Home » Blog » What is Secure Shell (SSH) and how does it work?

What is Secure Shell (SSH) and how does it work?

Secure Shell (SSH) is a network protocol used to securely communicate in an unsecured network.

SSH is the protocol that most people choose to use for remote login and tunneling. There are many client applications available in different operating systems, such as:

Notice that for you to connect via SSH to another computer, the remote computer needs to have the SSH server installed.

As a security measure, remember to always verify the installer’s signature before installing software on your computer. Find the guide on how to verify the signature, and as a rule of thumb don’t install any software that you cannot verify.

Table of Contents

A deep loop into the SSH protocol

The SSH protocol is divided into three other protocols:

  • Transport layer protocol.
  • User authentication protocol.
  • Connection protocol.

These three protocols usually run on top of TCP.

The transport layer protocol provides user authentication, data confidentiality, and data integrity. The last two are part of the CIA triad.

The user authentication protocol is used to authenticate a user on a server. For this task, the server must process a private/public key pair. The server can use several asymmetric algorithms for authentication. One host can have multiple keys and several hosts can share the same key.

As a practical example, think about a person who has two GitHub accounts, one for personal projects and the other one for company projects. Usually, there have to be two sets of private/public keys so the person can authenticate on GitHub depending on what type of project is working on.

On the other hand, a person can have multiple computers, so when it connects to GitHub from different computers, should use the same key pair.

The connection protocol handles multiple logical communications channels using one SSH connection.

The first part of the information exchange happens when a TCP connection is established. After this, the client and server negotiate what encryption algorithm they are going to use. When they finish the negotiation, they encrypt all data, except the Message Authentication Code (MAC). You can read more about MACs using this link.

SSH encryption algorithms

The algorithms are defined in the specification for the SSH transport layer protocol:

  • 3des-cbc, REQUIRED, three-key 3DES in CBC mode
  • blowfish-cbc, OPTIONAL, Blowfish in CBC mode
  • twofish256-cbc, OPTIONAL, Twofish in CBC mode, with a 256-bit key
  • twofish-cbc, OPTIONAL, alias for “twofish256-cbc”
  • twofish192-cbc, OPTIONAL, Twofish with a 192-bit key
  • twofish128-cbc, OPTIONAL, Twofish with a 128-bit key
  • aes256-cbc, OPTIONAL, AES in CBC mode, with a 256-bit key
  • aes192-cbc, OPTIONAL, AES with a 192-bit key
  • aes128-cbc, RECOMMENDED, AES with a 128-bit key
  • serpent256-cbc, OPTIONAL, Serpent in CBC mode, with a 256-bit key
  • serpent192-cbc, OPTIONAL, Serpent with a 192-bit key
  • serpent128-cbc, OPTIONAL, Serpent with a 128-bit key
  • arcfour, OPTIONAL, the ARCFOUR stream cipher with a 128-bit key
  • idea-cbc, OPTIONAL, IDEA in CBC mode
  • cast128-cbc, OPTIONAL, CAST-128 in CBC mode

Notice some of the ciphers are required, while others are optional and recommended.

Now is the time for the key exchange.

SSH key exchange algorithms

Key exchange is an important aspect of asymmetric cryptography.

The specification has two required methods for key exchange:

  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1

The two methods are described here.

You can also read about What is the Diffie-Hellman Key exchange? In the previous link, you will find detailed information on how the key is exchanged between two parties.

Lastly, after a service request, all information is protected by an encryption algorithm and a Message Authentication Code.

Port forwarding, a.k.a. SSH tunneling, is another use of SSH. This consist of converting an unsecured TCP connection to a secured SSH connection. SSH is configured in such a way that, when a client sends traffic using a certain port, that traffic is redirected to an SSH connection.  In that way, the data is transferred using a secured channel, the SSH tunnel. This one is a great application of SSH allowing us to easily secure communications.

SSH application example

If you are a software developer, you probably have a GitHub account and used SSH to connect to GitHub.

If not, you should know that you can establish a secured connection to GitHub (and other platforms) using SSH.

You can see a guide on how to connect to GitHub using SSH here.

I just will give here the main steps that you have to take:

  • First, check for SSH keys. You can use this command in Linux and Mac: ls -al ~/.ssh
  • If you still don’t have any SSH keys, you can generate one. You can use this command in Linux and Mac: $ ssh-keygen -t ed25519 -C your_email@example.com. You must use your GitHub email address after the ‘-C’ option. And ed25519 is the algorithm you want to use, there are also other algorithms available. For a list of all the options and the algorithms available you can use the command “ssh-keygen –help”.
  • Add the key to the ssh-agent.
  • Test the SSH connection.


Is SSH still used?

Yes! network administrators commonly use SSH to remotely connect to servers.


No! SSH is not a VPN. Using a VPN encrypts all the traffic. Using SSH encrypts specific application traffic. Read more details about a VPN and the protocols it implements in this post.

Is SSH safe over public WIFI?

Yes, it is safe. Just make sure that you have the right keys in place, to avoid the MITM attack.

What is SSH used for?

We can use SSH to have a secured connection in an unsecured network.