeronicaExplains does, updating my keys every couple of years.

I'm so happy I subscribed to this channel. Love the content.

@Centomila

6 ай бұрын

I subscribed when I read "no paid product placement"

@codeartha

6 ай бұрын

Xana, so many good memories

@Maverick_Mad_Moiselle

3 ай бұрын

Woohoo!! Code Lyoko!! \o/

so great to see you back! Set looks like it's coming along well, and I hope things are turning for the better across the board for you!!

Great video again. You can really see how much time, creativity and effort you put into editing your videos. This 10m videos must have taking a day to make.

Love the TLDR right after 5 seconds 😀

@VeronicaExplains

6 ай бұрын

Doing my part to reduce clickbait! :P

I always like to describe public keys like locks and private keys like ... keys. I find this works well

@RAN-os5gz

6 ай бұрын

Yeah, I think this is the best analogy. They are tied together in the same way

@GSBarlev

6 ай бұрын

I mean, I guess? It's basically, "Here, I'm going to hand you this lock so that the next time we meet, you'll know it's me, because I'm the only one who can unlock it."

@Gornius

6 ай бұрын

Public key is smart card reader, private key is your smart card. You can register your smart card to any amount of readers.

@LaughingOrange

6 ай бұрын

@@Gornius You can also pin any amount of locks to fit a given key.

Damn, pitching out other channels is great! but also adding those in the description as well is a sign you are the best!! This channel is pure gold. The topics you cover are not my everyday needs but the most useful when I'm in trouble, which would be my everyday if not for you. Also the script is clear and well delivered, good amounts of comedy and plenty of well researched information distilled with great filmmaking and awesome animations. In any case, I'll recommend this channel as an example of how to do things properly. Even the captions are corrected! Great effort, great results. Thanks for sharing.

@VeronicaExplains

6 ай бұрын

This comment brightened my day. Thank you so much!

@SRG-Learn-Code

6 ай бұрын

@@VeronicaExplains

OpenSSH is awesome, and so are you! This was a good bit of SSH info, and I found it nicely informative. It also reminded me to go clean up and regenerate my keys!

Thank you for another excellent video, Veronica. Yesterday I discovered sshfs. It seamlessly mounts a remote directory to your local system using ssh. It made life on my multi-OS home network much easier. Have a great day!

5:15: That was incredibly well done! Wow! :) Great video. Thoroughly enjoyable.

your videos always have such a good vibe

Love SSH... fast, secure, can do file transfers easily multiple ways... and can trivially be centrally managed with a key server. That might be an idea for a vid too: Key servers. Edited to add: I mean e.g. LDAP vs universal key managers vs simple inotify to copy pub keys to servers that kind of thing. More than one way to skin SSH. :)

@Andrath

6 ай бұрын

Uhm no. The whole point of the SSH key system is to easily create and distribute keys. The ed25519 keys are short so they are perfect, Look into ssh-copy-id. There is probably a manpage. You can just publish those keys pretty much anywhere. Hey, you could piggyback them on the GnuPG keyservers as a comment.

@billschrimpf6814

5 ай бұрын

using signed keys and KRL is part pf this

Favorite tech channel on KZread. Love your content Veronica

Thank you for being an awesome smart woman! and for linking my channel :) !

@VeronicaExplains

6 ай бұрын

Thank YOU for making awesome videos which help all of us learn more! :)

1. Couldn't agree more about the Macintosh Librarian- one of my favorites 2. Thank you, this is exactly the kind of fun yet informative content that is so hard to find. Hitting the patron.

@broimnotyourbro

6 ай бұрын

Ok, ko-fi not patron. 🤷‍♂️

This is the first video of yours that I've seen and I am immediately struck by how clearly you communicate! Both in terms of your script, and in terms of literally enunciating clearly. You stress the tricky consonants enough that my autistic brain can pick them out, but without going so far that it's just silly. That's such an awesome skill for a teacher to have and I'm so glad you enjoy what you do!

