How SSH Secures Remote Logins: From Basics to Practical Setup

1. First Encounter with SSH

SSH is a protocol standard designed for secure remote login and other secure network services.

SSH is only a protocol standard; many implementations exist, the most widely used being the open‑source OpenSSH.

2. How SSH Works

Why do we need SSH? Compared with telnet, ftp, etc., SSH provides security, which is achieved through encryption.

Encryption can be symmetric (same key for encryption and decryption) or asymmetric (public‑key encryption).

Symmetric encryption (secret‑key encryption)

Asymmetric encryption (public‑key encryption)

Symmetric encryption uses the same key on both client and server, but storing the key securely is difficult. Asymmetric encryption introduces a public key and a private key.

The property of the two keys: data encrypted with the public key can only be decrypted with the corresponding private key, and deriving the private key from the public key is practically impossible.

Login flow using asymmetric encryption:

1. The remote server sends its public key to the client.

2. The client encrypts the password with this public key.

3. The client sends the encrypted password to the server.

4. The server decrypts the password with its private key and validates it.

5. The server responds to the client.

The server’s private key is unique to the server, so even if the encrypted data is intercepted, it cannot be decrypted without the private key.

Potential man‑in‑the‑middle attack: an attacker could replace the server’s public key with its own, allowing decryption of the client’s data.

SSH mitigates this by verifying the server’s host key fingerprint on first connection.

<code>The authenticity of host 'ssh-server.example.com (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?
</code>

If the user answers “yes”, the host key is added to the

known_hosts

file.

Fingerprint is a short hash of the long public key, making comparison feasible.

<code>Warning: Permanently added 'ssh-server.example.com,12.18.429.21' (RSA) to the list of known hosts.
Password: (enter password)
</code>

Two authentication methods:

1. Password‑based authentication

Client must verify the server’s public key; the first‑time prompt shows the fingerprint.

2. Public‑key authentication

Client stores its public key on the server (

authorized_keys

). During login the server generates a random number R, encrypts it with the client’s public key, and sends it back. The client decrypts R, creates a digest with the session key, and the server verifies the digest.

Key generation commands:

<code>$ ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 0600 ~/.ssh/authorized_keys
</code>

Explanation of options:

-t: key type (rsa, dsa, ecdsa, …)

-P: passphrase for the private key

-f: file path for the key pair

Typical files in

~/.ssh

:

id_rsa – private key

id_rsa.pub – public key

authorized_keys – list of authorized client public keys

known_hosts – list of verified server host keys

Login commands:

<code># login as user to host
ssh user@host
# if local and remote usernames are the same
ssh host
# specify a non‑default port
ssh -p 2017 user@host
</code>

4. Summary

The article explains SSH principles (focused on remote login), the role of asymmetric encryption, and practical steps for key generation and authentication.

1. What is stored in known_hosts?

It stores the authenticated remote host’s host key.

2. When is a host key added to known_hosts?

When the client connects to a server for the first time and confirms the fingerprint.

3. Why is known_hosts needed?

It enables the client to verify the server’s identity, preventing man‑in‑the‑middle attacks.