View on GitHub


Harsh Kapadia's Computer Networking knowledge base.

Secure Shell (SSH)

(Back to Home)

Table of Contents


Authentication Methods

The Need for SSH

Generating Keys


Two ways in which generated SSH keys can be shared with the server:

  • Log in with a per-configured username and password and manually add the public key (or copy it over directly using something like SCP).
    • After the initial use of the password to transfer the public key to the remote server/instance, the password authentication method can be turned off in the remote server/instance settings to improve security and prevent brute force attacks, but if the user loses their private key, they permanently lose access to the remote server/instance.
  • A service pre-configures it for the user and just hands them the private key to directly connect with their remote instance.
    • Eg: AWS, GENI, etc.
    • The service obviously uses the first method to configure it for the user to reduce the hassle for them and to improve the service’s security as well, so that their infrastructure is not vulnerable due to the user’s miscalculations (if any).
    • If these pre-configured keys are lost though, then it usually results in a permanent loss.

Building Blocks of SSH

SSH uses an underlying reliable connection protocol or service over which it enables the secure communication and other services. The underlying connection protocol is almost always TCP, but other protocols like WebSocket can theoretically be used as well.

On top of TCP, SSH has three parts, namely the SSH Transport Layer Protocol, the SSH User Authentication Protocol and the SSH Connection Protocol

A SSH Connection


  • C = Client
  • S = Server
  • -> = Arrow indicating the direction of communication
  • ACK = TCP Acknowledgement flag
  • PSH = TCP Push flag


Algorithm Negotiation

Key Exchange Phase

Learn about Elliptic Curve Diffie-Hellman (ECDH).

End of Key Exchange

Subsequent Encrypted Communication

Connection Termination


(Back to Home)