What is SSH?

Table of Contents

    Cybersecurity 101 Categories

    Access Control

    48 Posts

    Application Security

    17 Posts

    Authentication

    73 Posts

    Compliance

    9 Posts

    Cyber Threats

    61 Posts

    Endpoint Security

    11 Posts

    General Security

    33 Posts

    IoT Security

    17 Posts

    Network Security

    51 Posts

    Networking

    28 Posts

    Zero Trust

    27 Posts
    Back to Cybersecurity Center

    What is SSH and How Does It Work?

    SSH, or Secure Shell, is a cryptographic network protocol that allows secure communication between devices over an unsecured network. Originally developed as a replacement for insecure login protocols like Telnet, SSH provides a secure channel through which users can log into another computer, transfer files, or run commands remotely—all while protecting data from eavesdropping, spoofing, or tampering.

    How SSH Works

    At its core, SSH uses public-key cryptography to authenticate the remote computer and optionally allow the remote computer to authenticate the user. When a user initiates an SSH connection, the SSH client (usually from their local machine) requests a secure session with the SSH server (typically on the remote machine).

    There are two primary layers in the SSH protocol:

    1. Transport Layer – Establishes a secure and encrypted channel over an insecure network.

    2. Authentication Layer – Authenticates the client to the server using credentials such as passwords or cryptographic keys.

    The encryption ensures that any intercepted data is unreadable to attackers. Common encryption algorithms used include AES, Blowfish, and ChaCha20.

    Key Features of SSH

    • Encryption: Ensures all data transmitted between the client and server is unreadable to anyone else.

    • Authentication: Can be done using passwords or, more securely, SSH keys.

    • Integrity: Uses hashing algorithms like SHA-2 to verify that data hasn’t been tampered with.

    • Compression: Optional data compression helps improve performance over slow networks.

    SSH Sessions and Ports

    By default, SSH operates on port 22, though this can be changed for added security through a configuration file (sshd_config). Once a session is established, users can:

    • Access shell prompts remotely

    • Execute commands as if they were local

    • Securely transfer files using tools like SCP or SFTP

    Real-World Applications

    • System administration: Sysadmins use SSH to manage remote servers without being physically present.

    • Development workflows: Developers use SSH to push/pull code from Git repositories, such as GitHub.

    • Tunneling and port forwarding: SSH allows secure access to internal systems behind firewalls.

    Conclusion

    SSH is a foundational tool in modern IT and cybersecurity practices. Whether you’re a developer deploying code or a system administrator managing fleets of servers, understanding how SSH works—and how it protects communication—is essential for secure operations. It replaces older, insecure protocols and offers a scalable, flexible solution for secure remote access.

    How Do I Generate SSH Keys and Set Up Key-Based Authentication?

    SSH key-based authentication is a secure and convenient way to log into remote systems without using passwords. Instead of relying on credentials that can be guessed or stolen, SSH keys provide cryptographic proof of identity. This setup is commonly used by developers, system administrators, and cloud engineers for secure remote access.

    What Are SSH Keys?

    SSH keys come in pairs:

    • Private key: Stored on your local machine and kept secret.

    • Public key: Uploaded to the remote server.

    The private key acts as your identity. When you attempt to connect to a remote system, the SSH protocol verifies that your private key matches the corresponding public key on the server.

    Step-by-Step: Generating SSH Keys

    To generate an SSH key pair on most Unix-like systems (including macOS and Linux), open your terminal and run:

    bash
    ssh-keygen -t rsa -b 4096 -C "[email protected]"

    Here’s what each flag means:

    • -t rsa: Specifies the key type (RSA). You can also use ed25519, which is newer and faster.

    • -b 4096: Sets the key size (bits). Larger = more secure.

    • -C: Adds a comment to identify the key.

    You’ll then be prompted to choose a location to save the key:

    • Default path: ~/.ssh/id_rsa

    • Also prompted for a passphrase (optional, but recommended for extra security)

    This command creates two files:

    • id_rsa (private key)

    • id_rsa.pub (public key)

    Copying the Public Key to the Server

    To use key-based authentication, you must copy the public key to the remote server. This can be done manually or with the ssh-copy-id command:

    bash
    ssh-copy-id user@remote-host

    Alternatively, you can manually copy the public key to the server’s ~/.ssh/authorized_keys file:

    bash
    cat ~/.ssh/id_rsa.pub | ssh user@remote-host 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

    Ensure that the .ssh directory and authorized_keys file have the correct permissions:

    bash
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

    Logging In with Your SSH Key

    Once your public key is in place, connect to the server with:

    bash
    ssh user@remote-host

    If everything is set up correctly, you won’t be asked for a password—only a passphrase if you set one.

    Security Tips

    • Use a passphrase: Adds a layer of security if your private key is stolen.

    • Don’t share your private key: Ever.

    • Use key agents: ssh-agent can store your passphrase securely during a session.

    • Disable password login: After setting up SSH keys, you can harden security by disallowing password authentication in the server’s sshd_config.

    Conclusion

    SSH key-based authentication is a powerful and secure alternative to password-based logins. Once configured, it not only improves security but also streamlines access to servers and development environments.

    What Does “Permission Denied (Publickey)” Mean and How Do I Fix It?

