Introduction
SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. It provides secure authentication, encrypted data transmission, and is essential for system administration, DevOps, and secure communications.
This comprehensive guide covers SSH protocol mechanics, key authentication, port forwarding, and security best practices.
What is SSH?
SSH provides secure encrypted communication between two untrusted hosts over an insecure network. It has largely replaced telnet, rsh, and other remote access protocols.
Key Features
- Encryption: All data is encrypted.
- Authentication: Multiple methods (password, keys, MFA).
- Integrity: Data integrity verification.
- Port Forwarding: Tunnel TCP traffic.
- File Transfer: SFTP and SCP.
Protocol Versions
| Version | Year | Status |
|---|---|---|
| SSH-1 | 1995 | Deprecated (vulnerabilities) |
| SSH-2 | 1998 | Current standard |
| SSH-1.99 | 1999 | Legacy compatibility |
Connection Flow
SSH-2 Handshake
```text
Client                                          Server
|                                                    |
|-------- SSH Version String ----------------------->|
|<------- SSH Version String ------------------------|
|                                                    |
|-------- Key Exchange Init ------------------------>|
|<------- Key Exchange Init -------------------------|
|                                                    |
|====== Diffie-Hellman Key Exchange =================|
|                                                    |
|-------- NEWKEYS ---------------------------------->|
|<------- NEWKEYS -----------------------------------|
|                                                    |
|-------- SERVICE REQUEST -------------------------->|
|<------- SERVICE ACCEPT ----------------------------|
|                                                    |
|================== AUTHENTICATION ==================|
|                                                    |
|-------- CHANNEL OPEN ----------------------------->|
|<------- CHANNEL OPEN CONFIRM ----------------------|
|                                                    |
|=================== SHELL/SESSION ==================|
```
Key Exchange
Algorithm Exchange
```bash
# List the algorithms this OpenSSH build supports
ssh -Q kex      # key exchange
ssh -Q cipher   # symmetric ciphers
ssh -Q mac      # message authentication codes
ssh -Q key      # public key / host key types
```
Curve25519
Curve25519 (`curve25519-sha256`) is the modern key-exchange choice: it is recommended for all new deployments, is faster than ECDH over P-256, and provides a 128-bit security level.
Algorithm Priority
```text
# /etc/ssh/sshd_config
# Listed in order of preference; the server picks the first one the client also offers
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
```
Authentication Methods
Password Authentication
```bash
# Basic; the password travels inside the encrypted channel
# Less secure than keys (guessable, brute-forceable)
# Enable in /etc/ssh/sshd_config
PasswordAuthentication yes

# Connect
ssh user@server
```
Public Key Authentication
```bash
# Generate key pair
ssh-keygen -t ed25519 -C "user@host"

# Copy the public key to the server
ssh-copy-id user@server

# Or manually
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```
SSH Certificates
```bash
# Create CA key
ssh-keygen -f ca -C "SSH CA"

# Sign user key (-I: certificate identity, -n: principals the cert is valid for)
ssh-keygen -s ca -I "user@host" -n username id_ed25519.pub

# Sign host key (-h marks it as a host certificate; -n restricts it to the named host,
# without -n the certificate is accepted for any hostname)
ssh-keygen -s ca -h -I "server@host" -n server.example.com ssh_host_ed25519_key.pub
```
MFA/2FA
```text
# Install the Google Authenticator PAM module, then:

# /etc/pam.d/sshd
auth required pam_google_authenticator.so

# /etc/ssh/sshd_config
UsePAM yes
# ChallengeResponseAuthentication is the legacy alias of KbdInteractiveAuthentication
ChallengeResponseAuthentication yes
AuthenticationMethods password,keyboard-interactive
```
Port Forwarding
Local Port Forwarding
```bash
# Forward local 8080 to a service reachable from the jump server
ssh -L 8080:internal-service:80 user@jump-server

# Syntax: -L [bind_address:]local_port:remote_host:remote_port
```
Remote Port Forwarding
```bash
# Allow the remote host to reach a local service
ssh -R 8080:localhost:80 user@remote-server

# On remote-server, localhost:8080 now reaches port 80 on the client
```
Dynamic Port Forwarding
```bash
# Create a SOCKS proxy on a local port
ssh -D 1080 user@server

# Configure the browser/proxy to use localhost:1080
```
SSH Tunnel
```bash
# Persistent tunnel with autossh (-M: monitor port, -f: background, -N: no command)
autossh -M 20000 -f -N -o "ServerAliveInterval=60" \
    -L 3306:localhost:3306 user@database-server
```
File Transfer
SCP
```bash
# Copy file to server
scp file.txt user@server:/path/

# Copy file from server
scp user@server:/path/file.txt ./

# Recursive copy
scp -r directory/ user@server:/path/
```
SFTP
```bash
# Interactive SFTP
sftp user@server

# Commands:
#   ls, cd, pwd, mkdir, rmdir
#   put, get, mget, mput
#   bye, exit
```
RSYNC over SSH
```bash
# Efficient file sync (only changed blocks are transferred)
rsync -avz -e ssh /local/ user@server:/remote/
```
Configuration
Client Configuration
```text
# ~/.ssh/config
Host server1
    HostName server1.example.com
    User admin
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    AddKeysToAgent yes
```
Server Configuration
```text
# /etc/ssh/sshd_config

# Disable password auth (recommended)
PasswordAuthentication no
PermitRootLogin no

# Use strong key exchange
KexAlgorithms curve25519-sha256

# Use strong ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# Use strong MACs (encrypt-then-MAC variants)
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Disable unused auth methods
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

# Rate limiting
MaxAuthTries 3
MaxSessions 10
```
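As an added example (not from the original guide), this Python script checks the effective settings printed by `sshd -T` against the baseline above. Option names are the lower-cased form `sshd -T` prints; `SAMPLE` is constructed output with two deviations, and the allowed algorithm sets are the ones listed in the configuration above.

```python
# Baseline: option -> required value (sshd -T prints option names lower-cased)
BASELINE = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
}
# Algorithm lists: everything the server offers must be in the allowed set
ALLOWED_ALGS = {
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}
MAX_AUTH_TRIES = 3

def parse_sshd_t(output):
    """Parse `sshd -T` output ("option value" per line) into a dict."""
    settings = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit_sshd_config(output):
    """Return a list of findings; an empty list means the baseline is met."""
    s = parse_sshd_t(output)
    findings = []
    for opt, want in BASELINE.items():
        if s.get(opt, "").lower() != want:
            findings.append(f"{opt} is {s.get(opt, 'unset')!r}, expected {want!r}")
    for opt, allowed in ALLOWED_ALGS.items():
        weak = [a for a in s.get(opt, "").split(",") if a and a not in allowed]
        if weak:
            findings.append(f"{opt} offers non-baseline algorithms: {','.join(weak)}")
    tries = int(s.get("maxauthtries", "6"))  # 6 is the OpenSSH default
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries is {tries}, expected <= {MAX_AUTH_TRIES}")
    return findings

# Constructed sample of `sshd -T` output: password auth left on, legacy DH group offered
SAMPLE = """passwordauthentication yes
permitrootlogin no
kerberosauthentication no
gssapiauthentication no
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
maxauthtries 3
"""
```

On a live host, run `sudo sshd -T` and pass its output to `audit_sshd_config()`; adjust `BASELINE` and `ALLOWED_ALGS` to match your own policy.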
Security Best Practices
Key Management
```bash
# Use Ed25519 keys (recommended); -a 100 hardens the passphrase KDF
ssh-keygen -t ed25519 -a 100

# Add or change the passphrase on an existing key
ssh-keygen -p -f ~/.ssh/id_ed25519

# Use ssh-agent so the passphrase is entered once per session
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
```
Access Control
```text
# /etc/ssh/sshd_config

# Limit users
AllowUsers admin deploy

# Deny specific users
DenyUsers user1 user2

# Or limit by group
AllowGroups ssh-users
```
Monitoring
```bash
# View active sessions
who

# View login history
last

# Monitor failed attempts
grep "Failed password" /var/log/auth.log
```
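The `grep` above shows the raw lines; as an added example (not from the original guide), this Python script aggregates failed sshd logins per source address and flags sources at or over a threshold, distinguishing attempts against accounts that do not exist. The lines in `SAMPLE_LOG` are constructed in the common syslog format.

```python
import re

# Matches "Failed password for root from 203.0.113.5 port 51234 ssh2" and the
# "Failed password for invalid user admin from ..." form sshd logs for unknown accounts
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\da-fA-F.:]+) port \d+"
)

def parse_failed_logins(lines):
    """Yield (ip, user, is_invalid_user) for each failed sshd login line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))

def summarize(lines, threshold=5):
    """Return {ip: {"failures", "users", "invalid_users"}} for IPs at/over threshold."""
    per_ip = {}
    for ip, user, invalid in parse_failed_logins(lines):
        entry = per_ip.setdefault(ip, {"failures": 0, "users": set(), "invalid_users": 0})
        entry["failures"] += 1
        entry["users"].add(user)
        if invalid:
            entry["invalid_users"] += 1
    return {ip: e for ip, e in per_ip.items() if e["failures"] >= threshold}

# Constructed sample: one source trying several accounts, one user who mistyped once
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Mar  3 10:00:03 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2",
    "Mar  3 10:00:04 host sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar  3 10:00:05 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2",
    "Mar  3 10:01:00 host sshd[1300]: Failed password for deploy from 198.51.100.7 port 40001 ssh2",
    "Mar  3 10:01:05 host sshd[1302]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {e['failures']} failures, {len(e['users'])} distinct users, "
              f"{e['invalid_users']} against nonexistent accounts")
```

Pipe `/var/log/auth.log` (or `journalctl -u ssh` output) into `summarize()` line by line; the `Accepted` line is deliberately ignored so successful logins are not counted.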
SSH Jump Hosts
Configuration
```text
# ~/.ssh/config
Host internal
    ProxyJump admin@jump-server
    User deploy
    # ForwardAgent exposes your agent socket to the remote host;
    # ProxyJump does not need it, so enable it only for hosts you trust
    ForwardAgent yes
```
Command Line
```bash
# Using ProxyJump (recommended)
ssh -J admin@jump-server internal-server

# Using ProxyCommand (legacy)
ssh -o ProxyCommand="ssh -W %h:%p admin@jump-server" internal-server
```
SSH Certificates in Enterprise
Certificate Authority Setup
```bash
# Create CA
ssh-keygen -f ca -C "company-ca"

# Sign user certificate (-n: principals, -V: validity period)
ssh-keygen -s ca -I "username@example.com" \
    -n username,devops \
    -V +52w \
    id_ed25519.pub

# Sign host certificate
ssh-keygen -s ca -h -I "prod-server" \
    -V +26w \
    ssh_host_ed25519_key.pub
```
Troubleshooting
Common Issues
```bash
# Connection refused
systemctl status sshd   # is the service running?
ufw status              # is the port allowed through the firewall?

# Permission denied (publickey)
chmod 700 ~/.ssh && chmod 600 ~/.ssh/id_*   # fix key permissions
# Also check ~/.ssh/authorized_keys (and its permissions) on the server

# Host key verification failed
# Remove the stale key only after confirming the host key change is legitimate
ssh-keygen -R hostname

# Connection timeout
nslookup hostname       # check DNS
ip route                # check network routes
```
Debug Mode
```bash
# Verbose output
ssh -v user@server

# More verbose
ssh -vv user@server

# Most verbose
ssh -vvv user@server
```
Conclusion
SSH remains essential for secure remote access in 2026. Its strong encryption, flexible authentication, and port forwarding capabilities make it indispensable for system administrators and developers.