I love your videos! Great tips and very positive energy, you ALWAYS make my day 😁, by the way, the C=64 and Amiga Boing reminded me of all the fun. Thanks and Greetings from Northwest Mexico.

@VeronicaExplains

6 ай бұрын

Thank you! Your comment made my day!

That is why i love MikroTik network equipment. even after over twenty years their switches and APs still get firmware updates to support the newest tech.

First post "I quit COBOL" video and I love it. From one old-timer engineer to another, "great job, keep it up!"

Lover your stuff. Keep doing it❤

i want to set up a home network and ssh into my wife's laptop. so i really have to breakdown and learn ssh. thanx for your excellent videos. you always give details. i like that.

Oh that ending. LOL!! Thank you for another wonderful and informative video.

@VeronicaExplains

6 ай бұрын

I'm glad you stayed until the end! It was a lot of fun. :)

Thanks for this. More please! More of everything please!

Great news. I am happy about the change. The length of the public keys make a practical difference. The new keys fit on one line, and are easy to copy and paste.

I also switche dto ed25519 keys years ago, and I'm glad it's now the default. It took me years to remember the digits.

It would probably take a while for me to stop using the `-t ed25519` parameter 😁

One thing that might be cool to cover in the future is SSH certificates. They're built in to OpenSSH, with commands for managing them built in to ssh-keygen. But they're useful because they allow you to essentially create auto-trusted, but auto-expiring keys for any user on the system. You can limit the authorization for the certificate to specific dates/times, specific users, even specific uses of SSH. One benefit is not needing to reconfigure the target system with an updated authorization when a new key is created. As long as a new cert is generated, and signed by a key trusted by the target, the new cert will be accepted, without needing to update authorized_keys. And the "CA key" trust can be specified by the authorized_keys file or by a config option in sshd_config.

@dieselbaby

6 ай бұрын

Yup, you can combine this kind of thing with something like Keybase and use it to manage your own custom CA for key management, it's fantastic.

Thanks for the explanation, and yes - the Macintosh Librarian channel is a _bunch_ of fun!

I didn't even know this was a thing! Thanks Veronica for your explanation!

Great video, great reminder. Un saludo desde Bogotá

This is so good. Finally, someone is addressing topics like these.

Nice to see you back making videos!

@VeronicaExplains

6 ай бұрын

Thank you! Hopefully now the cadence picks up a bit!

Incredibly well made video

I always smile when I see your smiling face 😄, (and learn from your explanations.)

Been loving Macintosh Librarian. She really hits you right in the nostalgia button, assuming you used old Apple and Macintosh computers in school. It’s also really neat to see the things people have come up with to keep old tech running or even expand it’s capabilities, far beyond what was possible when it was new.

I love your retro visuals!

Thanks. I just watched this as my 1st video from you. Good job as all my instructions always have -T option. I did run into this issue with Hadoop I think that needed RSA keys vs ed25519, the newer modern one that you and I use.

Absolutely fantastic config file at 8:35. 👍🏼the Brian May reference!

Love your videos, Thank you.

Love the video, thanks!

Oh No!! Am I going to have to do some work Veronica?? 😄🤗 Your videos are so enjoyable to watch!

Veronica is BACK!!!!!!!!!!!!!!!!!!!!!!

I just checked my FreeBSD-14.0 system and needed to update the config. Thanks for this info!

Informative video. I will update my procedures to use the newer type of keys. I will watch the other video for information about the catalog to see if it will help me. I have multiple key pairs which results in ssh giving up on login attempts before finding the right key. I made some shell scripts to tell ssh which identify to use when I want to access certain systems.

