Secure Shell

In computer networking, there's a need to log into a remote computer. Historically, this was done using telnet (since late 1960s) and rlogin (since 1980s). However, these early programs were not secure. Secure Shell (SSH) is a protocol created to address these deficiencies. It basically establishes a secure connection over an insecure network.

SSH adopts a client-server architecture. Client refers to the machine attempting to connect to a remote server. SSH authenticates both the client and the server. It specifies how client and server can agree on a shared secret for subsequent encryption of packets. Finally, it also provides data integrity protection.

SSH has two versions: SSH-1 and SSH-2. SSH-2 was standardized by the IETF.

SSH has wide adoption. Modern operating systems come with built-in SSH clients. OpenSSH is a popular open source implementation. Commercial implementations are also available.


  • What are the applications of SSH?
    Port forwarding is one application of SSH. Source: Barrett and Silverman 2001, fig. 9-1.
    Port forwarding is one application of SSH. Source: Barrett and Silverman 2001, fig. 9-1.

    A common application of SSH is to remote login. In the early days of computer networking, trusted users within a corporate or university network had access to mainframes. For such trusted users, telnet was good enough. As networking expanded to WANs and the Internet, there was a need for a more secure protocol. This is what SSH provides. Once remotely logged into a computer, the user can execute programs via a terminal.

    Port forwarding or SSH tunnelling is another useful application of SSH. TCP/IP traffic is encrypted and tunnelled through an SSH connection. This is also useful to bypass firewalls. Telnet, SMTP, NNTP, IMAP and other insecure protocols can be tunnelled through SSH. X forwarding is a special case of port forwarding.

    SSH can be used to transfer or copy files via SFTP and SCP. SSH can automate server access and therefore enables process automation by cloud-based services. SSH keys can also offer Single Sign-On (SSO) so that users need not repeatedly type passwords.

  • What are main features of SSH?
    User on client machine is prompted to authenticate the server. Source: Villanueva 2022.
    User on client machine is prompted to authenticate the server. Source: Villanueva 2022.

    SSH has the following main features or purposes:

    • Authentication: Client can authenticate the server and vice versa. Algorithms include RSA and DSA (such as Ed25519 and Ed448).
    • Key Exchange: Client and server agree on what keys to use for encryption. Algorithms include Diffie-Hellman and RSA.
    • Encryption: SSH can encrypt it's payload, packet length, padding length and padding bytes. Algorithms include chacha-poly1305, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, arcfour128 and arcfour256.
    • Data Integrity: By including a Message Authentication Code (MAC) field to each packet, the receiver can check that the packet hasn't been tampered with. MAC is calculated from a sequence number field (not transmitted) and unencrypted bytes. Algorithms include hmac-sha2-256 and hmac-sha2-512.
    • Compression: Payload going into an SSH packet can be optionally compressed. Algorithms include zlib.
  • How does SSH differ from SSL?

    Both SSH and SSL (Secure Sockets Layer) are about secure communications. However they differ in terms the sort of applications they enable. The main use of SSH is remote login and providing secure tunnels for insecure programs. System administrators or tech savvy users use SSH. SSL focuses on securing communications between a web browser and a web server. SSL powers websites and e-commerce.

    Like SSH, SSL does authentication, data integrity checks and encryption. While SSH has many ways to authenticate clients, SSL authentication uses certificates. Though SSL offers both server and client authentication, the latter is impractical and rarely used.

    For secure file transfer, SSH enables SFTP. SSL provides a similar service via File Transfer Protocol over SSL (FTPS).

  • Which are the components of SSH?
    SSH-2 architecture. Source: Barrett and Silverman 2001, fig. 3-4.
    SSH-2 architecture. Source: Barrett and Silverman 2001, fig. 3-4.

    SSH-2 includes three distinct protocol components:

    • Transport Layer Protocol (SSH-TRANS): This is a low-level protocol by which client and server negotiate their support for SSH version and algorithms. Key exchange and server authentication are performed.
    • Authentication Protocol (SSH-AUTH): This does client authentication. Client can attempt any authentication method supported by the server. The client may send "none" method to trigger the server to send a list of supported methods.
    • Connection Protocol (SSH-CONN): From a single connection multiple logical channels are setup. For example, one channel might be an interactive user session while another might be an SSH tunnel for an insecure application.
  • Could you describe the SSH protocol handshaking?
    SSH key-based client authentication. Source: Peiyue and Yuanyuan 2021.
    SSH key-based client authentication. Source: Peiyue and Yuanyuan 2021.

