Understanding SSH: How Secure Shell Works and Why It Matters

SSH Port

The default listening port for SSH, SFTP, SCP and Telnet is 22 . For NETCONF the port may be 22 or 830 . The port can be reconfigured; when changed all existing connections are terminated and the server starts listening on the new port.

SSH Protocol Operation

Connection establishment

The SSH server listens on the configured port. A client initiates a TCP connection to that port, establishing a reliable transport channel.

Version negotiation

Both sides advertise the protocol version they support (SSH‑1.x or SSH‑2.0). They agree on the highest common version; SSH‑2.0 is the modern standard and adds more authentication and key‑exchange methods.

Algorithm negotiation

Each side sends a list of supported algorithms for:

Key‑exchange (e.g., diffie‑hellman‑group14‑sha1, ecdh‑sha2‑nistp256)

Encryption (e.g., aes256‑ctr, chacha20‑poly1305)

Public‑key (e.g., rsa‑sha2‑256, ecdsa‑sha2‑nistp256)

Message authentication (HMAC) (e.g., hmac‑sha2‑256)

The first algorithm that appears in both lists for each category is selected for the session.

Key exchange

Using the agreed key‑exchange algorithm, the client and server compute a shared secret. From this secret they derive a session key (used to encrypt all subsequent traffic) and a session ID (used to bind authentication to the specific connection).

User authentication

After the encrypted channel is established, the client requests authentication. SSH supports several methods:

Password authentication – the client sends an encrypted username and password.

Public‑key authentication – the client proves possession of a private key that matches a public key stored on the server.

Password‑public‑key authentication – both password and key must succeed.

Any authentication – either password or key is sufficient.

Session request

When authentication succeeds, the client asks the server to start a specific service (e.g., a shell, exec command, or subsystem).

Session interaction

The client and server exchange data over the encrypted channel for the lifetime of the session.

Client implementations

PuTTY is a free SSH client for Windows. It can be downloaded from the official PuTTY website.

OpenSSH is the open‑source reference implementation. It is available on most Unix‑like systems and is included as an optional feature in recent Windows 10 releases.

SSH Keys and Encryption

Symmetric and asymmetric encryption

SSH combines fast symmetric encryption (using the session key) with asymmetric encryption (using a public‑private key pair) to protect data during the handshake and authentication phases.

Public‑key authentication flow

The typical password‑less login proceeds as follows:

The client generates a ssh-keygen key pair and copies the public key to ~/.ssh/authorized_keys on the server.

The client initiates a connection; the server looks up the public key for the supplied username.

The server encrypts a random challenge with the stored public key and sends it to the client.

The client decrypts the challenge using its private key and returns the result.

The server verifies the response; if it matches, authentication succeeds.