Great video! Thanks :)

I'm looking behind you and I see you're on top of things

The intro fakeout was fantastic, glad I had set my coffee down

Hi, new subscriber, but ooold S/W guy here. Coupla things: I work for a contractor at a US Gov't agency known throughout the solar system (ahem). The servers on one of my projects don't accept ed25519... they insist on ECDSA, which has, shall we say, a controversial history. Given a choice, I'll use ed25519 key pairs; I trust djb a whole lot more than I do NIST. The other thing: My spouse and I had Power Computing machines in the brief window when Apple allowed clones, before the Second Coming of Jobs. They were pretty cool machines, and the company had an Attitude that I found refreshing. Thanks, looking forward to more of your content!

Hi from the patreon crowd! Using ssh since 1997, this was new to me!

There's also different curves or curve parameters. As I understand it, ECDSA uses some curves published by NIST, where they say "Use these curve parameters" without any particular justification, and people speculate the NSA may be involved in getting them to endorse those particular parameters. The Curve25519 curve used by Ed25519 is also allegedly maybe more secure when it comes to side-channel attacks? But at this point I'm beyond my ability to assertively repeat that information.

@ben_spiller

6 ай бұрын

The NIST curves are suspect because some of the parameters are randomly generated. NIST publishes the seeds used for the random number generator, but no explanation how they came up with the seeds (they look random). They could have used a nothing-up-my-sleeve number but they didn't.

Thank you for saving me from having to find this out. Pausing my recovery for a moment, I can imagine this breaking things at my old workplace, perhaps on OpenVMS stuff. But as they are not paying me, I'm going to watch a cat video.

Can't explain why but your style reminds me of such of the Beakman's Science Show, great synergy between info and entertainment. I really like your production style. Thanks for sharing.

@SRG-Learn-Code

6 ай бұрын

It might be the fingerless gloves...

Nice news on the SSH updates. While there's no problem if both client and server run a modern version of openssh, it could be confusing to connect from modern to legacy system (e.g. an OpenWrt router which hasn't been sysupgraded for years), but all can be done with some knowledge and google-fu. Hey, nice to see the creator shoutout! Who knows, maybe I'll end up there someday :D

@autohmae

6 ай бұрын

Also: if you allow password login, you should still be able to login with password.

Abloy and SSH, two well-known Finnish invention for security. I am old fashioned and still prefer 3072 bit RSA keys for SSH and Abloy Protec² for mechanical locks.

Awesome 😎

The edge cases I usually seem to hit in the past with ssh keys were related to software that used ssh internally. Like some kind of niche software for a company. There would usually be some code that specified the type of key and I couldn't use newer types of keys with it.

It's awesome ed keys are the default now, been using them for a while just so the authorized_keys entries would look neater

Oh I love Mac Librarian! Her vids are so good.

Love the content! One question I keep pondering watching your videos is that are you and the Technology Connections person connected in any way? Your jokes and style feel very similar to me and I am having an absolute blast yours and his videos!

Thanks for the video! Somewhere in enterprise RSA is still requirement, on modern systems too. "Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported."

@davidjohnston4240

6 ай бұрын

Enterprise deployments tend to chase FIPS compliance and Ed25519 is not quite there yet with NIST. The NIST curves like P256 are trusted by no one but still used as the least bad option unless you consider RSA the least bad option. Everyone is annoyed with NIST about them taking so long to get the whole Ed25519 certification cake baked.

@aysnov

6 ай бұрын

RSA *is* the least bad option. Even if you're willing to use crypto parameters from a three-letter agency, non-ed ECDSA is a giant footgun.

@davidjohnston4240

6 ай бұрын

​@aysnov RSA is resource intensive compared to the others. It scales poorly too. NIST aren't even working on writing up the ed25519 specs which tells you that they are doing thier best to delay its adoption.

@aysnov

6 ай бұрын

I'd argue "resource intensive" beats "leaks your private key if you ever use it with poor RNG". Key exchange performance shouldn't really matter on anything reasonably modern anyway, short of maybe some very constrained embedded systems.

