SSH (SSH)
SSH is a secure tunnel between your computer and a remote server. It encrypts everything you type and everything the server sends back, so nobody snooping on the network can see your passwords, commands, or data. It replaced older tools like Telnet, which sent everything in plain text. If you have ever typed a command on a server that is not physically in front of you, you almost certainly used SSH.
Secure Shell (SSH), defined in RFC 4253, is a cryptographic network protocol for secure remote administration, command execution, and file transfer. It operates over TCP port 22 by default.
SSH protocol layers:
- Transport layer: negotiates encryption (AES-256-GCM, ChaCha20-Poly1305), key exchange (Curve25519, ECDH), and server authentication (host key verification)
- User authentication layer: verifies client identity via password, public key, certificate, or keyboard-interactive (MFA)
- Connection layer: multiplexes the encrypted tunnel into logical channels (shell session, port forwarding, file transfer)
Authentication methods (ordered by security):
- Public key (recommended): client holds a private key (Ed25519 or RSA 4096-bit); server holds the matching public key in ~/.ssh/authorized_keys
- Certificate-based: SSH CA signs short-lived certificates; no need to distribute public keys to every server
- Password: encrypted during transit but vulnerable to brute force; should be disabled in production
- Keyboard-interactive: supports MFA prompts (TOTP, hardware keys)
Key features:
- Port forwarding: tunnel other protocols through SSH (local, remote, and dynamic/SOCKS proxy)
- SCP/SFTP: secure file transfer over the SSH channel
- SSH agent forwarding: use local keys on remote servers without copying private keys
- ProxyJump / bastion hosts: chain SSH connections through intermediate servers
Common SSH operations
# Generate an Ed25519 key pair
$ ssh-keygen -t ed25519 -C "mokey@bytesnation.com"
# Copy public key to a server
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub user@10.0.0.5
# Connect to a server
$ ssh user@10.0.0.5
# SSH through a bastion/jump host
$ ssh -J bastion@jump.example.com user@internal-server
# Local port forward (access remote DB locally)
$ ssh -L 5432:db-server:5432 user@bastion
# Harden SSH: /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy admin

SSH is the primary tool for managing every Linux server, network device, container host, and cloud instance. GitHub, GitLab, and Bitbucket use SSH for secure Git operations. In production environments, SSH access is typically restricted to bastion/jump hosts, with key-based authentication only (passwords disabled), fail2ban blocking brute-force attempts, and audit logging of all sessions. Modern alternatives like Teleport and Boundary add session recording, SSO integration, and short-lived certificates on top of SSH. SSH port 22 is one of the most scanned ports on the internet; any server exposed to the public internet sees hundreds of brute-force login attempts per hour.
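The hardening settings above only help if sshd reads them the way the administrator intended, and sshd's parsing rules (first occurrence of a keyword wins, commented-out lines fall back to the compiled-in default, lines after a Match block are not global) make "the file contains PasswordAuthentication no" an unreliable check. The script below is an added example, not code from the original page: it audits a config file against that baseline using those rules, and assumes OpenSSH 7.0 or later defaults, the whitespace-separated `Keyword value` form, and a constructed sample config.

```shell
# Audit an sshd_config against the hardening baseline above, honouring sshd's parsing rules:
# the first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment,
# only lines before the first Match block are global, and an absent keyword takes the default.
# effective_value FILE KEYWORD -> first global value of KEYWORD (lowercased), or "" if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                 # drop comments
        tolower($1) == "match" { exit }    # stop at the first Match block
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check FILE KEYWORD EXPECTED DEFAULT -> prints a finding and returns 1 if the effective value differs
check() {
    value=$(effective_value "$1" "$2"); origin="set in file"
    if [ -z "$value" ]; then value=$4; origin="compiled-in default, keyword not set"; fi
    [ "$value" = "$3" ] && return 0
    echo "FINDING: $2 is '$value' ($origin); expected '$3'"; return 1
}

# audit_sshd_config FILE -> prints findings; exit status is the number of findings (0 = baseline met)
audit_sshd_config() {
    findings=0   # defaults below are OpenSSH's compiled-in values (assumed: OpenSSH 7.0 or later)
    check "$1" PermitRootLogin        no  prohibit-password || findings=$((findings + 1))
    check "$1" PasswordAuthentication no  yes               || findings=$((findings + 1))
    check "$1" PubkeyAuthentication   yes yes               || findings=$((findings + 1))
    check "$1" MaxAuthTries           3   6                 || findings=$((findings + 1))
    # AllowUsers has no default: absence means every local account may log in
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        echo "FINDING: AllowUsers is not set; no login allow-list is enforced"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_config PATH -> a constructed, deliberately weak config (not from any real host)
write_sample_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no   # commented out, so the default (yes) applies
MaxAuthTries 6
MaxAuthTries 3               # ignored by sshd: the first occurrence wins
AllowUsers deploy admin
Match User backup
    PasswordAuthentication no   # inside a Match block, not a global setting
EOF
}

cfg=$(mktemp); write_sample_config "$cfg"; n=0
audit_sshd_config "$cfg" || n=$?; echo "$n finding(s)"; rm -f "$cfg"   # expect 3 findings
```

On a live host, point audit_sshd_config at /etc/ssh/sshd_config; for the authoritative effective values (including Include files and Match rules) compare its output against `sshd -T`.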