SSH: all about the Secure Shell protocol

SSH, or Secure Shell, is a remote administration protocol that allows users to control and modify their remote servers over the Internet. The service was created to securely replace the unencrypted Telnet.

A tutorial to cover the basics of how SSH works

SSH uses cryptographic techniques to ensure that all communications to and from the remote server are figures. It provides a mechanism for authenticating a remote user, transferring input from the client to the host, and relaying output to the client.

All Linux or macOS user can access its remote server directly from the terminal’s SSH window. The users Windows can take advantage of SSH clients such as PuTTY. You can execute shell commands in the same way you would if you were physically using the remote computer.

This SSH tutorial will cover the basics of how SSH works, as well as the underlying technologies used by the protocol to provide a secure method of remote access. It will cover the different layers and the types of encryption usedas well as the need for each layer.

How does SSH work?

The SSH command consists of 3 distinct parts: SSH {user} ?[host].

  • The SSH key control tells your system that you want to open an encrypted Secure Shell connection.
  • {user} represents the account you wish to access. The root user, for example, is the equivalent of the system administrator with absolute rights to any changes to the system.
  • [host] refers to the computer you want to access. This can be an IP address (e.g. or a domain name (e.g.

For Mac and Linux users, access the program from your terminaland then follow the order. When you press Enter, you will be prompted to enter the password for the requested account. When you enter it, nothing appears on the screen, but your password is actually transmitted. When you have finished entering it, press Enter again. If your password is correct, you will be greeted by a remote terminal window.

Understand the different encryption techniques

Compared to its predecessors, SSH offers a significant advantage: the use of the encryption to ensure secure transfer of information between host and client. There are three different encryption technologies used by SSH :

  • Symmetric encryption
  • Asymmetric encryption
  • Hashing.

Symmetric encryption

The symmetrical encryption is a form of encryption in which A secret key is used for both encryption and decryption of a message by the client and host.. Anyone with the key can decrypt the message being transferred. Symmetric encryption is often called shared key or shared secret encryption. Usually only one key is used, or sometimes a key pair where one key can easily be calculated using the other key.


Symmetric keys are used to encrypt the entire communication during an SSH session. Both the client and the server derive the secret key using an agreed method, and the resulting key is never disclosed to a third party. The process of creating a symmetric key is performed by a key exchange algorithm.

The fact that the key is never transmitted between the client and host makes this algorithm particularly useful for secured. The two computers share public data and then manipulate it to independently calculate the secret key. Even if another machine captures the publicly shared data, it will not be able to calculate the key because the key exchange algorithm is unknown.

It should be noted, however, that the secret token is specific to each SSH session and is generated before client authentication. Once the key is generated, all packets circulating between the two machines must be encrypted with the private key. This includes the password entered by the user, so that credentials are always protected against network packet sniffers.

Symmetrical encryption

There are a variety of symmetrical ciphersincluding, but not limited to, AES (Advanced Encryption Standard), CAST128, Blowfish, etc. Before establishing a secure connection, the client and a host decide which encryption to use, publishing a list of supported cyphers in order of preference.

The privileged encryption of the cyphers supported by the clients that is present on the host list is used as bi-directional encryption. For example, if two Ubuntu 14.04 LTS machines are communicating with each other via SSH, they will use aes128-ctr as the default encryption.

Asymmetric encryption

Unlike symmetric encryption, asymmetric encryption uses two separate keys for encryption and decryption. These two keys are called public key and private key. Together, these two keys form a public-private key pair.

Openly distributed public key

The public key, as the name suggests, is openly distributed and shared with all parties. Although closely related to the private key in terms of functionality, the private key cannot be mathematically calculated from the public key. The relationship between the two keys is very complex. A message encrypted by the public key of a machine can only be decrypted by the private key of the same machine. This one-way relationship means that the public key cannot decrypt its own messages, nor can it decrypt anything encrypted by the private key.

The private key must remain private. In other words.., for the connection to be secure, no third party must ever know it.. The strength of the whole connection lies in the fact that the private key is never revealed, as it is the only component capable of decrypting messages that have been encrypted using its own public key. Therefore, any party with the ability to decrypt publicly signed messages must have the corresponding private key.


Contrary to the general perception, the asymmetric encryption is not used to encrypt the entire SSH session. It is only used during the symmetric encryption key exchange algorithm.. Before launching a secure connection, both parties generate temporary public-private key pairs and share their respective private keys to produce the shared secret key.

Once a secure symmetric communication has been established, the server uses the client’s public key to generate it and transmit it to the client for authentication. If the client is able to decrypt the message, it means that the client has the private key required for the connection. The SSH session then begins.

The hashing

Unidirectional hashing is another form of cryptography. used in Secure Shell connections. The one-way hash functions differ from the two forms of encryption above in that they are never intended to be decrypted. They generate a unique value of a fixed length for each input. that shows no clear pattern that could be exploited. This makes them virtually impossible to reverse.

Generating a cryptographic hash

It is easy to generate a cryptographic hash from a given input, but impossible to generate the input from the hash. This means that if a client has the correct input, it can generate the cryptographic hash and compare its value to see if it has the correct input.

SSH uses hashes to verify the authenticity of messages.. This is done using HMAC or hash-based message authentication codes. This ensures that the received command is not altered in any way.

While the symmetric encryption algorithm is selected, an appropriate message authentication algorithm is also selected. This works in the same way as the encryption selection, as explained in the Symmetric Encryption section.

Each message transmitted must contain a MACwhich is calculated using the symmetric key, the packet sequence number and the message content. It is sent outside the symmetrically encrypted data as the final section of the communication packet.

How does SSH work with these encryption techniques?

SSH works by using a client-server model to allow the authentication of two remote systems and the encryption of the data passing between them.

SSH runs on TCP port 22 by default (although this can be changed if necessary). The host (server) listens on port 22 (or any other port assigned by SSH) for incoming connections. It organizes the secure connection by authenticating the client and opening the correct shell environment if the verification is successful.

The client must start the SSH connection in :

  • initiating TCP contact with the server
  • ensuring a secure symmetrical connection
  • Checking whether the identity displayed by the server matches previous records (usually stored in an RSA keystore file).
  • with the user credentials required to authenticate the connection.

There are two steps to making a connection. First, thehe two systems must agree on encryption standards. to protect future communications. Second, the user must authenticate. If the credentials match, access is granted to the user.

Session Encryption Negotiation

When a client attempts to connect to the server via TCP, the server presents the encryption protocols and the respective versions it supports. If the client has a similar protocol and version pair, an agreement is reached and the connection is initiated with the accepted protocol. The server also uses an asymmetric public key that the client can use to verify the authenticity of the host.

Once this is established, both parties use what is called a Diffie-Hellman key exchange algorithm to create a symmetric key. This algorithm allows both the client and the server to arrive at a shared encryption key that will now be used to encrypt the entire communication session.

User Authentication

Authentication of credentials is the last step before the user is authorized to access the server.. Most SSH users use a password for this. The user is prompted to enter the username, followed by the password. This credentials pass securely through the symmetrically encrypted tunnel. So there is no chance that it could be captured by a third party.

Although passwords are encrypted, it is still not recommended to use passwords for secure connections. This is because many bots can simply brute force easily guessed or default passwords and access your account. Experts recommend SSH key pairs. This is a set of asymmetric keys used to authenticate the user without having to enter a password.

Be the first to comment

Leave a Reply

Your email address will not be published.