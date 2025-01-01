

What is the Secure Shell (SSH) protocol?

The Secure Shell (SSH) protocol is a method for securely sending commands to a computer over an unsecured network. SSH uses cryptography to authenticate and encrypt connections between devices. SSH also allows for tunneling, or port forwarding, which is when data packets are able to cross networks that they would not otherwise be able to cross. SSH is often used for controlling servers remotely, for managing infrastructure, and for transferring files.

When traveling, the owner of a store might give their employees instructions from afar to ensure the store runs smoothly while they are gone. Similarly, SSH allows administrators to manage servers and devices from afar. Older remote management protocols like Telnet transported administrators' commands in a form that anyone could see. (Imagine if the employees put the store owner on speakerphone during a call; all the customers in the store could overhear private instructions.) Unlike Telnet, SSH is secure — hence the name Secure Shell.

What does SSH do?

Remote encrypted connections: SSH sets up a connection between a user's device and a faraway machine, often a server. It uses encryption to scramble the data that traverses the connection. An intercepting party would only find something like static — random data that means nothing unless it is decrypted. (SSH uses encryption methods that make decryption prohibitively difficult for outsiders.)

The ability to tunnel: In networking, tunneling is a method for moving traffic across a network using a protocol or path it would not ordinarily be able to use. Generic tunnels work by wrapping data packets* with additional information, called headers, so that they travel to a different destination. SSH tunnels work one level up: the SSH client accepts a TCP connection on the local machine, carries its bytes to the server inside the encrypted SSH session, and the server opens a new connection to the final destination on the client's behalf. This technique is called port forwarding and is explained in more detail below.

*All data that crosses a network is broken down into smaller chunks; these chunks are called "packets."

How does SSH work?

TCP/IP

SSH runs on top of the TCP/IP protocol suite — which much of the Internet relies upon. TCP/IP transports and delivers data packets. The use of TCP is one way that SSH is different from other tunneling protocols, some of which use the faster but less-reliable UDP instead.

Public key cryptography

SSH is "secure" because it incorporates encryption and authentication via a process called public key cryptography. Public key cryptography uses a pair of mathematically related keys: the public key, which anyone may hold, and the private key, which its owner keeps secret. Data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key. Proving the key owner's identity therefore comes down to proving possession of the private key, typically by signing a challenge that the other side verifies with the public key.

These "asymmetric" keys, so called because the two halves play different roles, also make it possible for the two sides of the connection to agree on identical, shared symmetric keys for encrypting the rest of the session. SSH does this with a key exchange (Diffie-Hellman, or its elliptic-curve variant): each side contributes a value, both compute the same secret, and each then derives separate encryption and integrity keys for each direction from that secret. The server signs a hash of the exchange with its private host key, so a client that already knows the server's public host key can tell whether it negotiated with the genuine server or with an impostor in the middle. Once this negotiation is complete, the two sides use the symmetric keys to encrypt the data they exchange.
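The following Python is an added example, not code from the original article or from any SSH implementation. It walks through the exchange described above with both sides' arithmetic visible: a Diffie-Hellman agreement, the exchange hash H of RFC 4253 section 8, and the per-direction key derivation of RFC 4253 section 7.2. The group (p = 2**255 - 19, g = 2) is an assumption chosen only so that the example runs quickly; real SSH uses the RFC 3526 MODP groups or curve25519. The version strings, KEXINIT payloads and host key blob are constructed placeholders, and the server's host key signature over H is described in a comment rather than computed.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, for illustration only): p is the
# prime 2**255 - 19 so that pow() stays fast. Real SSH uses the RFC 3526
# MODP groups or the curve25519 exchange of RFC 8731.
P = 2**255 - 19
G = 2


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:            # keep the sign bit clear: values are positive
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251 section 5)."""
    return len(b).to_bytes(4, "big") + b


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K)."""
    h = hashlib.sha256()
    for part in (ssh_string(v_c), ssh_string(v_s), ssh_string(i_c),
                 ssh_string(i_s), ssh_string(k_s), mpint(e), mpint(f), mpint(k)):
        h.update(part)
    return h.digest()


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    K2 = HASH(K || H || K1), ... and the key is K1 || K2 || ... cut to length."""
    out = hashlib.sha256(mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha256(mpint(k) + h + out).digest()
    return out[:length]


def session_keys(k: int, h: bytes, session_id: bytes) -> dict:
    """The six per-direction keys; "A".."F" are the RFC's labels."""
    return {
        "iv_c2s": derive_key(k, h, b"A", session_id, 16),
        "iv_s2c": derive_key(k, h, b"B", session_id, 16),
        "enc_c2s": derive_key(k, h, b"C", session_id, 32),
        "enc_s2c": derive_key(k, h, b"D", session_id, 32),
        "mac_c2s": derive_key(k, h, b"E", session_id, 32),
        "mac_s2c": derive_key(k, h, b"F", session_id, 32),
    }


def run_kex():
    """Both sides of a (toy) Diffie-Hellman exchange; returns the key set
    each side derived on its own, so the caller can check they agree."""
    # Constructed transcript values. In a real session these are the two
    # version strings, the two KEXINIT payloads and the server host key blob.
    v_c, v_s = b"SSH-2.0-example_client", b"SSH-2.0-example_server"
    i_c, i_s = b"KEXINIT-client-placeholder", b"KEXINIT-server-placeholder"
    k_s = b"host-key-blob-placeholder"

    x = secrets.randbelow(P - 2) + 1          # client's private exponent
    y = secrets.randbelow(P - 2) + 1          # server's private exponent
    e = pow(G, x, P)                          # client -> server: e
    f = pow(G, y, P)                          # server -> client: f

    k_client = pow(f, x, P)                   # each side computes K privately
    k_server = pow(e, y, P)
    h_client = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_client)
    h_server = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_server)
    # In real SSH the server signs h_server with its host private key and the
    # client verifies that signature against k_s before using any key below.
    # For the first exchange of a connection, session_id is H itself.
    return (session_keys(k_client, h_client, h_client),
            session_keys(k_server, h_server, h_server))
```

Two things are worth noticing when running it: the two sides never send K or any derived key, yet end up with identical key sets, and the client-to-server keys differ from the server-to-client keys, so a message replayed in the opposite direction does not authenticate.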

In an SSH connection the server always proves its identity with its host key pair, and the client proves its own identity to the server with a password or, more commonly, with a key pair of its own (see Authentication below). The client is expected to compare the server's host key with a record from a previous connection or with a fingerprint obtained out of band; the familiar "host key has changed" warning is that comparison failing. This differentiates SSH from HTTPS, which in most implementations only verifies the identity of the web server in a client-server connection. (Other differences include that HTTPS usually does not allow the client to access the server's command line, and that firewalls sometimes block SSH but almost never block HTTPS.)
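As an added example (not the article's own code, and not OpenSSH's), the Python below performs the client-side host key check just described: it parses the server's public key blob, prints the SHA256 fingerprint in the form ssh-keygen -l shows it, and classifies the key against a known_hosts file, including OpenSSH's hashed host entries and @revoked markers. The two keys and the known_hosts text are constructed for the example; the 32-byte values are not real ed25519 keys. Negated host patterns and the [host]:port form are deliberately left out.

```python
import base64
import fnmatch
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251 section 5)."""
    return len(b).to_bytes(4, "big") + b


def read_string(buf: bytes, off: int):
    """Read one SSH string from buf at off; returns (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated SSH string")
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint formatted the way ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def key_type(blob: bytes) -> str:
    """Return the key type declared inside the blob, sanity-checking ed25519."""
    ktype, off = read_string(blob, 0)
    if ktype == b"ssh-ed25519":
        pub, off = read_string(blob, off)
        if len(pub) != 32 or off != len(blob):
            raise ValueError("malformed ssh-ed25519 key")
    return ktype.decode()


def hashed_host(host: str, salt: bytes) -> str:
    """Hashed known_hosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hashed_host(host, salt), pattern)
    # Plain entries: comma-separated names with * and ? wildcards.
    return any(fnmatch.fnmatchcase(host, p) for p in pattern.split(","))


def check_host_key(known_hosts: str, host: str, presented: bytes) -> str:
    """Classify a presented host key blob against known_hosts text:
    'trusted', 'REVOKED', 'CHANGED' (possible man-in-the-middle) or 'unknown'."""
    presented_type = key_type(presented)
    revoked = exact = same_type = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or not host_matches(fields[0], host):
            continue
        known = base64.b64decode(fields[2])
        if marker == "@revoked":
            revoked |= known == presented
        elif marker is None:
            exact |= known == presented
            same_type |= fields[1] == presented_type
    if revoked:
        return "REVOKED"
    if exact:
        return "trusted"
    return "CHANGED" if same_type else "unknown"   # unknown: verify out of band


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


# Constructed sample keys (NOT real keys): fixed bytes stand in for the
# 32-byte ed25519 public value so the example runs offline.
BASTION_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
DB_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "bastion.example.internal,10.0.0.2 ssh-ed25519 " + b64(BASTION_KEY) + " bastion",
    hashed_host("db.example.internal", b"0123456789abcdefghij") + " ssh-ed25519 " + b64(DB_KEY),
])
```

The result that matters operationally is "CHANGED": a known host presenting a different key of the same type is either a legitimately re-keyed server or an interception, and the only safe response is to stop and confirm the new fingerprint through a channel the attacker does not control.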

Authentication

While the host key authenticates the server, a properly secured computer will still require authentication from the person (or automated process) using SSH. This can be a username and password, but public key authentication is the stronger option: the user's client signs a challenge with a private key whose public half is listed in the account's authorized_keys file on the server. Such a key cannot be guessed by online brute force the way a password can, and many administrators disable password logins entirely once keys are in place. Servers can additionally require a second factor, for example through keyboard-interactive authentication or hardware-backed (FIDO) keys.

Once authentication is complete, the person can execute commands on the remote machine as if they were doing so on their own local machine.
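The check below is an added example, not code from the original article or from OpenSSH. It reads an sshd_config the way sshd does (keywords are case-insensitive, the first value given for a keyword wins, and anything after a Match line applies only to the matched connections) and reports the authentication and forwarding settings a reviewer would want changed. The defaults encoded in CHECKS are OpenSSH's documented defaults; the two configuration texts are constructed for the example.

```python
import re

# keyword (lowercased): (OpenSSH default, acceptable values, why it matters)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}, "password logins are open to online guessing; use keys"),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}, "root may log in with a password"),
    "pubkeyauthentication": ("yes", {"yes"}, "public key authentication is switched off"),
    "permitemptypasswords": ("no", {"no"}, "accounts with empty passwords can log in"),
    "allowtcpforwarding": ("yes", {"no", "local"}, "any user can tunnel through this host"),
    "x11forwarding": ("no", {"no"}, "X11 forwarding exposes the client's display"),
}


def effective_settings(config_text: str) -> dict:
    """Global settings as sshd sees them: comment lines skipped, keywords
    case-insensitive, the FIRST value for a keyword wins, and everything
    after a Match line is conditional so it is not counted as global."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)             # first occurrence wins
    return settings


def audit_sshd_config(config_text: str) -> list:
    """Return (keyword, effective value, message) for every weak setting,
    counting an absent keyword as its OpenSSH default."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, (default, acceptable, message) in CHECKS.items():
        value = settings.get(keyword, default)
        if value not in acceptable:
            findings.append((keyword, value, message))
    return findings


# Constructed sample configurations.
WEAK_CONFIG = """
# a fresh install plus a few bad edits; the second PasswordAuthentication
# line is ignored by sshd because the first value wins
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
# exception scoped to one account only; does not change the global value
Match User deploy
    AllowTcpForwarding local
"""
```

The "first value wins" rule is the one that bites in practice: an administrator who appends PasswordAuthentication no to the end of a file that already says yes has changed nothing, and the audit above reports the value sshd will actually use.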

SSH port forwarding, or 'tunneling'

Port forwarding is like forwarding a message between two people. Bob may send a message to Alice, who in turn passes it to Dave. Similarly, port forwarding sends data packets directed at an IP address and port on one machine to an IP address and port on a different machine.

For example, imagine an administrator wants to make a change on a server inside a private network they manage, and they want to do so from a remote location. However, for security reasons, that server only accepts connections from other computers within the private network. The administrator could instead connect to a second server within the network, one that is open to receiving Internet traffic, and then use SSH port forwarding to connect to the first server. From the first server's perspective, the administrator's connection is coming from inside the private network. In OpenSSH terms this is local forwarding (ssh -L) through a jump host, or, in a single step, a jump with ssh -J; reverse forwarding (ssh -R) does the opposite and exposes a port near the client to the server's side.
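To make the mechanism concrete, here is an added example (not code from the article or from OpenSSH) of the message the client sends inside the encrypted session for every connection it accepts on a forwarded port: the CHANNEL_OPEN "direct-tcpip" request of RFC 4254 section 7.2. The server parses it and, if its PermitOpen policy allows the destination, makes the onward connection itself, which is exactly why the inner server sees traffic "from inside the network". Only the message payload is modelled; on the wire it is additionally framed, padded, MACed and encrypted. The message numbers are the RFC's; the request values are constructed.

```python
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_OPEN_FAILURE = 92


def uint32(n: int) -> bytes:
    return n.to_bytes(4, "big")


def ssh_string(b: bytes) -> bytes:
    return uint32(len(b)) + b


def build_direct_tcpip(sender_channel, host, port, origin_ip, origin_port,
                       window=2 * 1024 * 1024, max_packet=32768) -> bytes:
    """Payload of the CHANNEL_OPEN "direct-tcpip" request (RFC 4254 section
    7.2) that ssh -L sends for each connection it accepts locally."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"direct-tcpip")
            + uint32(sender_channel) + uint32(window) + uint32(max_packet)
            + ssh_string(host.encode()) + uint32(port)
            + ssh_string(origin_ip.encode()) + uint32(origin_port))


def parse_direct_tcpip(payload: bytes) -> dict:
    """Server-side parse of that request; rejects anything malformed."""
    pos = 1

    def u32():
        nonlocal pos
        if pos + 4 > len(payload):
            raise ValueError("truncated")
        v = int.from_bytes(payload[pos:pos + 4], "big")
        pos += 4
        return v

    def string():
        nonlocal pos
        n = u32()
        if pos + n > len(payload):
            raise ValueError("truncated")
        s = payload[pos:pos + n]
        pos += n
        return s

    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN or string() != b"direct-tcpip":
        raise ValueError("not a direct-tcpip CHANNEL_OPEN")
    req = {"sender_channel": u32(), "window": u32(), "max_packet": u32()}
    req["host"] = string().decode()
    req["port"] = u32()
    req["origin_ip"] = string().decode()
    req["origin_port"] = u32()
    if pos != len(payload):
        raise ValueError("trailing bytes")
    return req


def permit_open_allows(permit_open: str, host: str, port: int) -> bool:
    """Apply sshd's PermitOpen: 'any', 'none', or whitespace-separated
    host:port entries where '*' may stand for the host or the port."""
    value = permit_open.strip()
    if value == "any":
        return True
    if value == "none":
        return False
    for entry in value.split():
        h, _, p = entry.rpartition(":")
        if h in ("*", host) and p in ("*", str(port)):
            return True
    return False


def server_response(payload: bytes, permit_open: str) -> int:
    """What the bastion answers: CONFIRMATION (91) when policy allows the
    destination, FAILURE (92) otherwise. Only the message type is modelled."""
    try:
        req = parse_direct_tcpip(payload)
    except ValueError:
        return SSH_MSG_CHANNEL_OPEN_FAILURE
    if permit_open_allows(permit_open, req["host"], req["port"]):
        return SSH_MSG_CHANNEL_OPEN_CONFIRMATION
    return SSH_MSG_CHANNEL_OPEN_FAILURE


# The request behind "ssh -L 15432:10.0.0.5:5432 bastion" when a local client
# connects to the forwarded port from 127.0.0.1:51234 (constructed values).
EXAMPLE_REQUEST = build_direct_tcpip(0, "10.0.0.5", 5432, "127.0.0.1", 51234)
```

The destination host and port travel inside the SSH session, so a firewall between client and bastion never sees them. PermitOpen on the bastion is the control that limits where authenticated users can forward to; left at its default of "any", every account that can log in can reach anything the bastion can.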

Using SSH

Linux and macOS come with an SSH client (OpenSSH) built in, and recent versions of Windows 10 and 11 include the OpenSSH client as well; older Windows machines need a third-party client such as PuTTY. On any of these, users can open a terminal and enter SSH commands directly, for example ssh username@hostname.

What is SSH used for?

Technically, SSH can transmit any arbitrary data over a network, and SSH tunneling can be set up for a myriad of purposes. However, the most common SSH use cases are:

Remotely managing servers, infrastructure, and employee computers

Securely transferring files with SFTP or scp, both of which run over SSH and replace unencrypted protocols like FTP

Accessing services in the cloud without exposing a local machine's ports to the Internet

Connecting remotely to services in a private network

Bypassing firewall restrictions

What port is SSH?

Port 22 is the default port for SSH. Sometimes a firewall blocks most ports on the servers behind it but leaves port 22 open. SSH is therefore useful for reaching services on the other side of the firewall: the firewall sees only an SSH session to port 22, while the forwarding to other ports and hosts happens inside the encrypted session after it reaches the SSH server. (Running SSH on a port other than 22 cuts down automated scanning noise but is not a substitute for strong authentication.)

Are there any security risks associated with SSH?

Because SSH access typically comes with elevated privileges, such as the ability to install applications on a server or delete, alter, or extract data, SSH access can be harmful in the hands of an attacker — or even a well-intentioned insider. SSH has been used in a number of documented attacks in order to exfiltrate private data, open backdoor routes into a secure network, and gain root access on servers.

Because many firewalls allow port 22 (and most allow outbound connections), an attacker who has compromised one machine can use SSH tunneling, especially reverse forwarding, to carry command-and-control or exfiltration traffic through the firewall or to expose internal services to the outside, all inside traffic that looks like ordinary SSH.

Attackers can also steal SSH private keys in order to access private computers and servers. In fact, SSH key management is a major security problem for large organizations: their many servers may accept thousands or even millions of keys, and tracking and updating those keys manually is close to impossible. A plain SSH key has no built-in expiry and stays valid until someone removes it from every authorized_keys file that lists it, so once an attacker obtains a key, they may have persistent access for months or years. OpenSSH offers two ways to bound that exposure: restrictions on individual entries in authorized_keys (from=, command=, restrict and expiry-time=), and SSH certificates issued by a trusted CA with an explicit validity period, which expire on their own.
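The audit below is an added example (not the article's code, and not OpenSSH's) of the kind of check that key-management problem calls for: it parses authorized_keys lines, including quoted option values that contain commas and spaces, and flags keys with no source restriction, no forwarding restriction, no expiry, a DSA key type, or the same key authorized for more than one account. The option names are OpenSSH's; the sample files and the base64 blobs in them are constructed placeholders, not real keys.

```python
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def parse_options(options: str) -> dict:
    """Comma-separated options; commas inside double quotes do not split.
    Flag options map to True, name=value options to their unquoted value."""
    opts, current, quoted = {}, [], False
    for ch in options + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            name, eq, value = "".join(current).partition("=")
            if name:
                opts[name.lower()] = value if eq else True
            current = []
        else:
            current.append(ch)
    return opts


def split_options_from_key(line: str):
    """Options end at the first whitespace outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    raise ValueError("no key material after options")


def parse_authorized_key(line: str) -> dict:
    line = line.strip()
    first = line.split(None, 1)[0]
    options = ""
    if not (first in KEY_TYPES or first.endswith("-cert-v01@openssh.com")):
        options, line = split_options_from_key(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    return {"options": parse_options(options), "type": parts[0],
            "blob": parts[1], "comment": parts[2] if len(parts) > 2 else ""}


def audit_authorized_keys(files: dict) -> list:
    """files maps an account name to the text of its authorized_keys.
    Returns (account:line, message) pairs in file order."""
    findings, seen = [], {}
    for account, text in files.items():
        for n, raw in enumerate(text.splitlines(), 1):
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue
            key = parse_authorized_key(raw)
            opts, where = key["options"], "%s:%d" % (account, n)
            if key["type"] == "ssh-dss":
                findings.append((where, "DSA key; disabled by default since OpenSSH 7.0"))
            if "from" not in opts:
                findings.append((where, "no from= restriction: usable from any address"))
            if "restrict" not in opts and "no-port-forwarding" not in opts:
                findings.append((where, "port forwarding allowed: the key can tunnel through this host"))
            if "expiry-time" not in opts:
                findings.append((where, "no expiry-time=: the key never expires on its own"))
            if key["blob"] in seen:
                findings.append((where, "same key also authorized at " + seen[key["blob"]]))
            else:
                seen[key["blob"]] = where
    return findings


# Constructed sample files; the base64 blobs are placeholders, not real keys.
SAMPLE_FILES = {
    "root": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000 laptop\n",
    "deploy": (
        'from="10.0.0.0/24",restrict,expiry-time="20260101",command="/usr/local/bin/deploy" '
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000 ci-runner\n"
        "ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER old-admin\n"
    ),
}
```

Run across every account's authorized_keys on a fleet, the duplicate-key finding is usually the most revealing one: the same private key sitting on several machines or shared between people is the key that, once stolen, grants the persistent access described above.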

How does SSH contrast with other protocols for tunneling?

One of the main differences between SSH and other tunneling protocols is the OSI layer at which they operate. GRE, IP-in-IP, and IPsec are all network layer protocols. As such, they are not aware of ports (a transport layer concept), instead operating between IP addresses. (SSH's exact OSI layer is not strictly defined, but most sources describe it as a layer 7/application layer protocol, like HTTP, FTP, and SMTP.)

Another difference is SSH's use of TCP. TCP, as described above, is a transport layer protocol, and one of the main ones used on the Internet. Another widely used transport layer protocol is UDP, the User Datagram Protocol. UDP is a "best-effort" transport protocol — sending packets without ensuring their delivery — which makes it faster but sometimes results in packet loss. Although TCP is slower than UDP, it guarantees delivery of all packets in order, and is therefore more reliable.

IPsec does not use TCP at all, and it does not simply run over UDP either: its ESP and AH packets are IP protocols in their own right (protocol numbers 50 and 51), its IKE key exchange runs over UDP port 500, and only when NAT traversal is needed is ESP wrapped in UDP on port 4500. Because IPsec adds no reliable transport of its own, the packets it carries keep whatever transport they already had, and a lost packet is the inner connection's problem to retransmit. SSH, by contrast, carries every forwarded connection inside one TCP stream, so a single lost segment stalls all of them until it is retransmitted; this is the main reason IPsec tunnels tend to perform better for bulk or latency-sensitive traffic. GRE and IP-in-IP likewise encapsulate whole IP packets, so the inner packet can be TCP, UDP or anything else.

Finally, SSH forwards individual connections rather than all traffic going to and from a device: each tunnel carries one TCP port, or, with ssh -D, whatever an application sends through a local SOCKS proxy. This differentiates SSH from IPsec, which encrypts all network traffic, no matter which application it comes from. For this reason, SSH is not normally used for setting up VPNs (OpenSSH can forward a tun device with ssh -w, but that mode is rarely deployed).

