How SSH Secures Remote Access: Ports, Handshakes, and Key Authentication Explained

What is the SSH Port Number?

The default SSH port is 22 for protocols such as STelnet, SFTP, and SCP. For NETCONF the port can be 22 or 830. The port can be changed, which causes existing connections to drop and the server to listen on the new port.

How Does SSH Work?

Connection Establishment

The SSH server listens on the configured port for client connection requests. When a client initiates a connection, a TCP connection is established between client and server.

Version Negotiation

SSH has two major versions: SSH1.X (pre‑SSH2.0) and SSH2.0. SSH2.0 expands the protocol structure, supporting more authentication and key‑exchange methods, and provides greater capabilities. The client and server negotiate to agree on the final protocol version.

Algorithm Negotiation

Both sides advertise supported algorithms and negotiate the key‑exchange algorithm, the encryption algorithm for data, the public‑key algorithm for signatures, and the HMAC algorithm for integrity protection.

Key Exchange

Using the negotiated key‑exchange algorithm, the client and server dynamically generate a shared session key and a session ID, establishing an encrypted channel. The session key encrypts subsequent data, while the session ID identifies the connection during authentication.

User Authentication

The client requests authentication and the server verifies the client. SSH supports several authentication methods:

Password authentication: the client sends encrypted username and password, which the server validates.

Public‑key authentication: the client proves identity using a public‑key/private‑key pair.

Password‑public‑key authentication: both password and key are required.

All authentication: either password or key is sufficient.

Session Request

After successful authentication, the client requests a specific type of session from the server, such as a shell or command execution.

Session Interaction

Once the session is established, the client and server exchange data over the encrypted channel.

Using PuTTY and OpenSSH

PuTTY is a classic free SSH client for Windows, commonly used for remote login. The latest version can be downloaded from the official PuTTY website.

OpenSSH is the open‑source implementation of the SSH protocol, available on Unix‑like systems. Windows 10 includes OpenSSH client and server as optional features.

SSH Keys

Symmetric and Asymmetric Encryption

Encryption protects data by converting plaintext into ciphertext using keys. SSH combines symmetric and asymmetric encryption: symmetric keys encrypt the data stream, while asymmetric keys are used during key exchange and authentication. The following diagrams illustrate the processes.

Symmetric encryption uses the same key for encryption and decryption. The session key generated during the SSH handshake is a symmetric key, enabling fast encryption of large data volumes.

Asymmetric encryption relies on a key pair: a public key and a private key. The private key remains secret, while the public key can be shared. Data encrypted with the public key can only be decrypted with the corresponding private key, providing secure authentication.

SSH uses asymmetric encryption in two stages: during key exchange, both sides generate temporary key pairs to compute the shared session key; during user authentication, the server encrypts a challenge with the client’s public key, and the client proves possession of the private key by decrypting and responding.

Key Authentication

SSH supports password authentication and key‑based authentication. Key authentication uses a public‑key/private‑key pair to achieve password‑less login. The server stores the client’s public key; during login, the server encrypts a random challenge with this public key, and the client decrypts it with its private key to prove identity.

Before connecting, the client generates a public‑key/private‑key pair and places the public key on the server.

The client sends a login request; the server looks up the public key and encrypts a random number with it, sending it back.

The client decrypts the random number with its private key and returns the result.

The server verifies the response; if correct, authentication succeeds.