Part 3 of the series. Prerequisites: none.
Resources:
- OpenSSH Official Documentation: https://www.openssh.com/manual.html (docs)
- SSH Academy by SSH.com: https://www.ssh.com/academy/ssh (docs)
What if you could control any computer in the world from your couch?
That’s exactly what SSH lets you do. Securely.
Whether it’s a server in a data center 5,000 miles away or a Raspberry Pi in your closet, SSH gives you a secure tunnel to control it as if you were sitting right in front of it.
By the end of this guide, you’ll:
- ✅ Understand what SSH is (and why it matters)
- ✅ Connect to your first remote server
- ✅ Set up secure key-based authentication
- ✅ Never type a password again
Let’s begin.
The Analogy: Your Secret Telephone Booth
Imagine a magical telephone booth that appears only for you.
When you step inside:
- Nobody can hear your conversation (it’s encrypted)
- Only you have the key to enter (that’s authentication)
- You can talk to any telephone booth in the world (that’s the server)
SSH is that booth. It creates a secret, encrypted tunnel between your computer and another computer. Anyone watching the network sees only scrambled nonsense.
The Big Picture: How SSH Works
Here’s what happens when you type ssh user@server:
- Your computer (the “client”) knocks on the server’s door (TCP port 22 by default)
- The server responds with its identity (host key)
- You verify the server is who it claims to be
- Authentication happens (password or key)
- Encrypted tunnel is established
- You’re in! Everything you type is encrypted
How SSH Encryption Actually Works
Most tutorials skip this part — but understanding the crypto is what separates someone who uses SSH from someone who truly understands it.
SSH uses a two-phase encryption strategy:
Phase 1: The Handshake (Asymmetric Encryption)
When you first connect, the two sides need to agree on a shared secret without ever sending it over the network. They use an elliptic-curve Diffie-Hellman (ECDH) key exchange; in current OpenSSH the negotiated method is normally curve25519-sha256 or, since OpenSSH 9.0, the hybrid post-quantum sntrup761x25519-sha512 (run ssh -vv to see which one your connection picked):
| Step | What Happens |
|---|---|
| 1. Client Hello | Both sides announce their SSH version and the algorithms they support; the strongest option both support wins |
| 2. Key Exchange | Each side generates a fresh, one-time (ephemeral) key pair and sends only its public half |
| 3. Shared Secret | Each side combines its own private half with the other side’s public half; the ECDH math guarantees both arrive at the same secret |
| 4. Server Identity | The server sends its host key (its permanent public identity) plus a signature over the exchange; your client verifies the signature and compares the host key with ~/.ssh/known_hosts |
| 5. Tunnel Opens | Encryption and integrity keys are derived from the shared secret; from here on every byte is encrypted |
Both sides compute the same secret without ever transmitting it, so a passive eavesdropper who records every byte of the connection learns nothing useful. The host key is used only to sign the exchange, never to encrypt anything, and the ephemeral key pairs are thrown away when the session ends. That combination is what gives SSH forward secrecy: even if the server’s host key is stolen years later, recorded sessions still cannot be decrypted.
Phase 2: The Session (Symmetric Encryption)
Once the tunnel is open, SSH switches to symmetric encryption (OpenSSH prefers chacha20-poly1305@openssh.com, then AES-GCM; older setups use AES-CTR with a separate MAC). Why the switch?
- Asymmetric (ECDH): the only safe way to agree on a key with a machine you share no secret with, but expensive per operation
- Symmetric (AES, ChaCha20): needs both sides to already hold the same key, but encrypts at gigabytes per second
The result: asymmetric crypto secures the handshake, and the key it produces drives the symmetric cipher that protects every keystroke, every file and every command.
HTTPS (TLS) uses the same two-phase design: an asymmetric handshake, then a symmetric session. The difference is how the server’s identity is established. HTTPS trusts any certificate issued by a CA your browser already knows. SSH instead pins the server’s host key in ~/.ssh/known_hosts on first contact (trust on first use) and warns loudly if it ever changes. That makes every later connection strict, but it also means the very first connection is only as safe as your check of the fingerprint.
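As an added example (not code from the original page), here is the handshake above carried out by both sides in Python using only the standard library: X25519 from RFC 7748 plays the ECDH role, and the session keys are derived from the shared secret the way RFC 4253 specifies. The version strings, KEXINIT payloads and host-key blob fed into the exchange hash are constructed placeholders, and the host-key signature step is omitted; a real client verifies that signature against known_hosts before trusting anything derived here.

```python
"""Added walkthrough of the SSH handshake: X25519 key agreement (RFC 7748)
followed by the RFC 4253 session-key derivation. Standard library only."""
import hashlib
import os
import struct

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear the 3 low bits and bit 255, set bit 254."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Scalar multiplication with the Montgomery ladder of RFC 7748 section 5.
    Returns the 32-byte little-endian u-coordinate of scalar * u."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                       # decodeUCoordinate masks the top bit
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                        # production code does this swap branch-free
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _string(b: bytes) -> bytes:
    """SSH 'string' wire encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint' encoding of a non-negative integer (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return _string(raw)


def exchange_hash(v_c: bytes, v_s: bytes, i_c: bytes, i_s: bytes,
                  k_s: bytes, q_c: bytes, q_s: bytes, k: int) -> bytes:
    """H for curve25519-sha256 (RFC 8731); the server signs this with its host key."""
    return hashlib.sha256(_string(v_c) + _string(v_s) + _string(i_c) + _string(i_s)
                          + _string(k_s) + _string(q_c) + _string(q_s) + _mpint(k)).digest()


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 section 7.2: key = HASH(K || H || letter || session_id), extended if needed."""
    out = hashlib.sha256(_mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha256(_mpint(k) + h + out).digest()
    return out[:length]


def handshake(client_priv: bytes, server_priv: bytes) -> dict:
    """Run both sides of the key exchange and return what each side derived.
    Version strings, KEXINIT payloads and the host-key blob are constructed
    placeholders; a real client checks k_s against known_hosts first."""
    q_c = x25519(client_priv, BASEPOINT)          # client's ephemeral public value, sent
    q_s = x25519(server_priv, BASEPOINT)          # server's ephemeral public value, sent
    k_client = int.from_bytes(x25519(client_priv, q_s), "big")   # never transmitted
    k_server = int.from_bytes(x25519(server_priv, q_c), "big")
    ctx = (b"SSH-2.0-OpenSSH_9.6", b"SSH-2.0-OpenSSH_9.6",
           b"kexinit-client", b"kexinit-server", b"host-key-blob")
    h_client = exchange_hash(*ctx, q_c, q_s, k_client)
    h_server = exchange_hash(*ctx, q_c, q_s, k_server)
    keys = {}
    for side, k, h in (("client", k_client, h_client), ("server", k_server, h_server)):
        # 'C' is the client-to-server cipher key, 'D' server-to-client (RFC 4253);
        # the session id is H of the first exchange
        keys[side] = {"K": k, "H": h,
                      "c2s_key": derive_key(k, h, b"C", h, 32),
                      "s2c_key": derive_key(k, h, b"D", h, 32)}
    return keys


if __name__ == "__main__":
    result = handshake(os.urandom(32), os.urandom(32))
    assert result["client"] == result["server"]
    print("both sides agree; c2s key:", result["client"]["c2s_key"].hex())
```

Only q_c and q_s cross the wire, yet both dictionaries come out identical. The `x25519` function checks out against the RFC 7748 section 6.1 test vectors, which is the first thing to verify whenever you implement a curve yourself.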
Prerequisites
Before we start, you need:
| Requirement | Why | How to Check |
|---|---|---|
| A terminal | To type commands | Open Terminal (Mac/Linux) or PowerShell (Windows) |
| A server to connect to | Something to SSH into | AWS free tier, DigitalOcean, home Raspberry Pi |
| SSH installed | Usually pre-installed | Run ssh -V to check |
Don’t have a server? No worries! You can practice with:
- Free: AWS EC2 free tier (12 months)
- Cheap: DigitalOcean droplet ($4/month)
- Free + Fun: Raspberry Pi at home
Step 1: Your First SSH Connection
Let’s connect to a server. This is the moment you become a remote wizard.
Connect to a remote server:

```bash
# ssh [username]@[server-ip-or-hostname]
ssh admin@192.168.1.100
```

Expected output:

```
Welcome to Ubuntu 24.04.1 LTS
Last login: Sat Feb 9 10:15:32 2026
admin@server:~$
```

- Replace 'admin' with your actual username
- Replace the IP with your server's address
- The first connection will ask you to verify the host key
What Happens Next?
The first time you connect, you’ll see something like:

```
The authenticity of host '192.168.1.100' can't be established.
ED25519 key fingerprint is SHA256:xYz123...
Are you sure you want to continue connecting (yes/no)?
```

This message means your computer has never seen this server’s host key. It is the one moment where SSH cannot protect you by itself: if you type yes to an attacker’s key, every later connection will trust the attacker.
Before typing yes, compare the fingerprint with one you obtained out of band:
- Your cloud provider’s console or instance boot log usually prints the host key fingerprints
- On a server you already control (through the provider’s console or a physical screen), run ssh-keygen -lf on /etc/ssh/ssh_host_ed25519_key.pub and compare
- Your team may publish the fingerprints of shared servers
If the fingerprints match, type yes. If you cannot verify (an unknown server, public WiFi, a prompt you were not expecting), stop and verify first.
This check is what defends you against “man-in-the-middle” attacks, where someone on the network impersonates your server.
After typing yes, the key is pinned in ~/.ssh/known_hosts. You won’t see this prompt again for this server unless its key changes.
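To make the verification step concrete, here is an added Python example (standard library only, not part of the original page) that recomputes the SHA256 fingerprint shown in the prompt from a public key line and checks a presented host key against known_hosts entries, both plain and hashed the way HashKnownHosts writes them. The keys, hostnames and salt are constructed test data, not real keys; @cert-authority and @revoked markers and [host]:port entries are not handled.

```python
"""Added example: recompute an OpenSSH SHA256 fingerprint and check a host key
against known_hosts entries (plain and hashed). Standard library only."""
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line: str) -> tuple:
    """Split 'ssh-ed25519 AAAA... comment' into (key type, raw key blob)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # the blob is self-describing: uint32 length + the type string come first
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type field does not match blob")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by ssh-keygen -lf and the first-connect prompt:
    base64 of the SHA-256 digest of the key blob, with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(entry_host: str, hostname: str) -> bool:
    """Match a known_hosts host field: plain name, comma list, or |1|salt|hash
    (HMAC-SHA1 of the hostname keyed with the salt, as HashKnownHosts writes it)."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in entry_host.split(",")


def check_host_key(known_hosts: str, hostname: str, presented: str) -> str:
    """Return 'ok' (pinned key identical), 'unknown' (first contact: verify the
    fingerprint out of band) or 'CHANGED' (pinned key differs: possible MITM)."""
    p_type, p_blob = parse_pubkey_line(presented)
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host_field, k_type, k_b64 = line.split()[:3]
        if host_matches(host_field, hostname) and k_type == p_type:
            return "ok" if base64.b64decode(k_b64) == p_blob else "CHANGED"
    return "unknown"


def make_ed25519_line(public_bytes: bytes, comment: str = "constructed") -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 raw bytes
    (constructed test bytes, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + public_bytes
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Produce the |1|salt|hash form so the demo exercises the hashed branch."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


# constructed sample data: one server key, one impostor key, two known_hosts entries
SERVER_KEY = make_ed25519_line(bytes(range(32)), "root@server")
OTHER_KEY = make_ed25519_line(bytes(range(32, 64)), "impostor")
KNOWN_HOSTS = "\n".join([
    "192.168.1.100 " + SERVER_KEY,
    hashed_host_field("prod.example.net", b"0123456789abcdef0123") + " " + SERVER_KEY,
])

if __name__ == "__main__":
    print(fingerprint(parse_pubkey_line(SERVER_KEY)[1]))
    print(check_host_key(KNOWN_HOSTS, "192.168.1.100", SERVER_KEY))      # ok
    print(check_host_key(KNOWN_HOSTS, "prod.example.net", SERVER_KEY))   # ok (hashed entry)
    print(check_host_key(KNOWN_HOSTS, "192.168.1.100", OTHER_KEY))       # CHANGED
    print(check_host_key(KNOWN_HOSTS, "10.0.0.5", SERVER_KEY))           # unknown
```

The 'CHANGED' case is exactly what ssh reports as "REMOTE HOST IDENTIFICATION HAS CHANGED": treat it as an incident until you have confirmed a legitimate reinstall.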
🎉 Congratulations! You just made your first SSH connection!
Step 2: SSH Keys — Never Type a Password Again
Passwords are annoying. And risky. Let’s upgrade to SSH keys.
Think of SSH keys like:
- Public key = A lock you put on the server’s door
- Private key = The unique key only you have
You give the server your lock (public key). Only your key (private key) can open it. Even if someone steals the lock, they can’t open the door without your key.
Step 2.1: Generate Your Key Pair
Generate a new SSH key pair:

```bash
# ssh-keygen -t ed25519 -C 'your_email@example.com'
ssh-keygen -t ed25519 -C 'shekhar@shekharit.com'
```

Expected output:

```
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/you/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Your identification has been saved in /home/you/.ssh/id_ed25519
Your public key has been saved in /home/you/.ssh/id_ed25519.pub
```

- Press Enter to accept the default location
- Add a passphrase (recommended): it encrypts the private key on disk, so a stolen file is not immediately usable
- The -C string is only a comment stored in the public key to help you tell keys apart; it does not have to be an email address
- Ed25519 is the current recommended default in OpenSSH: small keys, fast, and no key-size or parameter choices to get wrong. Fall back to 4096-bit RSA only for very old servers that do not support it
This creates two files:
- ~/.ssh/id_ed25519: your private key (NEVER share this!)
- ~/.ssh/id_ed25519.pub: your public key (safe to share)
Step 2.2: Copy Your Public Key to the Server
Install your public key on a remote server:

```bash
# ssh-copy-id [username]@[server]
ssh-copy-id admin@192.168.1.100
```

Expected output:

```
Number of key(s) added: 1
Now try logging into the machine with: ssh admin@192.168.1.100
```

- You'll need to enter your password one last time
- This appends your public key to ~/.ssh/authorized_keys on the server, creating ~/.ssh with restrictive permissions if it does not exist yet
Step 2.3: Test It!
Now connect again. The server no longer asks for a password; if you set a passphrase, ssh asks for it locally to unlock the key (ssh-agent can cache it for the rest of your session):

```bash
ssh admin@192.168.1.100
```

🎉 You’re in! No server password prompt. Magic.
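The following is an added Python example (not from the original page) that does by hand what ssh-copy-id does, which you need on a client that lacks it, such as the Windows OpenSSH port, or when debugging "Permission denied (publickey)" after a manual copy. It validates the public key line, refuses a private key, appends the key only once, and applies the permissions that sshd's StrictModes (on by default) checks. The home directory and key line it exercises are constructed in a temporary directory.

```python
"""Added example: what ssh-copy-id does underneath, done explicitly. Validates the
public key line, refuses private keys, appends once, and sets the permissions
sshd's StrictModes requires. Standard library only."""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path


def validate_pubkey_line(line: str) -> str:
    """Accept only a single OpenSSH public key line; reject anything that looks
    like a private key, the classic mistake when copying by hand."""
    if "PRIVATE KEY" in line:
        raise ValueError("this is a PRIVATE key; it must never leave your machine")
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    base64.b64decode(parts[1], validate=True)      # must be well-formed base64
    return " ".join(parts)


def install_authorized_key(home: Path, line: str) -> bool:
    """Append the key to <home>/.ssh/authorized_keys if absent; return True if added.
    Permissions sshd insists on with StrictModes yes: ~/.ssh 700, authorized_keys 600,
    and a home directory not writable by group or others. Otherwise sshd silently
    ignores the file and you see 'Permission denied (publickey)'."""
    key = validate_pubkey_line(line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    # compare on type+blob so a different comment does not create a duplicate entry
    present = {" ".join(l.split()[:2]) for l in existing if l.strip()}
    added = " ".join(key.split()[:2]) not in present
    if added:
        with ak.open("a") as f:
            f.write(key + "\n")
    os.chmod(ak, 0o600)
    home_mode = stat.S_IMODE(home.stat().st_mode)
    if home_mode & 0o022:
        os.chmod(home, home_mode & ~0o022)        # strip group/other write bits
    return added


def constructed_key(comment: str) -> str:
    """A syntactically valid ssh-ed25519 line built from fixed bytes (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo_in_tempdir() -> dict:
    """Exercise the installer in a throwaway 'home' directory and report what happened."""
    home = Path(tempfile.mkdtemp())
    os.chmod(home, 0o775)                         # deliberately group-writable, a common bad state
    first = install_authorized_key(home, constructed_key("shekhar@laptop"))
    second = install_authorized_key(home, constructed_key("same key, new comment"))
    try:
        install_authorized_key(home, "-----BEGIN OPENSSH PRIVATE KEY-----")
        rejected = False
    except ValueError:
        rejected = True
    ak = home / ".ssh" / "authorized_keys"
    return {
        "first_added": first, "second_added": second, "rejected_private": rejected,
        "lines": len(ak.read_text().splitlines()),
        "ssh_dir_mode": stat.S_IMODE((home / ".ssh").stat().st_mode),
        "file_mode": stat.S_IMODE(ak.stat().st_mode),
        "home_mode": stat.S_IMODE(home.stat().st_mode),
    }


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Run it on the server as the target user with the real home path and the public key line from your client, and compare the reported modes with what ssh -v on the client says when it tries the key.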
Troubleshooting: When Things Go Wrong
| Problem | Cause | Solution |
|---|---|---|
| Connection refused | SSH server not running, or listening on another port | On the server run sudo systemctl start ssh (Debian/Ubuntu) or sudo systemctl start sshd (RHEL/Fedora); check Port in sshd_config |
| Permission denied (publickey) | Wrong key, wrong user, or sshd ignores authorized_keys because ~/.ssh is not 700, authorized_keys is not 600, or the home directory is group/world-writable | Run ssh -v on the client to see which keys were offered; fix the permissions on the server; verify the user exists |
| Connection timed out | Network/firewall issue | Check the server’s firewall and cloud security group for port 22 |
| Host key verification failed | The server’s key changed, or someone is intercepting the connection | Do not blindly delete the old key. Confirm the change out of band (reinstall, restore from snapshot), then forget the old key with ssh-keygen -R [host] |
If someone steals your private key:
- Generate a new key immediately
- Remove the old public key from all servers
- Add your new public key to servers
Never share your private key with anyone. Ever.
Step 3: The SSH Config File — Your Shortcut System
Typing ssh ubuntu@54.23.88.101 -p 2222 -i ~/.ssh/id_production every time is painful. The SSH config file fixes this permanently.
Create ~/.ssh/config:

```
Host myserver
    HostName 192.168.1.100
    User admin
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host prod
    HostName 54.23.88.101
    User ubuntu
    Port 2222
    IdentityFile ~/.ssh/id_production
```
Now connecting is just:

```bash
ssh myserver
ssh prod
```

SSH reads the matching Host block from ~/.ssh/config and applies every setting automatically.
- Tab-completion works for Host names in some shells
- Use 'Host *' as a wildcard for settings that should apply to every host, and put that block last: for each option ssh keeps the first value it finds, so a wildcard block placed first would override your per-host settings
- Run 'man ssh_config' to see every option
SSH refuses to read the config file if other users can write to it (you will see "Bad owner or permissions on ~/.ssh/config"), so restrict it:

```bash
chmod 600 ~/.ssh/config
```
File Transfers: SCP and SFTP
SSH isn’t only for terminal sessions — it also powers secure file transfers.
SCP (Secure Copy — Fast and Simple)
Copy files securely between local and remote machines:

```bash
# scp [source] [user@host:destination]
scp report.pdf ubuntu@192.168.1.100:/home/ubuntu/
```

- Use -r to copy entire directories recursively
- Reverse the arguments to download: scp ubuntu@server:/path/file.txt .
- Use -P (capital P) to specify a non-standard port; lowercase -p preserves timestamps and modes instead
- Since OpenSSH 9.0, scp moves data over the SFTP protocol internally, so both tools use the same server-side subsystem
SFTP (SSH File Transfer Protocol — Interactive)
SFTP is a file transfer protocol that runs inside an SSH session, so it is encrypted and authenticated exactly like your shell login. Do not confuse it with FTPS (FTP over TLS) or plain FTP, which sends your password in clear text. It is the tool for interactive browsing on a server:

```bash
sftp admin@192.168.1.100
```

- Type 'help' for all available commands
- 'put file.txt' uploads, 'get file.txt' downloads
- GUI tools like FileZilla and Cyberduck support SFTP
Hardening SSH (Security Best Practices)
Once keys are working, lock your server down further by editing /etc/ssh/sshd_config (as root). One rule matters more than any other: for each keyword sshd uses the first value it reads, and Include lines are expanded at the point where they appear. Ubuntu’s stock file starts with Include /etc/ssh/sshd_config.d/*.conf, and cloud images ship a drop-in there that sets PasswordAuthentication yes, which silently wins over a no further down the main file. Either edit that drop-in or add your own drop-in that sorts first (for example 00-hardening.conf), then confirm with sudo sshd -T, which prints the effective configuration.
1. Disable Password Authentication

```
# In /etc/ssh/sshd_config (or a drop-in that sorts before the cloud-init one)
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
```

Also set KbdInteractiveAuthentication no: with UsePAM yes, PAM can still prompt for a password through keyboard-interactive authentication even when PasswordAuthentication is off.
2. Restrict Which Users Can Log In

```
# Only the 'ubuntu' and 'deploy' users can SSH in
AllowUsers ubuntu deploy
```
3. Protect Against Brute Force with fail2ban
fail2ban watches the authentication log and temporarily bans IPs that fail repeatedly. With passwords disabled, guessing attempts cannot succeed anyway; fail2ban mainly keeps your logs readable and slows down scanners:

```bash
sudo apt install fail2ban
```

- On Debian/Ubuntu the sshd jail is enabled by default after install
- Default: 5 failed attempts within 10 minutes → 10-minute IP ban
- Check bans with: sudo fail2ban-client status sshd
After editing sshd_config, check the syntax with sudo sshd -t, then restart the service with sudo systemctl restart ssh (Debian/Ubuntu) or sudo systemctl restart sshd (RHEL/Fedora). Keep your current session open, open a second terminal and verify you can still connect before you log out. A misconfigured sshd can permanently lock you out of your server.
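Because the first-value-wins rule and the Include at the top of Ubuntu's sshd_config catch so many people, here is an added Python example (not from the original page) that computes the effective global value of the hardening keywords the way sshd resolves them and flags weak ones. The two configuration files are constructed inside the script to mirror an Ubuntu cloud image with a 50-cloud-init.conf drop-in; the fallback values are OpenSSH's upstream defaults. On a real host the authoritative check remains sudo sshd -T.

```python
"""Added example: resolve sshd_config keywords the way sshd does (first value
wins, Include expanded in place, Match blocks scoped) and flag weak settings.
Standard library only; the files are constructed, not read from disk."""
import fnmatch
import re

# Constructed files modelled on an Ubuntu cloud image: the stock sshd_config
# includes a drop-in directory at the top, and a drop-in re-enables passwords.
FILES = {
    "/etc/ssh/sshd_config": """
Include /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication no
UsePAM yes
# added by an admin who believed this would take effect:
PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
""",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# keyword -> value a hardened server should show (compared case-insensitively)
WANTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
}
# OpenSSH upstream defaults, used when a keyword never appears
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def _expand(path: str, files: dict) -> list:
    """Return (keyword, value, source file) tuples in the order sshd reads them,
    expanding Include globs against the file table instead of the filesystem."""
    out = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)$", line)   # 'Key value' or 'Key=value'
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "include":
            for pattern in value.split():
                for name in sorted(files):               # glob results are sorted
                    if fnmatch.fnmatch(name, pattern):
                        out.extend(_expand(name, files))
        else:
            out.append((key, value, path))
    return out


def effective(files: dict, root: str = "/etc/ssh/sshd_config") -> dict:
    """Global effective settings: first occurrence wins. Everything after the first
    Match line is conditional and is reported separately, not applied globally."""
    settings, conditional, in_match = {}, [], None
    for key, value, src in _expand(root, files):
        if key == "match":
            in_match = value
            continue
        if in_match is not None:
            conditional.append((in_match, key, value, src))
        elif key not in settings:
            settings[key] = (value, src)
    return {"global": settings, "conditional": conditional}


def audit(files: dict) -> list:
    """Findings for keywords whose effective (or defaulted) value is weaker than WANTED."""
    eff = effective(files)["global"]
    findings = []
    for key, wanted in WANTED.items():
        value, src = eff.get(key, (DEFAULTS[key], "(compiled-in default)"))
        if value.lower() != wanted:
            findings.append(f"{key} is '{value}' from {src}; want '{wanted}'")
    return findings


if __name__ == "__main__":
    for finding in audit(FILES):
        print("WEAK:", finding)
    for scope, key, value, src in effective(FILES)["conditional"]:
        print(f"conditional ({scope}): {key} {value} [{src}]")
```

The run reports PasswordAuthentication as 'yes' coming from the drop-in even though the main file says 'no' twice; fixing the drop-in (or adding one that sorts before it) makes the audit come back clean.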
SSH Tunneling: Port Forwarding
SSH tunnels let you securely forward network traffic through an encrypted channel. This is one of SSH’s most powerful — and underused — features.
Local Port Forwarding: make a service on the remote side reachable on your own machine.
Forward local port 8080 to port 80 on the remote server:

```bash
ssh -N -L 8080:localhost:80 admin@192.168.1.100
```

- After this, http://localhost:8080 connects to port 80 on the server. The 'localhost' in the -L argument is resolved on the server side, so you can name any host the server can reach (an internal database, for example)
- Useful for reaching internal dashboards without exposing them to the internet
- -N opens the tunnel without starting a shell; the listener binds to 127.0.0.1 on your machine by default, so other people on your network cannot use it
Key Takeaways
- ✅ What SSH is: an encrypted tunnel for remote control, file transfers, and port forwarding
- ✅ Two-phase encryption: an ECDH handshake establishes a shared secret, then a symmetric cipher (ChaCha20 or AES) protects the session
- ✅ Host keys: verify the fingerprint on first connect; afterwards it is pinned in ~/.ssh/known_hosts
- ✅ Key-based auth: ssh-keygen -t ed25519, then ssh-copy-id user@server, then login without a server password
- ✅ SSH config: ~/.ssh/config for shortcuts; chmod 600 ~/.ssh/config so ssh accepts it
- ✅ File transfers: scp for quick copies, sftp for interactive sessions
- ✅ Hardening: disable passwords, restrict users, install fail2ban, confirm the effective settings with sshd -T
- ✅ Port forwarding: ssh -L tunnels remote services through the encrypted channel
Found this helpful? Explore more in the Linux Hub!