    When a client contacts the server, a TCP connection is established. As the next step, client and server negotiate on two things based on their capabilities: (a) the version of SSH to use; (b) the algorithms to use.

    The Key Exchange (kex) procedure follows. This includes explicit or implicit server authentication. This outputs a shared secret K and an exchange hash H. Encryption and authentication keys are derived from these. H from the first key exchange serves as the session identifier. RFC 4253 recommends that keys be re-exchanged every hour or after 1 GB of data transfer.

    Next, the client makes a service request. The service request can be either SSH-AUTH, SSH-CONN or SSH-AUTH followed with SSH-CONN. With SSH-TRANS, a password could be used for client authentication. A more popular method is use pubic-private key pair, called key-based authentication. Another method is host-based authentication where server allows connections from specific hostnames. Once authenticated, client and server can establish a channel and exchange data.

  • How is SSH-2 different from SSH-1?

    SSH-1 is a monolithic protocol whereas SSH-2 is designed as three separate components: SSH-TRANS, SSH-AUTH and SSH-CONN. With this modular approach, SSH-2 improves on many aspects: algorithm negotiation, multiple methods of key exchange, certificates for public keys, more flexible authentication, stronger integrity checks, and periodic renewal of session key.

    For client/server authentication, DSA works with only SSH-2 whereas RSA works with both versions of SSH. Mathematically, DSA is based on the discrete logarithm problem whereas RSA is base on the prime factorization problem. SSH-2 is extensible, that is, it can work with any public-key signature algorithm. For password-based authentication, SSH-2 allows users to change password.

    SSH-2 doesn't support DES and IDEA encryption algorithms, either due to their weakness or licensing restrictions. SSH-2 adds SFTP to the SSH suite.

    Unlike SSH-1, SSH-2 supports multiple interactive sessions. Many channels can be multiplexed over the same SSH connection. Thus, X or port forwarding can be done without opening separate terminal sessions for each.

    As per RFC 4253, servers that support both versions are required to identify the protoversion as SSH-1.99.

  • What tools are available for using SSH?
    A selection SSH servers. Source: Stackscale 2021.
    A selection SSH servers. Source: Stackscale 2021.

    Two common tools that run on top of SSH are SFTP for secure file transfer and SCP for secure file copy. These are secure counterparts of earlier UNIX/Linux programs FTP and RCP. Popular implementations include OpenSSH, PuTTY and Tectia SSH. Built-in SSH clients are available on Windows, Linux and Mac. SFTP programs include WinSCP (Windows), gFTP (Linux) and Fetch (Mac).

    SSH requires key generation and management. The tool ssh-keygen generates public-private key pairs. Once generated, the client's public key needs to be copied to the server. This is aided by the ssh-copy-id tool. On the server, the clients' public keys are stored at ~/.ssh/authorized_keys.

    When initiating an SSH connection, the user will be prompted for the passphrase. The tool ssh-agent stores the client's private key so that the user need not enter the passphrase for subsequent SSH connections. The tool ssh-add adds the key to the agent once the correct passphrase is supplied.

  • What are some limitations of SSH?

    SSH works well in low-latency environments. In high-latency environments such as 4G connections or satellite links, making an SSH connection or relaying user commands can be slow. Mobile Shell (Mosh) has come up as an alternative for these scenarios. It uses SSH for the initial connection but subsequently uses UDP rather than TCP.

    SSH keys don't expire. SSH key mismanagement is an issue. Stolen keys, hardcoded root authorized keys, and host key copied from one host to another are all problems. The Sony breach of 2014 was achieved with stolen SSH keys.

    Port forwarding occurs at the application layer, not at the network layer. Hence, it's not completely transparent to the application. Some configuration may be needed to get it working. For example, FTP data channels are hard to forward. For complete transparency, alternatives such as IPSec or VPN may be more suitable.

  • How can I make SSH connections more secure?

    There are a few things system administrators can do on the server side to make SSH more secure. Hackers may try brute-force password attacks. This can be avoided by disabling password-based authentication. Disable remote login for the root user. Be restrictive, that is, allow SSH only for some users. SSH by default uses port 22. Configure the server to use a non-default port.

    When creating public-private key pair, use a strong passphrase. Key generation requires randomness. Use a hardware random number generator. Update the seed file after generating the SSH host key.

    In large organizations, SSH key management solutions are needed. SSH Communications Security's Universal SSH Key Manager and Venafi's SSH Protect are examples. SSH keys should be at locations accessible by only the root user.

