Secure shell uses multiple encryption and authentication techniques. On the one hand, this ensures that data streams cannot be read or manipulated. On the other hand, only authorized participants can contact each other.

The first step is that the SSH server and client authenticate themselves to one another. The server sends a certificate to the client to verify that it is the correct server. When making contact, there is the risk that a third party will get between the two participants and therefore intercept the connection. Since the certificate itself is also encrypted, it cannot be imitated. Once the client knows what the correct certificate is, no third parties can contact the relevant server.

After server authentication, however, the client must also identify itself as being authorized to access the server. A password can be used for this purpose. This (or the encrypted hash value of it) is stored on the server. As a result, users must enter their password each time they log onto the different server during the same session. For this reason, there is an alternative method of client-side authentication using the key pair public key and private key.

The private key is created individually for your own computer and secured with a passphrase that should be longer than a typical password. The private key is stored exclusively on your own computer and always remains secret. If you want to establish an SSH connection, just enter the passphrase and you will gain access to the private key.

There are also public keys on the server (just like on the client itself). The server creates a cryptographic problem with its public key and sends this to the client. The server then decrypts the problem with its own private key, sends the solution back, and informs the server that it is allowed to establish a legitimate connection.

During a session, you only need to enter the passphrase once to connect to any number of servers, At the end of the session, users should log off from their local computers to ensure that no third party with physical access to the local computer can connect to the server.

After mutual authentication, the two communication participants establish an encrypted connection. To do this, a key is generated for the session, which expires when the session is over. This is not to be confused with the public/private key pairs, which are only used for key exchange. The key used for symmetric encryption is only valid with this one session. Both client and server have the same key, so any messages that are exchanged can be encrypted and decrypted. Client and server create the key simultaneously, but independently of one another. In the so-called key change algorithm, both parties use certain public and secret information to create the key.

Another form of encryption takes place in SSH through hashing. A hash is a form of signature for the transmitted data. An algorithm generates a unique hash from the data. If data is manipulated, the hash value changes automatically. This way the recipient can know whether data has been changed by third parties along the way. The hash values are designed in such a way that they cannot be easily simulated. It’s not possible to create two different transmissions with the same hash – this is known as collision protection.

TCP ports are endpoints that open servers and clients to enable communication. As with a port, the communication partners receive and send the data packets via these ports. TCP has an address space of 16 bits and therefore 65535 ports are available. However, the internet assigned numbers authority (IANA) has assigned a number of ports (exactly 1024) for certain applications, including the SSH port. By default, all SSH connections run on port 22.

With SSH, port forwarding is also possible: The SSH port of a client or server is used by another participant within a local network to create a secure connection via the internet. The participants create a tunnel for this: The data is received via port 22 and then forwarded to the client in the local network.

The SSH client is usually your own PC that you want to use to establish a connection to the server. To achieve this, you can or must (depending on the operating system) install separate software that establishes an SSH connection. These programs are also usually called SSH clients. The fee-based Tectia SSH comes from SSH communication security and additionally contains a server software. But there are also numerous free alternatives, such as the open source software, PuTTy for Windows and Linux, or lsh, which works on all operating systems based on Unix.

The SSH server is the counterpart to the client. The term is also used here for the software. Much of the client software also works on servers. In addition, there is software designed exclusively for SSH servers. It is normal to start SSH on servers when you start up the computer. This guarantees that you can access the server from outside at any time via SSH.

Strictly speaking, it isn’t necessary for the SSH server to be located in a remote data center. Users can also install an SSH server on their own PC at home to benefit from the advantages of port forwarding, for example.