Master SSH: Understand Its Principles, Configuration, and Password‑less Login
This guide explains what SSH (Secure Shell) is, details its underlying handshake process, shows how to log in via the command line, outlines key server configuration options in /etc/ssh/sshd_config, and demonstrates setting up password‑less authentication with key pairs.
What is SSH
SSH (Secure Shell) is a network protocol that provides secure remote login and command execution over an insecure network. It encrypts the communication channel to protect data from eavesdropping or tampering, supports various authentication methods (password, public key, certificates), and also offers file transfer and port forwarding.
SSH Principle
The client connects to the server's SSH port (default 22) and sends a random number, a list of supported encryption algorithms, and the SSH version.
The server selects an encryption and hash algorithm, generates its public key, and sends it to the client.
The client verifies the server's public key, generates a session key, encrypts it with the server's public key, and sends it to the server.
The server decrypts the session key with its private key and validates it.
Both sides derive a new key from the session key, hash algorithm, and encryption algorithm for subsequent data encryption.
After this handshake, encrypted data transmission can begin.
SSH Login
Typical command syntax:
ssh [user]@[host] -p [port] -l [login_name]
-l specifies the login name; -p specifies a non‑default port.
[root@localhost named]# ssh 192.168.10.20
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is SHA256:KtaBKXckd5FGPVjjbVKvTH7FlTeo5/gNAXFWe9UlBlY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.20' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: ...
Server SSH Configuration
The main configuration file is /etc/ssh/sshd_config. Editing this file changes SSH behavior. Example directives:
# Bind to all interfaces; change to an internal IP if public access is not needed
ListenAddress 0.0.0.0
# Time allowed to complete authentication before the server disconnects
LoginGraceTime 2m
# Allow root login (default may be disabled)
PermitRootLogin yes
# Check ownership and permissions of .ssh files
StrictModes yes
# Maximum authentication attempts per connection
MaxAuthTries 6
# Maximum concurrent sessions per connection
MaxSessions 10
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
GatewayPorts no
ClientAliveInterval 10
ClientAliveCountMax 3
# Set to no to skip reverse DNS lookups of client addresses and speed up logins
UseDNS yes
GSSAPIAuthentication yes
# Change default port
Port 9527
Password‑less SSH Login
Generate a key pair and copy the public key to the remote host:
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
... (key generation output) ...
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
Number of keys added: 1
After copying the key, you can log in without a password:
[root@localhost ~]# ssh [email protected]
Last login: ...
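Once key-based login works, the PermitRootLogin yes and PasswordAuthentication yes lines from the Server SSH Configuration listing are the ones to revisit. The Python script below is an added example, not part of the original article: it parses sshd_config text, applies sshd's rule that the first value read for a keyword is the one used, and reports those settings. The sample config, the defaults table, the policy and the function names are assumptions made for illustration.

```python
import re

# Constructed sample that mirrors the directives shown in the article.
SAMPLE = """\
ListenAddress 0.0.0.0
PermitRootLogin yes   # Allow root login
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
# Change default port
Port 9527
PermitRootLogin no
"""

# Assumed upstream OpenSSH defaults, used when a keyword is absent (distros may differ).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "pubkeyauthentication": "yes"}

# Review policy chosen for this example: keyword -> (risky values, advice).
POLICY = {
    "permitrootlogin": ({"yes"}, "use prohibit-password or no"),
    "passwordauthentication": ({"yes"}, "set to no once key login works"),
    "permitemptypasswords": ({"yes"}, "set to no"),
    "pubkeyauthentication": ({"no"}, "set to yes so key login is possible"),
}

def effective_settings(text):
    """Global single-valued settings; sshd keeps the first value read per keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                              # blank line or keyword without value
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break                                 # conditional blocks are out of scope here
        settings.setdefault(key, value)           # first occurrence wins
    return settings

def audit(text):
    """Return (keyword, effective value, advice) for each risky setting."""
    settings = {**DEFAULTS, **effective_settings(text)}
    return [(key, settings[key], advice)
            for key, (risky, advice) in POLICY.items() if settings[key] in risky]

if __name__ == "__main__":
    for key, value, advice in audit(SAMPLE):
        print(f"{key} = {value}: {advice}")
```

In the sample, the later PermitRootLogin no line has no effect because the earlier yes is read first, which is why the script still reports root login as enabled.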