    Though SSH sessions are encrypted, traffic analysis can still yield may clues as to what's happening. This could be mitigated by including random amount of padding.

  • Which are the RFCs that specify SSH?

    The Secure Shell (SECSH) Working Group of the IETF defined a number of documents for SSH. We note the following as essential reading:

    • RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers
    • RFC 4251: The Secure Shell (SSH) Protocol Architecture
    • RFC 4252: The Secure Shell (SSH) Authentication Protocol
    • RFC 4253: The Secure Shell (SSH) Transport Layer Protocol
    • RFC 4254: The Secure Shell (SSH) Connection Protocol

    The above documents refer to further RFCs that update them: 6668, 8268, 8308, 8332, 8709, 8758, 9141, 9142.

    Two online sources have published useful lists of RFCs pertaining to SSH: OmniSecu and OpenSSH.



Ylönen, a researcher at the Helsinki University of Technology, discovers a password-sniffing attack. Plain-text communication protocols are inadequate and underscore the necessity of secure communication. To address these, Ylönen creates Secure Shell (SSH) with a focus on security and encryption. Ylönen releases the first version of SSH, named SSH-1. Internet Assigned Numbers Authority (IANA) assigns port number 22 to SSH. By the year's end, about 20,000 users from 50 countries are using SSH. Given this popularity, in December 1995, Ylönen commercializes the technology under the name SSH Communications Security, Ltd.


Ylonen publishes an IETF Internet-Draft that details SSH. This is the first formal description of the protocol. The draft expires in May 1996.


SSH Communications Security, Ltd. releases SSH-2. SSH-1 had evolved in an ad hoc manner and had limitations and flaws. SSH-2 introduces more secure algorithms. It improves session identifier and key exchange. However, SSH-2 is incompatible with SSH-1. The last free version of SSH-1 is 1.2.12.


The use of SSH-2 (as released by SSH Communications Security, Ltd.) has licensing restrictions. At the IETF, a new Working Group named Secure Shell, aka SECSH, is formed. It's mandate is to standardize SSH that can also be used openly. The first IETF Internet-Draft of SSH-2 comes out in February 1997.


OpenBSD developers need a secure communication protocol. A few members work to modify and enhance OSSH, a fork of SSH created by Swedish programmer Groenvall. OpenBSD releases the first version of OpenSSH. In subsequent years, OpenSSH gains wide adoption, particularly in all POSIX-compliant operating systems.


A vulnerability is discovered in the CBC mode block cipher. One suggested solution is to use more secure cipher modes. Systems could disable weak ciphers (3des-cbc, aes128-cbc, aes256-cbc, des-cbc), weak key exchange algorithms (diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1) and weak MAC algorithms (hmac-md5, hmac-md5-96, hmac-sha1-96). For example, HP switches can be configured to block these weak options.


IETF publishes the main RFCs that standardize SSH-2: 4250, 4251, 4252, 4253 and 4254. In October, the Working Group SECSH is closed.


IETF publishes RFC 4432 that specifies RSA Key Exchange. IETF's SSH-2 uses Diffie-Hellman key exchange, which can take tens of seconds on slow devices. RSA-based key exchange is therefore proposed. The latter was supported in the original SSH-1 protocol.


IETF publishes RFC 6668 that specifies the use of SHA-2 for data integrity verification. Specifically, it defines hmac-sha2-256 (recommended) and hmac-sha2-512 (optional). This comes as a response to SHA-1 and MD5 algorithms that are now considered weak. In March 2018, RFC 8332 is published. This adds public key algorithms rsa-sha2-256 (recommended) and rsa-sha2-512 (optional).


IETF publishes RFC 8709 that formalizes the use of Ed25519 and Ed448 algorithms. These are Digital Signature Algorithms (DSAs) used for authenticating clients and servers. In SSH, they're not used for encryption. OpenSSH 6.5 (released in 2014) introduced support for Ed25519. This RFC formalizes this and adds Ed448.


IETF publishes RFC 8758 that deprecates RC4. RC4 encryption with its 128-bit key has known weaknesses. It's replacement are "arcfour128" (128-bit key) and "arcfour256" (256-bit key) that are specified in RFC 4345 (January 2006). In both algorithms, the first 1536 bytes generated by the cipher are discarded.


IETF publishes RFC 9142 that recommends which key exchange methods are safe and which ones should be avoided. Specifically, SHA-1 hash should be avoided. It also states, "A key exchange method is considered weak when the security strength is insufficient to match the symmetric cipher or the algorithm has been broken."

