Understanding SSH: Ports, Workflow, and Key Authentication Explained
This article explains the SSH protocol, covering its default port, the step‑by‑step process of establishing a secure connection, the role of symmetric and asymmetric encryption, and how password and public‑key authentication work with tools like PuTTY and OpenSSH.
SSH (Secure Shell) is a network security protocol that provides encrypted and authenticated remote login, file transfer, and other services, replacing insecure protocols like Telnet and FTP.
What is the SSH Port Number?
The default port is 22 for SSH and for services that run over it, such as SFTP and SCP; NETCONF can use 22 or 830. The port can be changed; when it is, existing connections drop and the server listens on the new port.
How Does SSH Work?
SSH consists of a client and a server. Establishing a secure SSH channel involves several stages:
Connection Establishment
The server listens on the configured port, and the client initiates a TCP connection.
Version Negotiation
SSH supports SSH‑1.x and SSH‑2.0. The client and server negotiate the protocol version, with SSH‑2.0 offering more authentication and key‑exchange methods.
Algorithm Negotiation
Both sides agree on a key‑exchange algorithm, an encryption algorithm, a public‑key algorithm, and an HMAC algorithm for data integrity.
Key Exchange
Using the agreed key‑exchange algorithm, the client and server generate a shared session key and session ID, establishing an encrypted channel.
User Authentication
The client requests authentication; SSH supports password, public‑key, password‑public‑key, and “any” (either password or key) methods.
Session Request
After successful authentication, the client requests a specific service, establishing a session.
Session Interaction
The client and server exchange data within the established session.
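The Version Negotiation and Algorithm Negotiation stages above can be traced with a short simulation; this is an added example, not code from the original article or from any SSH implementation. The banners and algorithm lists are constructed sample data, and the first-match rule from RFC 4253 is applied to every category, which simplifies the extra compatibility conditions the RFC places on key exchange.

```python
import re

# RFC 4253 section 4.2 format: SSH-protoversion-softwareversion [SP comments]
_IDENT = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

def parse_ident(line):
    """Return (protoversion, software) from an SSH identification string."""
    m = _IDENT.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group(1), m.group(2)

def negotiate_version(client_line, server_line):
    """Agree on SSH-2.0, refusing a peer that only speaks SSH-1.x."""
    for side, line in (("client", client_line), ("server", server_line)):
        proto, _ = parse_ident(line)
        # "1.99" is how a server advertises 2.0 plus legacy 1.x compatibility.
        if proto not in ("2.0", "1.99"):
            raise ValueError("%s only offers SSH-%s" % (side, proto))
    return "2.0"

def negotiate_algorithms(client, server):
    """Per category, pick the first client preference the server also lists."""
    chosen = {}
    for category, prefs in client.items():
        common = [a for a in prefs if a in server.get(category, [])]
        if not common:
            raise ValueError("no common %s algorithm" % category)
        chosen[category] = common[0]
    return chosen

# Constructed sample data: hypothetical banners and preference lists.
CLIENT_BANNER = "SSH-2.0-ExampleClient_1.0\r\n"
SERVER_BANNER = "SSH-1.99-ExampleServer_2.3 legacy-compatible\r\n"
CLIENT_ALGS = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}
SERVER_ALGS = {
    "kex": ["diffie-hellman-group14-sha256", "curve25519-sha256"],
    "host_key": ["rsa-sha2-256"],
    "cipher": ["aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
}

if __name__ == "__main__":
    print(negotiate_version(CLIENT_BANNER, SERVER_BANNER))
    print(negotiate_algorithms(CLIENT_ALGS, SERVER_ALGS))
```

The client's ordering decides the outcome: the server lists `hmac-sha1` first, but `hmac-sha2-256` is chosen because the client prefers it, so removing weak algorithms from both sides' lists is what keeps them from being selected.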
Using PuTTY and OpenSSH
PuTTY is a free SSH client for Windows, while OpenSSH is the open‑source implementation available on Unix‑like systems and included in Windows 10 as an optional feature.
SSH Keys
Symmetric and Asymmetric Encryption
SSH combines symmetric encryption for fast data transfer with asymmetric encryption for secure key exchange and authentication. Symmetric keys encrypt and decrypt data using the same secret, while asymmetric keys use a public‑private pair.
Key Authentication
SSH supports password and public‑key authentication. Public‑key authentication uses a client‑generated key pair; the public key is stored on the server, and the server encrypts a challenge with it. The client decrypts the challenge with its private key and returns the result, proving its identity.
Generate a public‑key/private‑key pair on the client and place the public key on the server.
The client sends a login request; the server encrypts a random number with the stored public key and sends it back.
The client decrypts the number with its private key and returns it.
The server verifies the response; if correct, authentication succeeds.
