What is Secure Shell (SSH) and How Does it Work?

What is Secure Shell (SSH) and How Does it Work?

SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network. In addition to providing secure network services, SSH refers to the suite of utilities that implement the SSH protocol.

Secure Shell provides strong password authentication and public key authentication, as well as encrypted data communications between two computers connecting over an open network, such as the internet. In addition to providing strong encryption, SSH is widely used by network administrators for managing systems and applications remotely, enabling them to log in to another computer over a network, execute commands and move files from one computer to another.

What is SSH?

SSH, or Secure Shell, is a remote administration protocol that allows users to control and modify their remote servers over the Internet through an authentication mechanism.

It provides a mechanism to authenticate a remote user, transfer input from the client to the host and relay the output back to the client. The service was created as a secure replacement for unencrypted Telnet and uses cryptographic techniques to ensure that all communications to and from the remote server happen in an encrypted manner.

The image below shows a typical SSH window. Any Linux or macOS user can SSH into their remote server directly from the terminal window. Windows users can take advantage of SSH clients such as Putty. You can execute shell commands in the same way as you would if you were physically operating the remote computer.

This SSH tutorial will cover the basics of how SSH works, along with the underlying technologies used by the SSH protocol to provide a secure method of remote access. It will cover the different layers and types of encryption used, along with the purpose of each layer.

Did you know that at Speed2Host we offer dedicated server hosting services with full ROOT and with dedicated resources?

How does SSH work?

If you use Linux or Mac, then using the SSH protocol is very easy. If you use Windows, you will need to use an SSH client to open SSH connections. The most popular SSH client is PuTTY, you can download it here.

For Mac and Linux users, go to your terminal program and follow this procedure:

The SSH command consists of 3 distinct parts:

ssh {user}@{host}

The SSH key command tells your system that you want to open an encrypted Secure Shell Connection. {user} represents the account you want to access. For example, you may want to access the root user, which is basically for the system administrator with full rights to modify anything on the system. {host} refers to the computer you want to access. This can be an IP address (e.g., or a domain name (e.g., www.mydomain.com).

When you press enter, you will be prompted to enter the password for the requested account. As you type it, nothing will appear on the screen, but your password is, in fact, being transmitted. Once you have finished typing, press enter once more. If your password is correct, you will see a remote terminal window.

Understanding the different encryption techniques

The significant advantage offered by the SSH protocol over its predecessors is the use of encryption to ensure the secure transfer of information between the host and the client. Host refers to the remote server you are trying to access, while the client is the computer you are using to access the host. There are three different encryption technologies used by SSH:

  • Symmetric encryption
  • Asymmetrical Encryption
  • Hashing

Symmetrical Cipher ( Encryption )

Symmetric encryption is a form of encryption in which a secret key is used for both encryption and decryption of a message by both the client and the host. Effectively, anyone who has the key can decrypt the message being transferred.

Symmetric encryption is often called shared key or shared secret encryption. Usually, there is only one key used, or sometimes a key pair where one key can be easily calculated with the other key.

Symmetric keys are used to encrypt all communication during an SSH session. Both the client and the server derive the secret key using an agreed method, and the resulting key is never revealed to third parties. The process of creating a symmetric key is carried out using a key exchange algorithm.

What makes this algorithm particularly secure is the fact that the key is never transmitted between the client and the host. Instead, the two machines share public data and then manipulate it to independently calculate the secret key. Even if another machine captures the publicly shared data, it will not be able to calculate the key because the key exchange algorithm is not known.

It should be noted, however, that the secret token is specific to each SSH session, and is generated prior to client authentication. Once the key is generated, all packets moving between the two machines must be encrypted by the private key. This includes the password typed into the console by the user, so the credentials are always protected from network packet snoopers.

Several symmetric ciphers exist, including, but not limited to, AES (Advanced Encryption Standard), CAST128, Blowfish, etc. Before establishing a secure connection, the client and a host decide which cipher to use, publishing a list of supported ciphers in order of preference. The preferred cipher from among those supported by the clients that is present in the host’s list is used as the bidirectional cipher.

For example, if two Ubuntu 14.04 LTS machines communicate with each other via SSH, they will use aes128-ctr as their default cipher.

Asymmetrical Encryption

Unlike symmetric encryption, asymmetric encryption uses two separate keys for encryption and decryption. These two keys are known as the public key and the private key. Together, these keys form the public-private key pair.

The public key, as the name suggests, is openly distributed and shared with all parties. While it is closely linked to the private key in terms of functionality, the private key cannot be mathematically computed from the public key. The relationship between the two keys is highly complex: a message encrypted by a machine’s public key can only be decrypted by the same machine’s private key. This one-way relationship means that the public key cannot decrypt its own messages or decrypt anything encrypted by the private key.

The private key must remain private, i.e. for the connection to be secure, no third party must know it. The strength of the entire connection lies in the fact that the private key is never revealed, since it is the only component capable of decrypting messages that were encrypted using its own public key. Therefore, any party with the ability to decrypt publicly signed messages must possess the corresponding private key.