Sample Code

  • # Source:'Reilly%20-%20SSH%20The%20Secure%20Shell%20The%20Definitive%20Guide-2.pdf
    # Examples here are adapted from sec. 1.4
    # Accessed: 2023-04-18
    # Login as user smith on
    ssh -l smith
    # Login as user smith on
    # Run command 'ls -l' on a remote computer after logging in
    ssh ls -l
    # Port forwarding: local port 3002 is connected to remote port 119
    ssh -L 3002:localhost:119
    # Copy local file abc.mp4 to path uploads/videos on remote computer
    scp abc.mp4


  1. Altaqi, Wael. 2021. "The What, Why & How of SSH Protocol." Blog, Keyfactor, August 11. Accessed 2023-04-19.
  2. Barrett, D. J. and R. E. Silverman. 2001. "SSH, The Secure Shell: The Definitive Guide." First Edition, O'Reilly Media, Inc. Accessed 2023-04-18.
  3. Baushke, M. 2022. "Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)." RFC 9142, IETF, January. Accessed 2023-04-18.
  4. Bider, D. 2018. "Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol." RFC 8332, IETF, March. Accessed 2023-04-18.
  5. Bider, D. and M. Baushke. 2012. "SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol." RFC 6668, IETF, July. Accessed 2023-04-18.
  6. ComodoSSLStore. 2018. "What is SSL/TLS Client Authentication? How does it work?" Blog, ComodoSSLStore, June 5. Updated 2022-02-17. Accessed 2023-04-21.
  7. Dai, W. 2002. "An attack against SSH2 protocol." Narkive Mailing List Archive, February 6. Updated 2002-02-14. Accessed 2023-04-18.
  8. Ellingwood, J. 2014. "Understanding the SSH Encryption and Connection Process." Tutorial, Digital Ocean, October 23. Updated 2022-04-01. Accessed 2023-04-21.
  9. Geerling, Jeff. 2014. "A brief history of SSH and remote access." Blog, April 15. Accessed 2023-04-19.
  10. HPE. 2023. "SSH2 Scan Shows SSH Server CBC Mode Ciphers Key Exchange Items and Other SSH Weak MAC Algorithms." Support Center, HPE. Accessed 2023-04-18.
  11. Harris, B. 2006a. "RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol." RFC 4432, IETF, March. Accessed 2023-04-18.
  12. Harris, B. 2006b. "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol." RFC 4345, IETF, January. Accessed 2023-04-20.
  13. Harris, B. and L. Velvindron. 2020. "Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol." RFC 8709, IETF, February. Accessed 2023-04-18.
  14. Hernandez, A. 2022. "Most Common SSH Vulnerabilities & How to Avoid Them." Blog, Venafi, December 2. Accessed 2023-04-19.
  15. Hill, R. 2011. "Getting started with SSH security and configuration." IBM, January 31. Updated 2014-05-08. Accessed 2023-04-18.
  16. IETF. 2006. "Secure Shell (secsh): Group history." Datatracker, IETF. Accessed 2023-04-18.
  17. IETF. 2022. "Secure Shell (secsh): Documents." Datatracker, IETF. Accessed 2023-04-18.
  18. Kinsta. 2022. "SSH vs SSL: What's the Difference?" Knowledge base, Kinsta, September 20. Accessed 2023-04-19.
  19. Lehtinen, S. and C. Lonvick (ed). 2006. "The Secure Shell (SSH) Protocol Assigned Numbers." RFC 4250, IETF, January. Accessed 2023-04-18.
  20. Loshin, P. and M. Chapple. 2022. "SSH2 vs. SSH1 and why SSH versions still matter." Part 5 of: How to securely use Secure Shell (SSH), TechTarget, July 27. Accessed 2023-04-18.
  21. Microsoft. 2022. "Tutorial: SSH in Windows Terminal." Windows Terminal, Microsoft, March 11. Accessed 2023-04-20.
  22. N-able. 2019. "How Does SSH Protocol Work?" Blog, N-able, August 8. Updated 2021-04-01. Accessed 2023-04-18.
  23. Noble, O. 2020. "RSA vs DSA certificates: who wins in a fight?" Blog, NordLocker, January 17. Accessed 2023-04-20.
  24. OmniSecu. 2023. "Important RFCs related with SSH protocol." OmniSecu. Accessed 2023-04-18.
  25. OpenSSH. 2022. "OpenSSH Project History." History of Open SSH, Open SSH. Accessed 2023-04-19.
  26. OpenSSH. 2023. "OpenSSH Specifications." OpenSSH. Accessed 2023-04-18.
  27. Peiyue, G. and F. Yuanyuan. 2021. "What Is SSH?" Info-Finder, Huawei, July 22. Updated 2021-12-14. Accessed 2023-04-18.
  28. Red Hat. 2023. "Red Hat Enterprise Linux 7: System Administrator's Guide." Documentation, Red Hat, April 12. Accessed 2023-04-18.
  29. SSH Academy. 2019. "SSH Port." SSH Communications Security, September 24. Accessed 2023-04-19.
  30. SSH Communications Security. 2019a. "SSH Keys for SSO: Usage, ssh-add Command, ssh-agent." SSH Communications Security, August 27. Updated 2023-01-03. Accessed 2023-04-21.
  31. SSH Communications Security. 2019b. "How to Use ssh-keygen to Generate a New SSH Key?" SSH Communications Security, August 27. Updated 2023-02-09. Accessed 2023-04-20.
  32. Stackscale. 2021. "SSH protocol: usage, versions and implementations." Blog, Stackscale, September 7. Updated 2022-08-24. Accessed 2023-04-18.
  33. Thakkar, Jay. 2020. "SSH vs SSL: Exploring the Similarities and Differences." Blog, Infosec Insights, October. Updated 2022-09-20. Accessed 2023-04-19.
  34. Trisul. 2017. "Traffic analysis of Secure Shell (SSH)." Blog, Trisul, Unleash Networks, July 7. Accessed 2023-04-18.
  35. University of Pittsburg. 2017. "Secure Shell (SSH) and SFTP." Information Technology, University of Pittsburg, February 14. Updated 2019-08-30. Accessed 2023-04-20.
  36. Velvindron, L. 2020. "Deprecating RC4 in Secure Shell (SSH)." RFC 8758, IETF, April. Accessed 2023-04-18.
  37. Villanueva, J. C. 2022. "The SSH / SFTP Key Fingerprint And Its Role In Server Authentication." Blog, JScape, December 11. Accessed 2023-04-21.
  38. Ylonen, Tatu. 1995. "The SSH (Secure Shell) Remote Login Protocol." Internet-Draft, Internet Engineering Task Force, November 16. Accessed 2023-04-19.
  39. Ylonen, T. and C. Lonvick (ed). 2006a. "The Secure Shell (SSH) Protocol Architecture." RFC 4251, IETF, January. Accessed 2023-04-18.
  40. Ylonen, T. and C. Lonvick (ed). 2006b. "The Secure Shell (SSH) Authentication Protocol." RFC 4252, IETF, January. Accessed 2023-04-18.
  41. Ylonen, T. and C. Lonvick (ed). 2006c. "The Secure Shell (SSH) Transport Layer Protocol." RFC 4253, IETF, January. Accessed 2023-01-17.
  42. Ylonen, T. and C. Lonvick (ed). 2006d. "The Secure Shell (SSH) Connection Protocol." RFC 4254, IETF, January. Accessed 2023-04-18.
  43. gwideman. 2018. "SSH authentication sequence and key files : explain." serverfault, StackExchange, October 15. Accessed 2023-04-18.