@davidjohnston4240

6 ай бұрын

​@aysnov A poor RNG is never going to be a problem for me (My job). But my primary concern is the side channel and fault injection properties. RSA sucks more than EC in that respect, but the side channel research changes pretty fast so it might be less true over time. Small devices (eg smart cards) have issues with computing large RSA operations. The intersection of good algorithms and NIST compliant algorithms is nothing.

Awesome retro feeel u give in ur videos, I date back to PC-XT days of Dos

You're insanely talented, and the information that you provide is so important to hear, so I say this with deep respect. My hearing isn't what it used to be, and sometimes it can be be a difficult to understand words when the pitch goes too high. Thankfully closed captioning helps, but if you could keep an ear on your pitch for the benefit of older listeners when you record your videos? Thanks again for all the great information!

@fractalMD

5 ай бұрын

My guy. She talks how she talks. This is not a reasonable request. She puts huge effort into the closed captioning for this reason.

@jblacktube

5 ай бұрын

That's not for her to say, not you. =) It is fair for me to say that I need to hear what she's saying. As mentioned, I do use the closed captioning and that does indeed help! You're right that I'm requesting reasonable accommodation, like asking a spouse to use a lower shelf in the kitchen, or a phone app to allow the setting of larger font sizes to ease readability. I'd like to think that we don't (yet) live in a world in which we tell others that they should just go buy a ladder or rely on screen readers. Veronica puts a great deal of effort in taking complex, detail oriented topics and delivering content that is both accurate and nuanced. She also certainly puts considerable thought into delivery style as well and modulates her voice to make the monologues more interesting. The only catch is that it can affect the comprehension for those with hearing loss if not moderated well.

That Commodore 128 I dreamt to have back in the day... Until I saw the Amiga 500. Got the 500 and I never regetted it!

@Darkk6969

6 ай бұрын

Same here! 😁

Thanks for making this video. I usually added the ed25519 type to generate my keys, seems my keygen command just got simpler. Would/could you do a video on proper ssh key management? That is something I still have issues with how to properly administrate them.

I like that your "Unix and linux system administration" is serving to raise your monitor height.

Very cool.

Commands in the description, this is why I come here! Well, one of the many reasons.

First time viewer, and I'm only 20 seconds in, but I like your intro! 🙂

I love the random Commodore 64 drops. I remember using that machine. Good times. :-)

Oh snap! This is a great change!

Fun fact. A week ago or so, I played a game called Scanner Sombre (awesome btw) which used a faulty OpenSSH feature code. Intel 10th+ generation CPUs apparently have a feature for better key generation and that faulty code caused the game to crash when attempting to use the CPU feature with it. Intel has posted an article about it "OpenSSL* SHA Crash Bug Requires Application Update." A game dev unrelated to this game has debugged the issue and made a tutorial to edit the executable to replace the OpenSSH commands by NOP and it fixed it. It was later found that just telling Windows not to use those features worked too, albeit not as fun. Perchance.

Being a fellow minnesotan, it's uncanny to hear what sounds exactly like my aunt schooling me in how to use OpenSSH, it's like I can't help but not pay attention.

I just finished changing all my keys over to ed25519 a couple of days ago. I had no idea they'd be changing the default so this is good news. I always had to either run '--help' or do a quick 'man ssh-keygen' cause I could never remember ed25519 and then because I had an old rsa key still hanging around I'd always have to specify the id file either on the command line or in a config file which was a bit of a drag.

I liked the fake-out on the exit music midway through the video.

Recently got a nice deal on a very old Cisco PoE switch. When attempting to SSH into it, I wasn't supersized that doing so required setting flags for algorithms no longer supported by default, like SHA1 and aes-256-cbc.

@VeronicaExplains

6 ай бұрын

Yup! That's a thing with a lot of old network equipment!

Just yestarday I generated a new keypar for a fresh arch install and when I pasted the public key on my nas server, I noticed this weird new key that look nothing like my old ones. Thanks for the info 😅😊

Love the shirt!!!

