IT Explained

SSH (Secure Shell)

What is SSH?




SSH is an acronym for Secure Shell. It is a generic term that refers to versions of the SSH protocol, for example SSH-1 and SSH-2, and to related software such as OpenSSH. While OpenSSH is often referred to as a version of SSH, it is, strictly speaking, a suite of networking utilities based on the SSH protocol.

SSH protocols specify standards for operating network services securely between untrusted hosts over unsecured networks. Communications between a client and server using SSH are encrypted, so it is ideal for use on unsecure networks.

Originally, the word shell in SSH referred to a program that processed Unix commands. Over time, the term has been increasingly applied to the user interfaces of servers that make them more user friendly to interact with. An example of another commonly used shell is Windows Command Prompt (cmd.exe), which provides access to Windows operating system tools. SSH itself is not a shell, like the Unix Bourne shell or C shell; instead, it creates a channel for running a shell on a remote computer.

SSH manages more than half the world’s web servers, on-premises and in the cloud. SSH is used to secure, configure, manage, maintain, and operate network servers, routers, firewalls, switches, operating systems, and applications. SSH protocols cover authentication, encryption, and data integrity. SSH is so popular that, like Google, it is often used as a verb, for example SSH-ing.


There are two main versions of SSH: SSH-1 and SSH-2. A fourth type of SSH, SSH-1.9, was defined in 2006. It is used to identify servers that are backwards compatible with SSH versions, specifically that a server supports SSH-2 as well as previous versions of SSH.

SSH is most commonly used by variants of Unix operating systems, for example Linux and macOS. It is also used with Microsoft Windows, for example Windows 10 uses OpenSSH as its default SSH client and SSH server.

In comparison to SSH-1, SSH-2 comes with security and feature improvements, but it is not compatible with SSH-1. One of the security improvements of SSH-2 is the use of the Diffie-Hellman key exchange, a method of exchanging cryptographic keys over a public channel like the internet. SSH-2 also introduced additional message authentication codes to improve data integrity.

Because of design flaws, SSH-1 is generally considered obsolete. Most modern systems support SSH-2.
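An added example, not part of the original page: a Python check that reads the identification line an SSH server sends on connect and reports whether it still offers the obsolete SSH-1. It follows RFC 4253, where the backward-compatibility marker described above appears as protocol version 1.99; the function name and the sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion[ SP comments] CR LF
ID_LINE = re.compile(rb"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")
MAX_LEN = 255  # maximum identification line length, including CR LF

# Constructed sample greetings (software names are made up).
SAMPLES = [b"SSH-2.0-ExampleSSH_1.0\r\n", b"SSH-1.99-ExampleSSH_1.0\r\n",
           b"SSH-1.5-ExampleSSH_0.9\r\n"]

def classify_banner(raw: bytes) -> dict:
    """Find the identification line in a server greeting and rate its version."""
    for line in raw.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue  # servers may send other lines before the version string
        if len(line) + 1 > MAX_LEN:
            return {"verdict": "malformed", "reason": "identification line too long"}
        m = ID_LINE.match(line.rstrip(b"\r"))
        if not m:
            return {"verdict": "malformed", "reason": "bad identification syntax"}
        proto = m.group(1).decode("ascii", "replace")
        software = m.group(2).decode("ascii", "replace")
        if proto == "2.0":
            verdict = "ok"            # SSH-2 only
        elif proto == "1.99":
            verdict = "ssh1-compat"   # SSH-2 server that still accepts SSH-1 clients
        elif proto.startswith("1."):
            verdict = "ssh1-only"     # obsolete protocol only
        else:
            verdict = "unknown"
        return {"verdict": verdict, "proto": proto, "software": software}
    return {"verdict": "malformed", "reason": "no SSH identification line"}

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, classify_banner(banner))
```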



SSH was developed by Tatu Ylonen, a researcher at Helsinki University of Technology, in 1995. Ylonen created the first version of the protocol after the university’s network was hacked and thousands of usernames and passwords were breached. Ylonen's goal was to develop a solution that he could use to log in remotely over the internet securely.

Ylonen first spent some time studying cryptography, the backbone of SSH. After getting SSH standardized by the Internet Engineering Task Force (IETF), he designed the SSH File Transfer Protocol (SFTP) and then founded SSH Communications Security Corporation to provide commercial support for the paid versions of SSH.

SSH was designed to replace Telnet (port 23) and FTP (port 21), and Tatu Ylonen was able to get it allocated to port 22 by the Internet Assigned Numbers Authority (IANA).

What is an SSH client?


SSH is based on a client-server architecture model. In this model, a host is any computer that is connected to a network; clients and servers are programs that run on a host.

A user uses their computer (the client) to connect to a remote computer (the server). Using a graphical user interface (GUI) or command-line tool, a user can transfer data between the client and server. Both the client and server must have SSH enabled.

The SSH client is a program on the computer that makes a request that uses SSH to connect to a remote system. For Unix-type operating systems, the SSH functionality is built-in. For non-Unix-type operating systems, there are also external clients available, for example PuTTY, EasySSH, and Cyberduck. For Windows operating systems, there are also numerous SSH clients, for example PuTTY, Solar-PuTTY, WinSCP, and MobaXterm.

Most SSH clients provide more functionality than traditional SSH command-line execution, for example the ability to run multiple sessions simultaneously, to highlight keywords across sessions, to use other connection types like Telnet, and to save credentials.

Where is SSH used?



SSH is often used in conjunction with various other internet protocols. SFTP is a secure alternative to the traditional FTP and Secure Copy (SCP) protocols that support file transfers between hosts on a network. SFTP allows fast, dynamic encryption and decryption.

Automated secure connections

In corporate environments, automated SSH connections are commonly used for encrypted file transfers and automated authentication for machine-to-machine (M2M) processes. Automated tasks include data backup and archiving, reporting, database cleanups, system backups, and network maintenance.

Manual secure connections

Businesses can use SSH tunnels to securely share files with customers.

Remote network administration

SSH enables secure logins to remote computers. It is routinely used by network administrators and webmasters to secure file transfers, automate data transfers using SSH scripts, establish VPNs, test applications, reboot systems, change file permissions, and manage user access. Most administrators routinely use an SSH client to securely access remote servers, switches, routers, virtualization platforms, and operating systems. Tasks include streaming video using SFTP, creating a single authenticated session for multiple connections, performing remote backups, connecting remote folders to a local directory, and using an encryption key for multiple accounts instead of different passwords.

Application security

Usually, TCP/IP applications use a dedicated port to communicate. With port forwarding, multiple applications can use a single port, namely port 22.

Core SSH features



To establish an SSH connection, the remote computer must run an SSH daemon (sshd), which is a program that listens for connection requests, typically on port 22, authenticates connection requests, and triggers connections.

The SSH daemon enables the encrypted exchange of data between untrusted hosts over an unsecure network using the SSH protocol. A daemon is an application that runs in the background and, like any other application, it is coded and configured to perform specific tasks for a specific application.


SSH is defined by a number of Request for Comments (RFC) publications. An RFC describes standards, protocols, and technologies that are relevant to the internet, like SSH. For example, there are standard documents for all SSH layers, SSH cryptographic algorithms, and SSH security certificates. There is also an RFC that specifies that the SSH transport layer must allow perfect forward secrecy (PFS). Perfect forward secrecy ensures that if a server’s private key is compromised, a hacker would not be able to access previously transmitted data.

SSH layers

SSH is made up of three layers: transport, user authentication, and connection layers.

The transport layer handles the encryption and decryption of the data exchanged. The transport layer also authenticates the server and establishes confidentiality and integrity.

The user authentication layer authenticates the identity of the client.

The connection layer manages channels through which data travels between authenticated parties in the data exchange process. There are channels, or data streams, for different kinds of communications, for example simultaneous connections to different remote terminals or services, or forwarded X11 sessions.

SSH encryption

The main advantage that SSH has over alternatives is the use of encryption. SSH encrypts all traffic between a client and a server while in transit. Anyone that eavesdrops on the traffic, for example by using a packet-sniffing program, will not be able to access or decrypt transmitted data.

SSH uses three encryption methods: symmetric encryption, asymmetric encryption, and hashing.

Symmetric encryption involves a secret key that is used for both the encryption and decryption of an entire SSH connection. The symmetric key is created using an agreed key exchange algorithm.

Asymmetric encryption involves two separate keys - a public-private key pair - for encryption and decryption. In an SSH session, asymmetric encryption is used to set up the symmetric encryption. In the symmetric encryption stage, the client and server produce temporary key pairs and exchange the public key in order to create the symmetric key. Asymmetric encryption is also used to authenticate the identity of the client to the server.

The hashing method converts the data being transmitted into another unique value. SSH uses hashing to verify the authenticity of messages.
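The sequence described in this section, as an added Python example that is not from the original page: both sides create temporary key pairs, combine them into the same shared secret, derive an integrity key from it, and use a keyed hash to reject altered or reordered packets. The modulus, the simplified exchange hash and all function names are assumptions for illustration, and server host-key verification is left out.

```python
import hashlib, hmac, secrets, struct

# Illustrative parameters only: the prime 2**255 - 19 is used here as a plain
# finite-field modulus. Real SSH uses the group or curve negotiated in KEXINIT.
P, G = 2**255 - 19, 2

def mpint(k: int) -> bytes:
    """SSH 'mpint' wire encoding (RFC 4251) for a positive integer."""
    body = k.to_bytes((k.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body

def ephemeral_keypair():
    private = secrets.randbelow(P - 3) + 2   # temporary, discarded after the session
    return private, pow(G, private, P)

def integrity_key(shared: int, exchange_hash: bytes, session_id: bytes, letter: bytes) -> bytes:
    """RFC 4253 section 7.2 derivation: HASH(K || H || letter || session_id)."""
    return hashlib.sha256(mpint(shared) + exchange_hash + letter + session_id).digest()

def mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """RFC 4253 section 6.4: MAC(key, sequence_number || unencrypted_packet)."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.sha256).digest()

def demo() -> dict:
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    k_client = pow(s_pub, c_priv, P)   # each side combines its own private value
    k_server = pow(c_pub, s_priv, P)   # with the other side's public value
    # Simplified stand-in for the exchange hash H; the real H also covers the
    # identification strings, the KEXINIT payloads and the server host key.
    h = hashlib.sha256(mpint(c_pub) + mpint(s_pub) + mpint(k_client)).digest()
    key_c = integrity_key(k_client, h, h, b"E")   # client-to-server integrity key
    key_s = integrity_key(k_server, h, h, b"E")   # server computes the same key
    packet = b"constructed payload"
    tag = mac(key_c, 3, packet)
    return {
        "same_secret": k_client == k_server,
        "accepted": hmac.compare_digest(tag, mac(key_s, 3, packet)),
        "tampered": hmac.compare_digest(tag, mac(key_s, 3, packet + b"!")),
        "reordered": hmac.compare_digest(tag, mac(key_s, 4, packet)),
    }

if __name__ == "__main__":
    print(demo())
```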

Tunneling and port forwarding

SSH supports port forwarding and tunneling. The terms port forwarding and tunneling are often used interchangeably. However, tunneling is a more inclusive term that describes three types of port forwarding: local port forwarding, remote port forwarding, and dynamic port forwarding.

SSH tunneling can be used to transfer unencrypted traffic on a network via an encrypted channel. For example, an encrypted SSH tunnel can be created to transmit data between an FTP server and a client even though the FTP protocol is not encrypted. SSH tunnels can also be used to access geo-restricted content and to bypass firewalls.

X11 forwarding

SSH enables X11 forwarding, which can be used when a user wants to connect to a remote server and also needs a GUI to view the application running or the data. X11 forwarding allows a user to start up a remote application and then transmit the application’s output to a local Windows machine.


Benefits of SSH


SSH was designed to replace unsecured remote shell protocols, like Telnet, FTP, rsh, rlogin, and rexec. These protocols are inherently unsecure as they exchange information, including passwords, in plaintext, which is vulnerable to security breaches. The main advantage of SSH is the use of encryption to ensure the secure transfer of information between the client and the server.

SSH allows users to execute shell commands on a remote computer in the same way as if they were sitting in front of the physical computer. Using SSH commands and scripts, administrators can view, remove, or move files, create new folders, files, and directories, and download files.

The SSH connection layer allows multiple data streams through a single TCP connection. This ability is called multiplexing and means fewer TCP connections are needed, which allows scarce resources to be shared and also reduces overhead.

The ability of SSH to use port tunneling and forwarding can be used to bypass restrictive firewalls.

SSH allows network administrators to remotely limit user access to a network.

SSH keys, instead of usernames and passwords, can be used to authenticate users that log in to a system. An SSH agent is a program that stores private keys in memory and provides authentication services. SSH keys are more difficult to hack than passwords, although the SSH authentication process is a bit more difficult to set up than using usernames and passwords. Using SSH keys mitigates the success of brute-force password attacks.

SSH tunnels are used in cloud computing to solve connectivity problems and avoid security vulnerabilities where cloud-based virtual machines are exposed directly to the internet. SSH tunnels provide a secure path over the internet and through a firewall to a virtual machine.

Drawbacks to using SSH



SSH-2 is generally considered to be secure. However, all security implementations have vulnerabilities.

SSH supports tunneling, used for example by administrators to tunnel into a network from remote locations. However, unrestricted outbound SSH transactions may result in security vulnerabilities. Tunneling may create backdoors for hackers and may also violate some security regulations like PCI and HIPAA. Inbound SSH transactions can be controlled more easily than outbound SSH transactions, for example by redirecting port 22 (SSH) connections to a specific IP address.
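One way to check a server for the forwarding exposure described above (an added Python example, not from the original page): it reads sshd_config text, applies OpenSSH's first-value-wins rule and built-in defaults, and lists every forwarding feature left enabled. The sample configuration is constructed; Include files and the DisableForwarding keyword are not handled.

```python
# Forwarding-related sshd_config keywords and their OpenSSH defaults.
DEFAULTS = {"allowtcpforwarding": "yes", "allowstreamlocalforwarding": "yes",
            "gatewayports": "no", "permittunnel": "no", "x11forwarding": "no"}

# Constructed sample configuration (not taken from any real host).
SAMPLE = """\
# managed file
Port 22
AllowTcpForwarding no
allowtcpforwarding yes
X11Forwarding yes
Match User backup
    AllowTcpForwarding local
"""

def effective_settings(config_text):
    """Return (global settings with defaults applied, Match-block overrides)."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key == "match":
            match = value                      # lines that follow apply conditionally
        elif key in DEFAULTS and match is not None:
            overrides.append((match, key, value.lower()))
        elif key in DEFAULTS:
            settings.setdefault(key, value.lower())   # first value wins
    return {**DEFAULTS, **settings}, overrides

def audit(config_text):
    """List every place where some form of forwarding is still permitted."""
    settings, overrides = effective_settings(config_text)
    findings = [f"global: {k} {v}" for k, v in sorted(settings.items()) if v != "no"]
    findings += [f"Match {m}: {k} {v}" for m, k, v in overrides if v != "no"]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```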

SSH keys – often used by users to log in instead of passwords – never expire. In large organizations, there may be hundreds of SSH keys on multiple servers. Poor SSH user key management can result in key sprawl, which could provide a backdoor for hackers. SSH tunneling may allow an attacker to use these SSH keys to bypass firewalls. However, tunneling attacks are not specific to systems that use SSH.

Some hosts may share the same key because it was preconfigured in a device. Private keys to these devices may be accessible through reverse engineering. Older, short-length keys may also allow an attacker to derive the values of private keys.
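An added Python example, not from the original page, that audits authorized_keys content for two of the problems named above: short RSA keys and the same key installed for several accounts or hosts. The host names, accounts and key entries are constructed, and the sample moduli are made-up integers rather than usable keys.

```python
import base64, hashlib, re, struct
from collections import defaultdict

KEY_RE = re.compile(r"\b(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)")

def wire_fields(blob):
    """Split an SSH wire-format blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return fields

def audit_keys(files, min_rsa_bits=2048):
    """files maps (host, account) to authorized_keys text; returns findings."""
    owners, findings = defaultdict(set), []
    for owner, text in files.items():
        for line in text.splitlines():
            m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
            if not m:
                continue
            try:
                blob = base64.b64decode(m.group(2))
            except ValueError:
                continue  # not a decodable key blob
            fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            owners[fp].add(owner)
            fields = wire_fields(blob)
            if m.group(1) == "ssh-rsa" and len(fields) == 3:  # key type, e, n
                bits = int.from_bytes(fields[2], "big").bit_length()
                if bits < min_rsa_bits:
                    findings.append(("short-rsa", fp, owner, bits))
    for fp, who in owners.items():
        if len(who) > 1:  # same public key trusted in more than one place
            findings.append(("shared-key", fp, tuple(sorted(who))))
    return findings

def sample_rsa_line(n, comment):
    """Build a CONSTRUCTED entry from a made-up modulus (not a usable key)."""
    def field(b): return struct.pack(">I", len(b)) + b
    def mpint(i): return field(i.to_bytes((i.bit_length() + 8) // 8, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

OLD = sample_rsa_line((1 << 1023) | 1, "legacy@constructed")
NEW = sample_rsa_line((1 << 2047) | 1, "deploy@constructed")
SAMPLE = {("web01", "root"): NEW, ("web02", "deploy"): "no-pty " + NEW,
          ("db01", "backup"): "# old entry\n" + OLD}
```

Calling `audit_keys(SAMPLE)` returns one short-rsa finding for the 1024-bit entry and one shared-key finding for the key present on both web hosts.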

SSH can be slow to respond to high-bandwidth commands over slow connections.

Some studies suggest that the majority of SSH security failures have been due to the mismanagement of SSH by IT departments.