Further Reading

  1. Barrett, D. J. and R. E. Silverman. 2001. "SSH, The Secure Shell: The Definitive Guide." First Edition, O'Reilly Media, Inc. Accessed 2023-04-18.
  2. Hill, R. 2011. "Getting started with SSH security and configuration." IBM, January 31. Updated 2014-05-08. Accessed 2023-04-18.
  3. Poll, E. and A. Schubert. 2011. "Rigorous specifications of the SSH Transport Layer." CTIT technical report series, January. Accessed 2023-04-18.
  4. Cagalj, M. 2017. "The Secure Shell (SSH) Protocol." Slides, University of Split, FESB, May. Accessed 2023-04-18.
  5. Cisco. 2023. "Implementing Secure Shell." Accessed 2023-04-18.
  6. Kenlon, S. 2020. "A beginner's guide to SSH for remote connection on Linux." Opensource, September 7. Accessed 2023-04-18.

Article Stats

Author-wise Stats for Article Edits

No. of Edits
No. of Chats

Cite As

Devopedia. 2023. "Secure Shell." Version 9, April 21. Accessed 2023-11-12.
Contributed by
2 authors

Last updated on
2023-04-21 16:37:50
  • OpenSSH
  • SSH Tunnelling
  • SSH Packet Format
  • Transport Layer Security
  • Diffie-Hellman Key Exchange
  • Public Key Cryptography