What is SSH (Secure Shell)?

Table of Contents 5 sections

What is SSH (Secure Shell)?

SSH, or Secure Shell, is a cryptographic network protocol that enables secure communication between two computers over an insecure network such as the internet. Developed in 1995 by Tatu Ylonen as a replacement for insecure protocols like Telnet, rlogin, and FTP, SSH provides strong authentication, data encryption, and integrity verification for remote administration, file transfers, and tunneling. SSH operates on port 22 by default and has become the standard protocol for managing servers and network infrastructure securely.

SSH is indispensable in modern server administration. System administrators use it to remotely access command-line interfaces on Linux and Unix servers, execute commands, manage configurations, and troubleshoot issues. Beyond interactive terminal sessions, SSH is the foundation for tools like SCP (Secure Copy) and SFTP (SSH File Transfer Protocol), and it powers version control operations through Git over SSH. Virtually every web server, cloud instance, and network appliance supports SSH as the primary secure remote access method.

How SSH Authentication Works

SSH supports multiple authentication methods, with password-based and public key authentication being the most common. In password authentication, the user provides their username and password, which are transmitted over the encrypted SSH channel. While this is straightforward, it is susceptible to brute-force attacks if weak passwords are used. Public key authentication is significantly more secure: the user generates a cryptographic key pair consisting of a private key (kept secret on the client) and a public key (placed on the server).

During public key authentication, the server sends a challenge encrypted with the user's public key, and the client proves its identity by decrypting the challenge with its private key. Because the private key never leaves the client machine and is typically protected with a passphrase, this method is resistant to brute-force attacks and credential theft. Certificate-based authentication extends this model by having a trusted Certificate Authority sign user and host keys, simplifying key management in large-scale environments.

SSH Security Hardening

Securing SSH is one of the most critical tasks in server hardening because it is the primary administrative access point. The first step is to disable password authentication entirely and require public key authentication, eliminating the risk of brute-force password attacks. Root login should be disabled (PermitRootLogin no), requiring administrators to log in as a regular user and escalate privileges using sudo. Changing the default SSH port from 22 to a non-standard port reduces the volume of automated scanning and attack attempts, though this is a security-through-obscurity measure and should not be the sole defense.

Implementing fail2ban or similar intrusion prevention tools automatically blocks IP addresses after a configurable number of failed authentication attempts. SSH access should be restricted to specific IP addresses or ranges using firewall rules when possible. The SSH configuration should specify strong cipher suites, key exchange algorithms, and MAC algorithms, disabling weak or deprecated options. AllowUsers or AllowGroups directives restrict SSH access to only those accounts that require it, following the principle of least privilege.

SSH Tunneling and Port Forwarding

SSH tunneling, also known as SSH port forwarding, is a powerful feature that creates encrypted tunnels through which other network traffic can be routed. Local port forwarding allows a user to access a remote service as if it were running locally, which is commonly used to securely connect to databases, internal web services, or administration panels that are not directly accessible from the internet. Remote port forwarding exposes a local service through the SSH server, making it accessible to other machines on the remote network.

Dynamic port forwarding creates a SOCKS proxy through the SSH connection, allowing the user to route arbitrary TCP traffic through the encrypted tunnel. This is often used as a lightweight alternative to a VPN for securing web browsing on untrusted networks. While SSH tunneling is an invaluable tool for legitimate administration, it can also be exploited by attackers to bypass firewalls and exfiltrate data, which is why monitoring SSH sessions and restricting tunneling capabilities to authorized users is important.

SSH Key Management Best Practices

Effective SSH key management is essential for maintaining server security at scale. Each user should have their own unique key pair rather than sharing keys between individuals or systems. Private keys should be protected with strong passphrases and stored securely, using SSH agent forwarding or hardware security keys (like YubiKeys with FIDO2 support) to avoid exposing private keys on intermediate systems. Keys should be rotated periodically, and revoked keys must be promptly removed from all authorized_keys files.

Organizations managing large numbers of servers should implement centralized SSH key management solutions or use SSH Certificate Authorities to issue time-limited certificates instead of static authorized keys. Auditing SSH key usage helps identify orphaned keys belonging to former employees or decommissioned systems. For WordPress server administration, ensure that SSH keys are generated with a minimum of 4096-bit RSA or Ed25519 algorithms, and never store private keys in web-accessible directories or version control repositories.