Rate this post

What is SSH?

SSH, or Secure Shell, is a remote management protocol that allows users to control and modify their remote servers over the Internet. The service was created as a secure replacement for the unencrypted Telnet and uses cryptographic techniques to ensure that all communications to and from the remote server are performed in an encrypted manner. It provides a mechanism for authenticating a remote user, transferring client entries to the host, and retransmitting the output to the client.

The following figure shows a typical SSH window. Any Linux or macOS user can SSH on their remote server directly from the terminal window. Windows users can take advantage of SSH clients like Putty. You can execute shell commands in the same way you would if you were physically operating the remote computer.

Example of SSH connection showing how SSH works
This SSH tutorial will cover the basics of how ssh works, along with the underlying technologies used by the protocol to offer a secure method of remote access. It will cover the different layers and types of encryption used, along with the purpose of each layer.

How does SSH work?

If you are using Linux or Mac, then using SSH is very simple. If you use Windows, you will need to use an SSH client to open SSH connections. The most popular SSH client is PuTTY, about which you can get more information here.

For Mac and Linux users, go to your terminal Program and then follow the procedure below:

The SSH command consists of 3 different parts:

ssh {user} @ {host}

The SSH key command tells your system that you want to open an encrypted secure shell connection. {user} represents the account you want to access. For example, you may want to access the root user, who is also basically a system administrator with full rights to modify anything in the system. {host} it refers to the computer you want to access. This can be an IP address (for example, or a domain name (for example, www.xyzdomain.com).

When you press Enter, you will be asked to enter the password for the requested account. When you type it, nothing will appear on the screen, but your password, in fact, is being transmitted. Once you have finished typing, hit enter one more time. If your password is correct, you will be greeted with a remote terminal window.

If you want more information about other SSH commands, look them up here.

Understanding the different encryption techniques

The important advantage that SSH offers over its predecessors is the use of encryption to ensure the secure transfer of information between the host and the client. Host refers to the remote server that you are trying to access, while client is the computer you are using to access the host. There are three different encryption technologies used by SSH:

  1. Symmetric encryption
  2. Asymmetric encryption
  3. Hashing

Symmetric encryption

Symmetric encryption is a form of encryption where a secret key it is used both for encryption and decryption of a message by the client and the host. Indeed, anyone who has the key can decipher the message that is being transferred.

SSH Tutorial - symmetric encryption

Symmetric encryption is often called shared key or shared secret encryption In general, only one key is used or, sometimes, a pair of keys where one key can be easily calculated using the other key.

Symmetric keys are used to encrypt all communication during an SSH session. Both the client and the server derive the secret key using an agreed method, and the resulting key is never disclosed to third parties. The process of creating a symmetric key is carried out by a key exchange algorithm. What makes this algorithm particularly secure is the fact that the key is never transmitted between the client and the host. Instead, the two computers share public data and then manipulate it to independently calculate the secret key. Even if another machine captures publicly shared data, it can not calculate the key because the key exchange algorithm is not known.

However, it must be taken into account that the secret token is specific to each SSH session and generated prior to client authentication. Once the key has been generated, all packets that move between the two machines must be encrypted by the private key. This includes the password written by the user in the console, so the credentials are always protected against the network packet sniffer.

There is a variety of symmetric encryption ciphers, including, among others, AES (Advanced Encryption Standard), CAST128, Blowfish, etc. Before establishing a secure connection, the client and the host decide which encryption to use, by publishing a list of supported Cyphers in order of preference. The preferred encryption of the clients admitted to the encryption that is present in the host list is used as the bidirectional encryption.

For example, if two Ubuntu 14.04 LTS machines communicate with each other through SSH, they will use aes128-ctr as its default encryption.

Asymmetric encryption

Unlike symmetric encryption, asymmetric encryption uses two separate keys for encryption and decryption. These two keys are known as the Public key and the private key. Together, both keys form a pair of public-private keys.

Asymmetric encryption

The public key, as the name suggests, is openly distributed and shared with all parties. While it is closely linked to the private key in terms of functionality, the private key can not be calculated mathematically from the public key. The relationship between the two keys is highly complex: a message that is encrypted by the public key of a machine can only be deciphered by the private key of the same machine. This unidirectional relationship means that the public key can not decrypt its own messages, nor can it decrypt anything encrypted by the private key.

The private key must remain private, that is, for the connection to be secure, no third party should know it. The strength of the whole connection lies in the fact that the private key is never revealed, since it is the only component capable of deciphering messages that were encrypted with their own public key. Therefore, any party that has the ability to decrypt publicly signed messages must have the corresponding private key.

Unlike general perception, asymmetric encryption is not used to encrypt the entire SSH session. Instead, it is only used during the key exchange algorithm of the symmetric encryption. Before starting a secure connection, both parties generate temporary public and private key pairs, and share their respective private keys to produce the shared secret key.