Unlike the general perception, asymmetric encryption is not used to encrypt the entire SSH session. Instead, it is only used during the symmetric encryption key exchange algorithm. Before initiating a secure connection, both parties generate temporary public-private key pairs and share their respective private keys to produce the shared secret key.

Once a secure symmetric communication has been established, the server uses the clients’ public key to generate and challenge and transmit it to the client for authentication. If the client can successfully decrypt the message, it means that it contains the private key needed for the connection. And then the SSH session begins.


One-way hashing is another form of cryptography used in Secure Shell Connections. One-way hash functions differ from the previous two forms of encryption in that they are never intended to be decrypted. They generate a unique value of a fixed length for each entry that shows no clear trend that can be exploited. This makes them virtually impossible to reverse.

what is ssh

It is easy to generate a cryptographic hash of a given input, but impossible to generate the input hash. This means that if a client has the correct input, they can generate the cryptographic hash and compare its value to verify if they have the correct input.

SSH uses hashes to verify the authenticity of messages. This is done using HMACs, or hash-based message authentication codes. This ensures that the received command is not altered in any way.

While selecting the symmetric encryption algorithm, an appropriate message authentication algorithm is also selected. This works similarly to how the cipher is selected, as explained in the section on symmetric encryption.

Any transmitted message must contain a MAC, which is calculated using the symmetric key, the packet sequence number and the message content. It is sent outside the symmetrically encrypted data as the final section of the communications packet.

Now that you know how encryption techniques work, you may be interested in our cheap dedicated server hosting services with maximum speed and stability.

How does the SSH protocol work with these encryption techniques?

The way SSH works is by using a client-server model to allow authentication of two remote systems and encryption of data passed between them.

SSH operates on TCP port 22 by default (although this can be changed if necessary). The host (server) listens on port 22 (or any other assigned SSH port) for incoming connections. It arranges the secure connection by authenticating the client and opening the correct shell environment if the verification is successful.

what is ssh stand for

The client must initiate the SSH connection by initiating the TCP protocol with the server, ensuring a secure symmetric connection, verifying whether the identity displayed by the server matches the previous records (usually recorded in an RSA keystore file) and presents the user credentials required to authenticate the connection.

There are two stages to establishing a connection: first, both systems must agree on encryption standards to protect future communications, and second, the user must authenticate. If the credentials match, the user is granted access.

Negotiating session encryption

When a client attempts to connect to the server via TCP, the server presents the encryption protocols and the respective versions it supports. If the client has a similar protocol and version pair, an agreement is reached and the connection is initiated with the accepted protocol. The server also uses an asymmetric public key that the client can use to verify the authenticity of the host.

Once this is established, the two parties use what is known as the Diffie-Hellman Key Exchange Algorithm to create a symmetric key. This algorithm allows both the client and server to arrive at a shared encryption key that will be used going forward to encrypt the entire communication session.

Here is how the algorithm works at a very basic level:

  • Both the client and the server agree on a very large prime number, which of course has no common factor. This prime number value is also known as the seed value.
  • The two parties then agree on a common encryption mechanism to generate another set of values by manipulating the seed values in a specific algorithmic manner. These mechanisms, also known as cipher generators, perform large operations on the seed. An example of such a generator is AES (Advanced Encryption Standard).
  • Both parties independently generate another prime number. This is used as a secret private key for the interaction.
  • This newly generated private key, with the shared number and encryption algorithm (e.g., AES), is used to calculate a public key that is distributed to the other computer.
  • The parties then use their personal private key, the shared public key of the other machine, and the original prime number to create a final shared key. This key is calculated independently by both machines but will create the same encryption key on both sides.
  • Now that both parties have a shared key, they can symmetrically encrypt the entire SSH session. The same key can be used to encrypt and decrypt messages (read: section on symmetric encryption).

Now that the symmetrically secure encrypted session has been established, the user must be authenticated.

User authentication

The final step before the user is granted access to the server is to authenticate their credentials. To do this, most SSH users use a password. The user is prompted to enter the username, followed by the password. These credentials pass securely through the symmetrically encrypted tunnel, so there is no chance of them being captured by a third party.

Although passwords are encrypted, it is still not recommended to use passwords for secure connections. This is because many bots can simply perform brute force attack to crack easy or default passwords to gain access to your account. Instead, the recommended alternative is an SSH key pair.

It is a set of asymmetric keys used to authenticate the user without the need to enter a password.


Gaining an in-depth understanding of the underlying way SSH works can help users understand the security aspects of this technology. Most people consider this process extremely complex and not very understandable, but it is much simpler than most people think.

If you’re wondering how long it takes a computer to calculate a hash and authenticate a user, well, it happens in less than a second. In fact, the most time is spent transferring data over the Internet.

Hopefully, this SSH tutorial has helped you see how different technologies can be combined to create a robust system in which each mechanism has a very important role to play. Plus, now you know why Telnet became a thing of the past as soon as SSH came along.