Most developers use SSH every day:
ssh user@server
…but very few know what's actually happening under the hood.
Let's break it down.
1. TCP Connection
Everything starts with a basic TCP connection between client and server.
At this stage:
- No encryption yet
- Just a raw connection
2. Negotiation Phase
The client and server exchange:
- SSH protocol versions
- Supported encryption algorithms
- Key exchange methods
They agree on a secure configuration before continuing.
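As an added example (not code from the post), here is what that negotiation looks like on the wire: the SSH_MSG_KEXINIT message both sides send is built and parsed in its RFC 4253 wire format, and the selection rule (first entry in the client's list that the server also offers, or failure) is applied to constructed client and server preference lists; the host-key compatibility clause of the kex rule is left out for brevity.

```python
# Added example (not from the post): build, parse and negotiate the
# SSH_MSG_KEXINIT message exchanged in the negotiation phase (RFC 4253 7.1).
import struct
SSH_MSG_KEXINIT = 20        # message id of KEXINIT
COOKIE = bytes(range(16))   # constructed; a real peer sends 16 random bytes
# The ten name-lists a KEXINIT carries, in wire order.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(prefs):
    """Serialise {field: [names]} into a KEXINIT payload."""
    out = bytes([SSH_MSG_KEXINIT]) + COOKIE
    for f in FIELDS:
        names = ",".join(prefs.get(f, [])).encode()
        out += struct.pack(">I", len(names)) + names    # name-list = uint32 length + text
    return out + b"\x00" + struct.pack(">I", 0)         # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload back into {field: [names]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, prefs = 17, {}                                 # skip message id and 16-byte cookie
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        prefs[f] = raw.split(",") if raw else []
        pos += 4 + n
    return prefs

def negotiate(client, server):
    """RFC 4253 rule (simplified): the first entry in the client's list that the
    server also offers wins; an empty intersection means the connection fails."""
    chosen = {}
    for f in FIELDS[:8]:                                # language lists are informational
        match = next((a for a in client[f] if a in server[f]), None)
        if match is None:
            raise ValueError(f"no common algorithm for {f}")
        chosen[f] = match
    return chosen

def demo():
    """Constructed preferences, round-tripped through the wire format, then negotiated."""
    aead = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"]
    client = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
              "host_key": ["ssh-ed25519", "rsa-sha2-512"], "enc_c2s": aead, "enc_s2c": aead,
              "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
              "comp_c2s": ["none"], "comp_s2c": ["none"]}
    server = dict(client, kex=["diffie-hellman-group14-sha256", "curve25519-sha256"],
                  enc_c2s=aead[::-1], enc_s2c=aead[::-1], host_key=["rsa-sha2-512"])
    return negotiate(parse_kexinit(build_kexinit(client)), parse_kexinit(build_kexinit(server)))
```

Note that the client's ordering decides the outcome, which is why a client configured to prefer weak algorithms gets them even from a server that also offers strong ones.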
3. Session Key Generation
SSH uses a key exchange algorithm (e.g. Diffie-Hellman) to generate a shared session key.
Client -------- Key Exchange -------- Server
-> shared secret key <-
This session key is used for encrypting all communication.
4. Authentication (Public Key)
If you're using SSH keys:
Generate an SSH key pair:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Copy the public key to the server:
ssh-copy-id user@server
Or manually:
cat ~/.ssh/id_rsa.pub
Paste the output into this file on the server:
~/.ssh/authorized_keys
The server checks whether your public key exists there.
5. Verification
The server sends an encrypted challenge.
The client decrypts it using its private key.
If successful, authentication is complete.
6. Encrypted Communication
Now everything is encrypted using the session key:
- Commands
- Responses
- Data
Example:
ls -la
Sent encrypted -> executed -> returned encrypted
7. Command Execution Flow
Client -> (encrypted command) -> Server
Server -> (execute command)
Server -> (encrypted response) -> Client
Client -> (decrypt response)
Bonus: SSH Tunneling (Port Forwarding)
SSH can create secure tunnels.
Example:
ssh -L 3000:localhost:5432 user@remote-server
Now you can connect to the remote DB via the address below (note that "localhost:5432" in the -L option is resolved on the remote server, so the tunnel ends at the database listening there):
localhost:3000
Why SSH Is So Powerful
- Uses asymmetric cryptography (public/private keys)
- Establishes a fast symmetric session key
- Protects against eavesdropping and MITM attacks (the MITM protection relies on the client verifying the server's host key)
Best Practices
# Disable password authentication (server-side, in sshd_config)
PasswordAuthentication no
# Set correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
# Use SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
Question
Do you use password authentication or SSH keys in your setup?