Once a secure symmetric communication has been established, the server uses the client's public key to generate it, challenge it and transmit it to the client for authentication. If the client can decrypt the message correctly, it means that it contains the private key required for the connection. Then the SSH session begins.


Unidirectional hashing is another form of cryptography used in Secure Shell Connections. The unidirectional hash functions differ from the two previous forms of encryption in the sense that they should never be deciphered. They generate a single value of a fixed length for each entry that does not show a clear trend that can be exploited. This makes them practically impossible to reverse.


It is easy to generate a cryptographic hash from a given entry, but it is impossible to generate the hash entry. This means that if a client has the correct entry, it can generate the cryptographic hash and compare its value to verify if it has the correct entry.

SSH uses hashes to verify the authenticity of messages. This is done using HMACs, or Hbased on ashes SUBWAYessage Aauthentication doAll this ensures that the received command is not tampered with in any way.

While selecting the symmetric encryption algorithm, an appropriate message authentication algorithm is also selected. This works in a similar way to how encryption is selected, as explained in the symmetric encryption section.

Each message that is transmitted must contain a MAC, which is calculated using the symmetric key, the packet sequence number and the content of the message. It is sent out of the encrypted data symmetrically as the final section of the communication packet.

How does SSH work with these encryption techniques?

The way SSH works is through the use of a client-server model to allow the authentication of two remote systems and the encryption of the data that passes between them.

SSH operates on TCP port 22 by default (although this can be changed if necessary). The host (server) listens on port 22 (or any other port assigned by SSH) for incoming connections. Organize the secure connection by authenticating the client and opening the correct shell environment if the verification is successful.

Client and SSH server

The client must start the SSH connection by initiating the TCP link protocol with the server, ensuring a secure symmetric connection, verifying if the identity displayed by the server matches the previous records (normally registered in an RSA key storage file) and presenting the required user credentials To authenticate the connection.

There are two stages to establish a connection: first, both systems must agree on encryption standards to protect future communications, and second, the user must authenticate. If the credentials match, then the user is granted access.

Negotiation of session encryption

When a client tries to connect to the server through TCP, the server presents the encryption protocols and the respective versions that it supports. If the client has a couple of similar protocol and version, an agreement is reached and the connection starts with the accepted protocol. The server also uses an asymmetric public key that the client can use to verify the host's authenticity.

Once this is established, the two parties use what is known as a Diffie-Hellman key exchange algorithm to create a symmetric key. This algorithm allows both the client and the server to reach a shared encryption key that will be used from now on to encrypt the entire communication session.

Here is how the algorithm works at a very basic level:

  1. Both the client and the server agree on a very large prime number, which of course has no factor in common. This prime number value is also known as seed value.
  2. Next, the two parties agree on a common encryption mechanism to generate another set of values ​​by manipulating the seed values ​​in a specific algorithmic manner. These mechanisms, also known as encryption generators, perform large operations on the seed. An example of a generator of this type is AES (Advanced Encryption Standard).
  3. Both parties independently generate another prime number. This is used as a secret private key for the interaction.
  4. This newly generated private key, with the shared number and the encryption algorithm (for example, AES), is used to calculate a public key that is distributed to the other computer.
  5. The parties then use their personal private key, the shared public key of the other machine, and the original prime number to create a final shared key. This key is calculated independently by both computers, but will create the same encryption key on both sides.
  6. Now that both sides have a shared key, they can symmetrically encrypt the entire SSH session. The same key can be used to encrypt and decrypt messages (read: section on symmetric encryption).

Now that the secure session has been established symmetrically encrypted, the user must be authenticated.

Authenticating the user

The final stage before the user accesses the server is to authenticate their credentials. For this, most SSH users use a password. The user is asked to enter the username, followed by the password. These credentials pass securely through the encrypted tunnel symmetrically, so there is no possibility of them being captured by a third party.

Although passwords are encrypted, it is still not recommended to use passwords for secure connections. This is because many bots can simply force simple or predetermined passwords and gain access to your account. In contrast, the recommended alternative is SSH Key Pairs.

These are a set of asymmetric keys that are used to authenticate the user without the need to enter a password.


Gaining a deep understanding of how SSH works can help users understand the security aspects of this technology. Most people think that this process is extremely complex and incomprehensible, but it is much simpler than most people think. If you're wondering how long it takes a computer to calculate a hash and authenticate a user, well, this happens in less than a second. In fact, the maximum amount of time is spent on the transfer of data over the Internet.

Hopefully, this SSH tutorial has helped you see how different technologies can be grouped together to create a robust system in which each mechanism plays a very important role. Also, now you know why Telnet became a thing of the past as soon as SSH appeared.

For more Linux tutorials, be sure to check out our VPS tutorials section.