SSH (Secure Shell)

What Is SSH

SSH (Secure Shell) is a cryptographic network protocol for securely accessing remote computers over an unsecured network. It encrypts all communication, ensuring that passwords, commands, and data cannot be intercepted by third parties.

Before SSH, protocols like Telnet and rlogin transmitted data in plaintext, leaving them vulnerable to eavesdropping. In 1995, Finnish researcher Tatu Ylönen developed SSH, which later became the de facto standard through the OpenSSH project.

Today, SSH is used for server administration, cloud infrastructure management, Git repository access, automated deployment pipelines, and more. The default port number is 22.

Public Key Authentication

The recommended SSH authentication method is public key authentication, which uses a mathematically linked pair of keys (public and private) instead of passwords.

  1. Key pair generation: Run ssh-keygen on the client to create a public/private key pair. The private key stays on the client and must never be shared.
  2. Public key registration: Add the public key to the server's ~/.ssh/authorized_keys file.
  3. Authentication process: The server sends a random challenge, the client signs it with the private key, and the server verifies the signature using the public key. The private key never travels over the network.

Password Authentication
Easy to set up but vulnerable to brute-force attacks. The password traverses the network (encrypted in transit, but decrypted on the server side).
Public Key Authentication
The private key never leaves the client, making interception useless. Brute-force attacks are virtually impossible. Adding a passphrase protects against stolen key files.

Ed25519 is the currently recommended key algorithm. RSA remains widely used but should be at least 4096 bits. DSA and ECDSA (nistp256) are deprecated due to security concerns.
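A small audit of an authorized_keys file, as an added example that is not part of the original article: it flags the key types the text above calls deprecated (ssh-dss and ecdsa-sha2-nistp256) and also reports entries that carry no restricting options such as from= or command=. The sample file is constructed and its key blobs are placeholders, not real keys; RSA key length is not checked because that would require decoding the blob.

```shell
#!/bin/sh
# Added example (not from the original article): audit an authorized_keys
# file for the key algorithms the article calls deprecated (ssh-dss,
# ecdsa-sha2-nistp256) and for entries that carry no restricting options.
# The sample file below is constructed; the key blobs are not real keys.
# Assumption: option lists contain no whitespace (quoted option values with
# spaces would need a real tokenizer).

# audit_authorized_keys FILE
# Prints one tab-separated line per key: TYPE  OPTIONS  COMMENT  VERDICT
audit_authorized_keys() {
    awk '
        /^[[:space:]]*#/ { next }              # comment line
        /^[[:space:]]*$/ { next }              # blank line
        {
            # The key type is the first field that looks like one; any
            # fields before it are the options (from=, command=, no-pty, ...).
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { t = i; break }
            if (t == 0) { printf "?\t-\t-\tUNPARSEABLE(line %d)\n", NR; next }
            opts = ""
            for (i = 1; i < t; i++) opts = opts (opts == "" ? "" : " ") $i
            comment = ""
            for (i = t + 2; i <= NF; i++) comment = comment (comment == "" ? "" : " ") $i
            if ($t == "ssh-dss" || $t == "ecdsa-sha2-nistp256") verdict = "DEPRECATED-ALGORITHM"
            else if (opts == "") verdict = "unrestricted"
            else verdict = "ok"
            printf "%s\t%s\t%s\t%s\n", $t, (opts == "" ? "-" : opts), (comment == "" ? "-" : comment), verdict
        }' "$1"
}

# count_verdict FILE VERDICT -> number of keys that received that verdict
count_verdict() {
    audit_authorized_keys "$1" | awk -F '\t' -v v="$2" '$4 == v { n++ } END { print n + 0 }'
}

# Constructed sample authorized_keys; blobs are placeholders, not real keys.
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
# constructed sample authorized_keys (blobs are placeholders, not real keys)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey alice@laptop
from="203.0.113.10",command="/usr/local/bin/deploy",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey deploy-bot
ssh-dss AAAAB3NzaC1kc3MAAACBPlaceholderNotARealKey bob@old-workstation
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPlaceholderNotARealKey carol@desk
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPlaceholderNotARealKey dave@laptop-2019
EOF

audit_authorized_keys "$SAMPLE_KEYS"
echo "deprecated algorithms: $(count_verdict "$SAMPLE_KEYS" DEPRECATED-ALGORITHM)"
echo "unrestricted keys:     $(count_verdict "$SAMPLE_KEYS" unrestricted)"
```

Run against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`. The comment column is usually the only hint of who owns a key, which is why keys of departed staff are easy to miss; the "unrestricted" verdict is informational, but automation keys (like the deploy-bot entry) benefit from a from= and command= restriction.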

Port Forwarding

SSH port forwarding (tunneling) securely routes other protocols' traffic through an encrypted SSH connection.

  • Local forwarding: Forwards connections to a local port through the SSH tunnel to a remote destination. Example: ssh -L 3306:db-server:3306 bastion connects to a database via a bastion host. Useful for reaching services behind a firewall.
  • Remote forwarding: Forwards connections to a remote port back through the tunnel to the client side. Used to expose services behind NAT to the outside.
  • Dynamic forwarding: Uses the SSH connection as a SOCKS proxy. ssh -D 1080 server routes all browser traffic through the tunnel when configured as a proxy, providing protection on public Wi-Fi.

Port forwarding is ideal when you need secure access to specific services without setting up a full VPN. Multi-hop SSH connections through bastion hosts can be configured concisely using the ProxyJump directive in ~/.ssh/config.
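The following is an added example, not code from the original article: it parses the spec given to ssh -L, reports which interface the forwarded port will listen on, and renders the equivalent ~/.ssh/config entry using ProxyJump. The host names (bastion, db-server, app.internal.example) are assumptions, and bracketed IPv6 bind addresses are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the original article): parse an "ssh -L" spec,
# say what it exposes, and render the matching ~/.ssh/config entry with
# ProxyJump. Host names are assumptions; IPv6 literals in brackets are
# not handled, to keep the parser short.

# parse_local_forward SPEC -> "bind=<addr> port=<n> host=<h> hostport=<n>"
# SPEC is port:host:hostport or bind_address:port:host:hostport.
# Sets the globals bind, port, host, hostport; returns 1 on a bad spec.
parse_local_forward() {
    old_ifs=$IFS
    set -f                       # '*' is a valid bind address; do not glob it
    IFS=:
    set -- $1
    set +f
    IFS=$old_ifs
    case $# in
        3) bind=localhost; port=$1; host=$2; hostport=$3 ;;
        4) bind=$1; port=$2; host=$3; hostport=$4 ;;
        *) echo "bad spec: expected 3 or 4 colon-separated fields" >&2; return 1 ;;
    esac
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    [ -n "$host" ] || { echo "empty destination host" >&2; return 1; }
    echo "bind=$bind port=$port host=$host hostport=$hostport"
}

# forward_exposure SPEC -> loopback | all-interfaces | address:<bind>
# Without a bind_address, ssh -L listens on loopback only, so the tunnelled
# service is reachable just from this machine. '*' or an empty bind address
# (or the -g flag) makes the listener reachable from every interface, which
# turns the tunnel into a network-wide door to the remote service.
forward_exposure() {
    parse_local_forward "$1" >/dev/null || return 1
    case $bind in
        localhost|127.0.0.1|::1) echo loopback ;;
        ''|'*'|0.0.0.0|::)       echo all-interfaces ;;
        *)                       echo "address:$bind" ;;
    esac
}

# render_ssh_config ALIAS HOSTNAME JUMPHOST SPEC -> a ~/.ssh/config Host block
# so that "ssh ALIAS" reaches HOSTNAME through JUMPHOST and opens the tunnel.
render_ssh_config() {
    parse_local_forward "$4" >/dev/null || return 1
    printf 'Host %s\n    HostName %s\n    ProxyJump %s\n    LocalForward %s:%s %s:%s\n' \
        "$1" "$2" "$3" "$bind" "$port" "$host" "$hostport"
}

for spec in 3306:db-server:3306 '*:3306:db-server:3306' 10.0.0.5:8080:intranet:80; do
    echo "ssh -L $spec bastion  ->  listener exposure: $(forward_exposure "$spec")"
done
render_ssh_config app-tunnel app.internal.example bastion 3306:db-server:3306
```

The rendered block is what ProxyJump replaces the manual two-hop command with: `ssh app-tunnel` first connects to bastion, then to app.internal.example through it, and brings the LocalForward up at the same time. Keeping the bind address on localhost is the default for a reason; widen it only when a second machine genuinely needs the tunnel.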

SCP and SFTP File Transfers

SCP (Secure Copy Protocol)
Simple one-command file copying: scp file.txt user@server:/path/. Cannot resume interrupted transfers. Since OpenSSH 9.0, SCP internally uses the SFTP protocol.
SFTP (SSH File Transfer Protocol)
Interactive file operations including directory listing, deletion, renaming, and resumable transfers. Rich GUI client support (WinSCP, FileZilla, Cyberduck). Not to be confused with FTPS (FTP over TLS).

Legacy FTP transmits passwords and file contents in plaintext. SFTP should be the default choice for all new deployments unless legacy compatibility is required.

SSH Security Best Practices

  • Disable password authentication: Set PasswordAuthentication no in /etc/ssh/sshd_config to allow only public key authentication. This alone neutralizes most brute-force attacks.
  • Disable root login: Set PermitRootLogin no and use sudo for privilege escalation after logging in as a regular user.
  • Change the default port: Moving from port 22 to a non-standard port significantly reduces automated scanning attempts, though it is not a substitute for proper authentication controls.
  • Restrict source IPs: Use firewall rules or cloud security groups to limit SSH access to known IP addresses.
  • Deploy Fail2ban: Automatically blocks IP addresses after repeated authentication failures, providing effective brute-force protection.
  • Rotate keys regularly: Periodically update SSH keys and promptly remove keys of departed employees from authorized_keys.
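To turn the first three points into a repeatable check, here is an added example (not from the original article) that reads an sshd_config the way sshd does for the global section and reports deviations from PasswordAuthentication no, PermitRootLogin no and enabled public key authentication. Both configuration files it runs against are constructed samples; the sshd defaults it assumes when a keyword is absent (PasswordAuthentication yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes, Port 22) are the current OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the original article): check an sshd_config against
# the hardening points above. Both config files below are constructed samples.
# The reader mirrors how sshd evaluates the global section: keywords are
# case-insensitive, the FIRST value given for a keyword wins, and everything
# from the first Match block onward is conditional and therefore ignored here.

# sshd_effective FILE KEYWORD -> the effective global value, or "(default)"
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }               # comment line
        /^[[:space:]]*$/ { next }               # blank line
        $1 ~ /=/ { sub(/=/, " ") }              # accept the "Keyword=value" form
        tolower($1) == "match" { exit }         # global section ends at the first Match
        tolower($1) == key { found = 1; print $2; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd_config FILE -> prints findings; exit status = number of FAIL lines
audit_sshd_config() {
    f=$1; fails=0

    pw=$(sshd_effective "$f" PasswordAuthentication)
    [ "$pw" = "(default)" ] && pw=yes                  # sshd default when unset
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication is '$pw' (want no)"; fails=$((fails + 1))
    fi

    root=$(sshd_effective "$f" PermitRootLogin)
    [ "$root" = "(default)" ] && root=prohibit-password # sshd default when unset
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '$root' (want no)"; fails=$((fails + 1))
    fi

    pk=$(sshd_effective "$f" PubkeyAuthentication)
    [ "$pk" = "(default)" ] && pk=yes                  # sshd default when unset
    if [ "$pk" = "no" ]; then
        echo "FAIL PubkeyAuthentication is 'no' (key authentication disabled)"; fails=$((fails + 1))
    fi

    port=$(sshd_effective "$f" Port)
    [ "$port" = "(default)" ] && port=22
    if [ "$port" = "22" ]; then
        echo "INFO Port is 22 (moving it only reduces scanner noise; not counted)"
    fi

    return "$fails"
}

# Constructed samples: one permissive, one hardened as described above.
WEAK_SSHD=$(mktemp); HARDENED_SSHD=$(mktemp)
cat > "$WEAK_SSHD" <<'EOF'
# constructed sample: a permissive configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
cat > "$HARDENED_SSHD" <<'EOF'
# constructed sample: hardened configuration
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# the line below is ignored by sshd: the first value above wins
PasswordAuthentication yes
# anything inside a Match block is conditional, not global
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

for f in "$WEAK_SSHD" "$HARDENED_SSHD"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "findings: 0"; else echo "findings: $?"; fi
done
```

On a real host, run `audit_sshd_config /etc/ssh/sshd_config` and remember that `sshd -T` prints the fully resolved configuration, including defaults and Include files, which this reader does not follow. The duplicated PasswordAuthentication line in the hardened sample is there to show the first-value-wins rule: a hardening line appended at the bottom of a file that still says "yes" near the top does nothing.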

Common Misconceptions

SSH is only for system administrators
Developers use SSH for Git access (git@github.com:...), CI/CD pipelines use it for deployment, and data scientists use it to connect to remote GPU servers. SSH is a daily tool for virtually anyone working in IT.
Changing the SSH port makes you secure
Port changes reduce automated scanning but are easily discovered through port scans. Proper security requires disabling password authentication, enforcing public key auth, and restricting source IPs.
SSH keys last forever once created
Keys should be rotated periodically. Risks include forgotten removal of departed employees' keys, potential private key leaks, and algorithm obsolescence.