SSH, or Secure Shell, is a remote administration protocol that allows users to control and modify their remote servers over the Internet. The service was created as a secure replacement for unencrypted Telnet, and uses cryptographic techniques to ensure that all communication to and from the remote server occurs in an encrypted manner. It provides a mechanism to authenticate a remote user, forward input from the client to the host, and relay output to the client.

The image below shows a typical SSH window. Any Linux or MacOS user can SSH into their remote server directly from the terminal window. Windows users can use  SSH clients like Putty . You can execute shell commands the same way you would if you were physically using the remote computer.

Example SSH connection showing how SSH works

This SSH tutorial will cover the basics of how SSH works, as well as the underlying technologies used by the protocol to provide a secure method of remote access. It will cover the different layers and types of encryption used, as well as the purpose of each layer.

How SSH works

If you are using Linux or Mac, then using SSH is very simple. If you’re using Windows, you’ll need to use an SSH client to open SSH connections. The most popular SSH client is PuTTY, which you  can learn more about here .

For Mac and Linux users, switch to your  terminal program , then follow the steps below:

The SSH command consists of 3 distinct parts:

ssh {user}@{host}

The SSH key command tells your system that you want to open an encrypted Secure Shell connection. {user}  represents the account you want to access. For example, you might want to access the user  root , which basically stands for system administrator with full rights to modify everything on the system. {host}  refers to the computer you want to access. This can be an IP address  (eg  or a domain name (eg

When you press Enter, you will be prompted to enter the password for the requested account. When you enter it, nothing is displayed on the screen, but your password is in fact transmitted. When you are done typing, press Enter once. If your password is correct, you will be greeted with a remote terminal window.

If you want to know more about some SSH commands,  find them here .

Understand different encryption techniques

The significant advantage offered by SSH over its predecessors is the use of encryption to ensure the secure transfer of information between host and client. Host refers to the remote server you are trying to access, while  client  is the computer you use to access the host. There are three different encryption technologies used by SSH:

  1. Symmetric encryption
  2. Asymmetric encryption
  3. Hashing.

Symmetric encryption

Symmetric encryption is a form of encryption where a  secret key   is used for encryption and decryption of a message by both client and host. Indeed, anyone with the key can decrypt the transferred message.

SSH tutorial - Symmetric Encryption

Symmetric encryption is often referred to as  shared key or shared secret  encryption . There is usually only one key that is used, or sometimes a pair of keys where one key can easily be calculated using the other key.

See also  CrowdSec lands on OPNsense

Symmetric keys are used to encrypt all communication during an SSH session. The client and server derive the secret key using an agreed method, and the resulting key is never disclosed to a third party. The process of creating a symmetric key is done by a  key exchange algorithm What makes this algorithm particularly secure is the fact that the key is never transmitted between client and host. Instead, the two computers share public data and then manipulate it to independently calculate the secret key. Even if another machine captures the publicly shared data, it will not be able to calculate the key because the key exchange algorithm is not known.

Note, however, that the secret key is specific to each SSH session and is generated before client authentication. Once the key is generated, all packets that travel between the two machines must be encrypted by the private key. This includes the password typed into the console by the user, so the credentials are always protected from network packet sniffers.

There are a variety of symmetric ciphers, including but not limited to AES (Advanced Encryption Standard), CAST128, Blowfish, etc. Before establishing a secure connection, the client and a host decide which cipher to use, by publishing a list of compatible ciphers, in order of preference. The preferred cipher of the supported cyber clients on the host’s list is used as the two-way cipher.

For example, if two Ubuntu 14.04 LTS machines communicate with each other over SSH, they will use  aes128-ctr  as their default cipher.

Asymmetric encryption

Unlike symmetric encryption, asymmetric encryption uses two separate keys for encryption and decryption. These two keys are called public key  and private key . Together, these two keys form a  public-private key pair .

Asymmetric Encryption

The public key, as the name suggests, is distributed and shared openly with all parties. Although closely related to the private key in terms of functionality, the private key cannot be mathematically calculated from the public key. The relationship between the two keys is very complex: a message encrypted by a public key of a machine can only be decrypted by the private key of the same machine. This one-way relationship means that the public key cannot decrypt its own messages, nor decrypt anything encrypted by the private key.

The private key must remain private, i.e. the connection must be secure, no third party must ever know it. The strength of the whole connection is that the private key is never revealed, as it is the only component capable of decrypting messages encrypted using its own public key. Therefore, any party with the ability to decrypt publicly signed messages must possess the corresponding private key.

Contrary to popular belief, asymmetric encryption is not used to encrypt the entire SSH session. Instead, it is only used during the symmetric encryption key exchange algorithm. Before initiating a secure connection, both parties generate temporary public-private key pairs and share their respective private keys to produce the shared secret key.