    Few error messages are as frustrating as:

    bash
    Permission denied (publickey)

    This cryptic message typically appears when trying to log into a remote server using SSH key authentication—and it fails. The server is expecting an authorized public key, but something’s wrong: the client hasn’t presented a matching private key, or the server can’t verify it. Let’s break down what this means and how to troubleshoot it effectively.

    What This Error Really Means

    The error indicates that:

    • Password authentication is disabled (or not attempted).

    • The server only allows authentication via public key.

    • The client either isn’t offering a key or the offered key doesn’t match the server’s expectations.

    In short, SSH says: “I looked for your key, didn’t find a match, and now I’m locking the door.”

    Common Causes and Fixes

    1. Your SSH Agent Isn’t Loaded with the Right Key

    The SSH agent manages private keys during your session. If it’s not loaded, your key won’t be offered.

    Fix:

    bash
    ssh-add ~/.ssh/id_rsa

    Check loaded keys:

    bash
    ssh-add -l

    2. Wrong File Permissions

    SSH is picky about security. If the key or directory permissions are too open, it will reject the connection.

    Fix:

    bash
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

    3. Wrong Username

    SSH won’t magically know if you’re trying to log in as the wrong user.

    Fix: Explicitly specify the correct user:

    bash
    ssh correct-user@hostname

    4. Public Key Not on the Server

    Maybe the key never made it, or you copied the private key instead of the public one.

    Fix: Re-copy the public key:

    bash
    ssh-copy-id user@host

    Or manually:

    bash
    cat ~/.ssh/id_rsa.pub | ssh user@host 'cat >> ~/.ssh/authorized_keys'

    5. Server Not Looking in the Right Place

    The server’s SSH configuration might not be pointing to the right authorized_keys file.

    Fix: Check the file path and permissions. Also review /etc/ssh/sshd_config for:

    bash
    AuthorizedKeysFile .ssh/authorized_keys

    If it’s changed or missing, SSH won’t know where to look.

    6. Private Key Missing or Named Incorrectly

    If you renamed your private key or placed it in a nonstandard location, the SSH client won’t find it.

    Fix: Specify the key explicitly:

    bash
    ssh -i ~/.ssh/custom_key user@host

    How to Debug More Verbosely

    If you’re still stuck, run:

    bash
    ssh -v user@host

    This verbose mode shows each authentication attempt and where it fails, making it easier to pinpoint the issue.

    Conclusion

    “Permission denied (publickey)” is a frustrating but solvable error. With a little investigation—checking keys, permissions, agents, and configurations—you can usually resolve it in a few minutes. And once it’s working, you’ll have secure, password-free access at your fingertips.

    How Do I Use SSH to Connect to a Remote Server or Tunnel Traffic?

    SSH is most commonly used to securely connect to remote servers, but it’s far more versatile than just a remote login tool. From secure file transfers to encrypted tunnels and even VPN-like traffic forwarding, SSH is the Swiss Army knife of network security. Let’s start with the basics and move into some of the more advanced (and surprisingly cool) tricks.

    Basic Remote Connection with SSH

    At its core, SSH allows you to connect to a remote system like this:

    bash
    ssh user@hostname

    Replace:

    • user with the remote username

    • hostname with the server’s IP address or domain name (e.g., 192.168.1.100 or myserver.com)

    If you’re using a non-default port (other than port 22), specify it with -p:

    bash
    ssh -p 2222 user@hostname

    Once authenticated, you’ll get a shell session as if you were physically at the server.

    Transferring Files Securely

    SSH also enables encrypted file transfers using:

    • SCP (Secure Copy)

    • SFTP (Secure FTP)

    Example with SCP:

    bash
    scp myfile.txt user@hostname:/remote/path/

    Example with SFTP:

    bash
    sftp user@hostname
    sftp> put myfile.txt

    SFTP is interactive, while SCP is great for scripting.

    SSH Tunneling: Port Forwarding

    Tunneling lets you forward network traffic through an encrypted SSH session. There are two common types:

    1. Local Port Forwarding

    Redirects traffic from your local machine to a destination reachable from the remote host.

    Example:

    bash
    ssh -L 8080:internal-server:80 user@bastion-host

    Now, accessing http://localhost:8080 on your local machine sends traffic securely to internal-server:80 via bastion-host.

    Use Case: Access internal web apps, databases, or services behind firewalls.

    2. Remote Port Forwarding

    Makes a local service available to the remote host.

    Example:

    bash
    ssh -R 9090:localhost:3000 user@remote-host

    This allows remote-host to access your local port 3000 via localhost:9090.

    Use Case: Letting a remote user view your local dev server or app.

    3. Dynamic Port Forwarding (SOCKS Proxy)

    Turns SSH into an encrypted proxy.

    Example:

    bash
    ssh -D 1080 user@host

    Then configure your browser or system to use a SOCKS5 proxy at localhost:1080.

    Use Case: Browse the internet securely or bypass content restrictions.

    Useful SSH Options

    • -i ~/.ssh/custom_key: Use a specific private key

    • -v: Verbose output (great for debugging)

    • -N: Don’t execute commands (useful for just forwarding)

    • -T: Disable pseudo-terminal (good for automation)

    Conclusion

    SSH is more than a tool for remote logins—it’s a powerful framework for secure communication. Whether you’re a sysadmin managing servers, a developer pushing code, or a security-minded traveler setting up a tunnel in a café, SSH gives you encrypted control, flexibility, and peace of mind. Master its features, and you’ll unlock some serious remote power.