@VeronicaExplains

6 ай бұрын

Thanks! It'll be available at vkc.sh/merch soon. :)

@fractalMD

6 ай бұрын

​@@VeronicaExplainsEVERYONE NEEDS IT

I can't recall ever seeing the ED25519 option whenever I've generated SSH keys on Cisco gear, so I'm guessing it either doesn't support it, or possibly calls it something else. The latter wouldn't surprise me, since Cisco seem to like having their own way of doing things. Also, Macintosh Librarian is a great channel! Maccy is so much fun!

@666Tomato666

6 ай бұрын

There's no need to so I'm pretty sure they won't do it. Also, I'd expect them to want gov certifications (FIPS, and the like), Ed25519 wasn't allowed in those until very recently (like 2023)

Oh finally we're using ecliptic curve ciphers by default.

Remember that SSH is the underpinning for SFTP, which is used by a few other user classes besides system admins and devops.

I do sysadmin in a "legacy" setting (so many stupid windows servers), we are just looking at transferring to ssh keypairs... Although somehow we run docker containers like they're going out of fashion. Gonna go watch the OpenSSH video now, cheers!

Oh great! I've been wondering why RSA is still so common as default. -- Edit -- I loved both the early intro and early outro!

Love your videos! Interesting. I've used linux since 1993.

@KeritechElectronics

6 ай бұрын

That's a lot! Real deal old guard.

If you want go further, you can set up hardware-based SSH key which usually stated as ed25519-sk or rsa-sk. So the hacker need to be a physical theft to penetrate :)

For Debian the oldest release that supports it is: Debian 8 Jessie from 2015 So in case of Debian, you had to be running software older than that, like Debian 7 Wheezy from 2013

7:45 Queen - 39, nice!

Great video o/

As a genXer I appreciate all of the commodore/amiga surprises in this

2:13 I saw that, and I will be checking it out. :3

So happy about this. It was so annoying to need to google it every time because who can remember ed2?????

@VeronicaExplains

6 ай бұрын

Here's a tip- in most terminals you can type `-t ed` and then hit tab. On the few I regularly use, it autofills the rest. :)

@wezzelinator

6 ай бұрын

@@VeronicaExplains oh yeah auto-completions are standard now... 😅

Clever intro! ;)

I always get Ed25519 and ED-209 mixed up. 👍

@ironfist7789

6 ай бұрын

HAHA, I was getting ready to post about the ed209, but then I saw your post :P Cool that it is going default now

@randomgeocacher

6 ай бұрын

Ed25519 doesn’t care but don’t upset ED-209!

@mrmotofy

6 ай бұрын

I've seen so many commercials when I hear ED, I only think of...commercials and blue pills haha

@GeordiLaForgery

6 ай бұрын

@@ironfist7789 "going default" I like that.

@GeordiLaForgery

6 ай бұрын

@@randomgeocacher sometimes 209 has minor glitches!

Oh, cool background!

heck yea

Yay, I needed to get sshd running under Ubuntu after doing a complete wipe/reinstall a few weeks ago, so this would be the perfect time to see if this improvement is in the changelogs, or whatever. I'm just accessing my PC from my Chromebook, so I'm no power user of sshd, but it's always fun to delve into a part of Linux that I normally just "set and forget". Thanks for the info.

@bogdanrzheusski8115

6 ай бұрын

You can always specify encryption you want to use for key generation yourself with > ssh-keygen -t

@AlanCanon2222

6 ай бұрын

@@bogdanrzheusski8115 Thanks, yes, as Veronica explained. That's what I wound up doing, as my ssh-keygen isn't yet the newest release (Ubuntu being downstream of Debian). Read the man page for it too, like every day with Linux, a learning exercise.

Nice boing-ball graphic you got there. Have you done any Amiga or AmigaDos videos?

I'll have to retrain my muscle memory - been doing it long enough that ssh-keygen -t rsa -b 4096 is a cliche, from the days of default dss 🙂

YEEEEEEEEEEEIIIIIIIIIIII VERÓNICA

Brian May IS an absolute genius!