See also  How to run ADB from your web browser

Once secure symmetric communication has been established, the server uses the clients public key to generate and challenge and pass authentication to the client. If the client can successfully decrypt the message, it means they have the private key required for the connection. The SSH session then begins.


One-way hashing is another form of cryptography used in Secure Shell connections. One-way-hash functions differ from the above two forms of encryption in that they are never meant to be decrypted. They generate a unique value of a fixed length for each entry, from which no clear trend can be exploited. This makes reversing virtually impossible.


It is easy to generate a cryptographic hash from a given input, but impossible to generate the hash input. This means that if a client has the correct input, it can generate the cryptographic hash and compare its value to check if it has the correct input.

SSH uses hashes to verify the authenticity of messages. This is done using HMAC, or  Hash-  based Message Authentication  C odes  This ensures that the order received is not modified in any way.

Even if the symmetric encryption algorithm is selected, an appropriate message authentication algorithm is also selected. This works similar to how encryption is selected, as explained in the section on symmetric encryption.

Each transmitted message must contain a MAC, which is calculated using the symmetric key, packet sequence number, and message content. It is sent apart from symmetrically encrypted data as the final part of the communication packet.

How SSH works with these encryption techniques

The way SSH works is that it uses a client-server model to allow authentication of two remote systems and encryption of data passing through them.

SSH runs on TCP port 22 by default (although this can be changed if needed). The host (server) listens on port 22 (or any other assigned SSH port) and listens for incoming connections. It organizes the secure connection by authenticating the client and opening the correct environment if the verification is successful.

SSH Client and Server

The client must initiate the SSH connection by initiating the TCP handshake with the server, ensuring a secure symmetric connection, checking whether the identity displayed by the server matches previous records (usually stored in an RSA keystore file), and presents the credentials required to authenticate the connection.

There are two steps to establishing a connection: first, the systems must agree on encryption standards to protect future communications, and second, the user must authenticate. If the credentials match, the user is granted access.

Session encryption negotiation

When a client attempts to connect to the server via TCP, the server presents the encryption protocols and respective versions it supports. If the client has a matching protocol and version pair, an agreement is reached and the connection begins with the accepted protocol. The server also uses an asymmetric public key that the client can use to verify the authenticity of the host.

Once this is established, both parties use what is called a  Diffie-Hellman key exchange algorithm  to create a symmetric key. This algorithm allows the client and the server to arrive at a shared encryption key which will now be used to encrypt the entire communication session.

See also  6 Free Screen Sharing and Remote Access Software

Here’s how the algorithm works at a very basic level:

  1. Client and server agree on a very large prime number, which of course has no common factor. This prime number value is also called  the seed value .
  2. Then both parties agree on a common encryption mechanism to generate another set of values ​​by manipulating the seed values ​​in a specific algorithmic way. These mechanisms, also called encryption generators, perform large operations on seed values. An example of such a generator is AES (Advanced Encryption Standard).
  3. The two parts independently generate another prime number. This is used as the secret private key for the interaction.
  4. This newly generated private key, together with the shared number and the encryption algorithm (eg AES), is used to calculate a public key which is distributed to the other computer.
  5. The parties then use their own private key, the other machine’s shared public key, and the original prime number to create a final shared key. This key is calculated independently by both computers, but will create the same encryption key on both sides.
  6. Now that both sides have a shared key, they can symmetrically encrypt the entire SSH session. The same key can be used to encrypt and decrypt messages (read: section on symmetric encryption).

Now that the symmetrically encrypted secure session has been established, the user must be authenticated.

User authentication

The final phase before the user has access to the server is authenticating their credentials. For this, most SSH users use a password. The user is prompted for the username, followed by the password. These credentials pass securely through the symmetrically encrypted tunnel, so it has no chance of being captured by a third party.

Although the passwords are encrypted, it is still not recommended to use passwords for secure connections. This is because many bots can simply force easy passwords, or default passwords, and gain access to your account. Instead, the recommended alternative is SSH Key Pairs.

It is a set of asymmetric keys used to authenticate the user without having to enter a password.


Getting a thorough understanding of the underlying workings of SSH can help users understand the security aspects of this technology. Most people consider this process extremely complex and incomprehensible, but it is much simpler than most people think. If you’re wondering how long it takes for a computer to calculate a hash and authenticate a user, it happens in less than a second. In fact, most of the time is spent transferring data over the internet.

I hope this SSH tutorial has helped you see how different technologies can be brought together to create a solid system where each mechanism has a very important role to play. Also, now you know why Telnet became a thing of the past when SSH arrived.

5/5 - (1 vote)

Tagged in:

About the Author

SAKHRI Mohamed

Founder & Editor

Passionate about the web, new technologies and IT, I share on tutorials, tips, advice, online tools and software for Windows, Mac and Linux. I'm the founder of this blog and I'm very interested in anything to do with technology, but I also love playing games. I was born in Constantine, but now I live in Algiers/Algeria

View All Articles