> History

SSH was created by Tatu Ylönen at Helsinki University of Technology, Finland in 1995, after a password-sniffing attack on the university network. It was designed as a secure replacement for insecure protocols — rsh, rlogin, and telnet — which transmitted all data including passwords in plaintext.

SSH-1 was released as freeware. In 2006, SSH-2 was standardized as RFC 4251–4256. OpenSSH, the most widely deployed implementation, is maintained by the OpenBSD project and ships with virtually all Linux distributions and macOS.

Port 22 · RFC 4251–4256 · OpenSSH 9.x · Finland, 1995 · Replaces: telnet, rsh, rlogin
SSH Architecture
═══════════════════════════════════════════════════════════
┌─────────────────┐                    ┌────────────────────┐
│   SSH Client    │                    │     SSH Server     │
│  (ssh command)  │                    │   (sshd daemon)    │
└────────┬────────┘                    └─────────┬──────────┘
         │                                       │
         │  1. TCP connection (port 22)          │
         │ ─────────────────────────────────────▶│
         │                                       │
         │  2. Version exchange (plaintext)      │
         │ ◀─────────────────────────────────────│
         │ ─────────────────────────────────────▶│
         │                                       │
         │  3. Key exchange (KEXINIT, DH/ECDH)   │
         │ ◀─────────────────────────────────────│
         │ ─────────────────────────────────────▶│
         │  [Encrypted channel established]      │
         │                                       │
         │  4. Server authentication             │
         │ ◀── host key signs the exchange hash ─│
         │     (client checks it against         │
         │      known_hosts or a host CA)        │
         │                                       │
         │  5. User authentication               │
         │ ──── pubkey / password ──────────────▶│
         │                                       │
         │  6. Session / tunnel / port forward   │
         │ ◀═════════════════════════════════════│
         │  [Encrypted shell / SCP / SFTP]       │
═══════════════════════════════════════════════════════════
> Encryption
Everything after the key exchange is encrypted and integrity-protected between client and server; modern OpenSSH defaults to the AEAD ciphers chacha20-poly1305@openssh.com and aes256-gcm@openssh.com. Only the protocol version strings and the algorithm negotiation (KEXINIT) travel in plaintext, and both are hashed into the session identifier so that tampering with them makes the exchange fail.
> Authentication
Public key (preferred), password, keyboard-interactive, GSSAPI/Kerberos, certificate-based. Supports multi-factor authentication via PAM or authenticator apps.
> Tunneling
Local port forwarding (-L), remote port forwarding (-R) and a dynamic SOCKS4/5 proxy (-D) carry any TCP service through the SSH connection. Forwarded ports bind to the loopback interface unless a bind address (or GatewayPorts on the server) is given; a forward bound to 0.0.0.0 exposes the tunnel to everything that can reach the machine.
> Port 22 Fun Fact
Tatu Ylönen requested port 22 from IANA in July 1995. It was assigned immediately between FTP (21) and Telnet (23) — a fitting symbolic placement for SSH's purpose.
> OpenSSH Project
Forked by OpenBSD developers in 1999 from OSSH, the last freely licensed derivative of Ylönen's original SSH. Open source, audited and maintained by the OpenBSD project, with a "portable" release for other platforms. Powers SSH on Linux, macOS, the BSDs and Windows (the OpenSSH client ships as a Windows 10 feature since 2018).
> SSH vs SFTP vs SCP
SSH: remote shell and command execution. SCP: copy over SSH (legacy; since OpenSSH 9.0 the scp command speaks the SFTP protocol underneath by default). SFTP: SSH file transfer protocol (feature-rich, preferred). All run inside the SSH transport layer.
SSH-1 vs SSH-2

| Feature          | SSH-1                                                    | SSH-2                                                                                              |
|------------------|----------------------------------------------------------|----------------------------------------------------------------------------------------------------|
| Status           | Deprecated / insecure                                    | Current standard                                                                                   |
| Integrity        | CRC-32 checksum (broken; the CRC-32 compensation attack) | HMAC-SHA1 / HMAC-SHA2, UMAC, or AEAD ciphers (ChaCha20-Poly1305, AES-GCM)                          |
| Key exchange     | RSA only                                                 | DH groups, ECDH on NIST curves, Curve25519, post-quantum hybrids in recent OpenSSH                 |
| Channels         | Single channel                                           | Multiplexed channels                                                                               |
| Interoperability | Incompatible with SSH-2                                  | Standardized in RFC 4251–4256                                                                      |
| SFTP             | No                                                       | Yes                                                                                                |
| Port forwarding  | Limited                                                  | Full support                                                                                       |
| Vulnerabilities  | Multiple critical CVEs                                   | Protocol flaws rare; the Terrapin prefix-truncation attack (CVE-2023-48795, 2023) is fixed by the strict key exchange extension in OpenSSH 9.6 |
SSH Command Reference

user@host:~$ ssh -V
OpenSSH_9.x, LibreSSL 3.x   (man pages: ssh(1), sshd(8), ssh-keygen(1), ssh-agent(1))

| Command | Description | Example |
|---|---|---|
| ssh user@host | Connect to remote host as user | ssh alice@192.168.1.10 |
| ssh -p PORT | Connect on a non-standard port | ssh -p 2222 user@host |
| ssh -i keyfile | Use a specific private key file | ssh -i ~/.ssh/id_ed25519 user@host |
| ssh -L [bind:]lport:host:rport | Local port forwarding (a remote service becomes reachable on a local port) | ssh -L 8080:localhost:80 user@host |
| ssh -R [bind:]rport:host:lport | Remote port forwarding (a local service is exposed on the remote side) | ssh -R 9090:localhost:3000 user@host |
| ssh -D port | Dynamic SOCKS4/5 proxy on a local port | ssh -D 1080 user@host |
| ssh -J jump user@target | Jump through a bastion host (ProxyJump) | ssh -J bastion.co user@10.0.0.5 |
| ssh -N | No remote command; tunnel only, no shell | ssh -N -L 5432:db:5432 user@host |
| ssh -f | Go to background after authentication, before the command runs | ssh -fN -L 8080:host:80 user@host |
| ssh -v / -vv / -vvv | Verbose debug output (three levels) | ssh -vvv user@host 2>&1 \| head -50 |
| ssh -t cmd | Force pseudo-TTY allocation for a remote command | ssh -t user@host sudo bash |
| ssh-keygen -t ed25519 | Generate an Ed25519 keypair (recommended) | ssh-keygen -t ed25519 -C "me@host" |
| ssh-keygen -t rsa -b 4096 | Generate an RSA-4096 keypair (legacy compatibility) | ssh-keygen -t rsa -b 4096 -C "key" |
| ssh-keygen -p -f key | Change the passphrase on an existing key | ssh-keygen -p -f ~/.ssh/id_ed25519 |
| ssh-keygen -l -f key | Show a key's fingerprint | ssh-keygen -l -f ~/.ssh/id_ed25519.pub |
| ssh-keygen -R host | Remove a host's keys from known_hosts | ssh-keygen -R 192.168.1.10 |
| ssh-copy-id user@host | Append a public key to the remote authorized_keys | ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host |
| ssh-agent | Start ssh-agent in the current shell | eval "$(ssh-agent -s)" |
| ssh-add | Add a private key to the running agent | ssh-add ~/.ssh/id_ed25519 |
| ssh-add -l | List keys loaded in the agent | ssh-add -l -E sha256 |
| scp src user@host:dst | Copy a file over SSH | scp file.tar.gz user@host:/tmp/ |
| scp -r dir user@host:dst | Recursively copy a directory | scp -r ./project user@host:~/ |
| sftp user@host | Interactive SSH file transfer session | sftp -i key user@host |
| rsync -e ssh | rsync over SSH (efficient incremental sync) | rsync -avz -e ssh ./src user@host:dst/ |
| ssh-keyscan -H host | Fetch a host's public keys (hashed with -H). This is trust-on-first-use: compare the fingerprint with a published value before relying on the entry | ssh-keyscan -H github.com >> known_hosts |
| ssh -o StrictHostKeyChecking=no | Skip host key verification entirely; changed keys are accepted too, so a MITM goes unnoticed. For automation use accept-new (unknown hosts accepted, changed keys still rejected) or a pre-seeded known_hosts | ssh -o StrictHostKeyChecking=accept-new user@host |
SSH Key Types

| Type | Size | Status | Notes |
|---|---|---|---|
| Ed25519 | 256-bit (fixed) | RECOMMENDED | EdDSA on Curve25519. Fast, small keys, deterministic signatures (no per-signature nonce to get wrong), designed for constant-time implementation. Requires OpenSSH 6.5+ (2014). |
| ECDSA | 256 / 384 / 521-bit | ACCEPTABLE | ECDSA on the NIST P-curves. Smaller than RSA, but the provenance of the curve parameters is questioned and a weak or reused per-signature nonce leaks the private key. Use Ed25519 where possible. |
| RSA | 2048 / 4096-bit | LEGACY / COMPAT | Widely supported. Use at least 3072 bits; 4096 is the common choice. Larger keys mean slower operations. Since OpenSSH 8.8 (2021) the SHA-1 based ssh-rsa signature scheme is disabled by default; RSA keys still work through rsa-sha2-256/512, so the real compatibility problem is a peer that speaks nothing but ssh-rsa. |
| DSA | 1024-bit (fixed) | DEPRECATED | The fixed 1024-bit size is cryptographically weak and the signature uses SHA-1. Disabled by default since OpenSSH 7.0 (2015) and removed from recent releases. Do not use; regenerate any remaining DSA keys. |
Key File Locations

| File | Description |
|---|---|
| ~/.ssh/ | Must be owned by the user and mode 700; with StrictModes (the default) sshd ignores keys in a directory other users can write to |
| ~/.ssh/id_ed25519 | Private key. Never share; mode 600 |
| ~/.ssh/id_ed25519.pub | Public key; safe to copy to servers |
| ~/.ssh/authorized_keys | Public keys trusted to log in to this account on the server; mode 600 (must not be group- or world-writable) |
| ~/.ssh/known_hosts | Host public keys the client has seen (full keys, not just fingerprints); hostnames are stored hashed when HashKnownHosts is on, which some distributions enable by default |
| ~/.ssh/config | Client-side connection aliases and settings |
| /etc/ssh/ssh_host_*_key | Server host private keys; root-owned, mode 600 (the .pub siblings are what clients pin) |
| /etc/ssh/sshd_config | SSH server daemon configuration |
Key Fingerprint

A SHA256 fingerprint is the SHA-256 hash of the server's public key blob, base64-encoded without padding, and identifies that host key. On first connection, compare the fingerprint ssh shows with one obtained out of band, for example from the operator's documentation or from ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub run on the server's console. Without that comparison the "authenticity of host can't be established" prompt is only trust-on-first-use, and a MITM present during that first connection succeeds.

Fingerprints in the format ssh-keygen -l prints them, for example:
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s (Ed25519)
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA-4096)
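To make the fingerprint concrete, here is an added example (not code from the page) that builds an OpenSSH public-key line from a constructed Ed25519 point, derives the SHA256 fingerprint the way ssh-keygen -l does, checks that the type token and the type embedded in the blob agree, and compares the result with a published value in constant time. The key material and comment are placeholders, not a real host's key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed placeholder: any 32 bytes serialize like an Ed25519 public point.
# This is NOT a real key from the page, GitHub, or any host.
SAMPLE_POINT = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, point: bytes, comment: str) -> str:
    """Assemble a .pub / authorized_keys style line: '<type> <base64 blob> <comment>'.
    The blob repeats the type name, so the encoding is self-describing."""
    blob = ssh_string(key_type.encode()) + ssh_string(point)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split a public key line and require the type embedded in the blob to
    agree with the leading type token; a mismatch means the line was edited."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode()
    if embedded != key_type:
        raise ValueError(f"type token {key_type!r} does not match blob type {embedded!r}")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """The fingerprint ssh-keygen -l prints: SHA-256 of the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_line(line: str) -> str:
    return sha256_fingerprint(parse_pubkey_line(line)[1])


def fingerprint_matches(line: str, published: str) -> bool:
    """Compare against the value obtained out of band, in constant time."""
    return hmac.compare_digest(fingerprint_of_line(line).encode(), published.encode())


if __name__ == "__main__":
    line = build_pubkey_line("ssh-ed25519", SAMPLE_POINT, "constructed@example")
    print(line)
    fp = fingerprint_of_line(line)
    print(fp, "(ED25519)")
    print("matches published:", fingerprint_matches(line, fp))
    print("matches tampered :", fingerprint_matches(line, "SHA256:" + "A" * 43))
```

The blob is the same bytes that appear in known_hosts and authorized_keys, which is why fingerprints computed from either file, from ssh-keyscan output, or from the server's own ssh_host_*_key.pub all agree.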
Key Exchange Algorithms
> curve25519-sha256
ECDH over Curve25519 (X25519) with SHA-256. Recommended; gives forward secrecy because the ephemeral key pair and the derived session keys are discarded when the session ends. Since OpenSSH 9.0 the default list is headed by the post-quantum hybrid sntrup761x25519-sha512@openssh.com with curve25519-sha256 next, so pinning KexAlgorithms to curve25519-sha256 alone silently drops that protection.
> diffie-hellman-group16-sha512
Finite-field Diffie-Hellman over the 4096-bit MODP group 16 with SHA-512. A FIPS-friendly alternative to Curve25519; slower but widely supported. Avoid diffie-hellman-group1-sha1 (1024-bit, SHA-1) and the other SHA-1 variants, which current OpenSSH no longer offers by default.
> SSH Certificate Authority (CA)
Sign user and host keys with a CA key (ssh-keygen -s). Clients trust the host CA through an @cert-authority line in known_hosts, and servers trust the user CA through TrustedUserCAKeys in sshd_config, so per-server known_hosts and per-user authorized_keys management disappears. Ideal for large fleets. Certificates carry principals, a validity period and options such as no-port-forwarding; expiry is enforced by the verifying side with no revocation lookup, so keep lifetimes short and maintain a RevokedKeys list for emergencies.
SSH Configuration Files
~/.ssh/config — Client Settings

| Option | Meaning |
|---|---|
| Host | Alias (pattern) that opens a configuration block |
| HostName | Actual hostname or IP |
| User | Username for the connection |
| Port | Remote SSH port (default 22) |
| IdentityFile | Path to the private key |
| ProxyJump |  Bastion host(s) to jump through |
| ServerAliveInterval | Keepalive interval in seconds |
| ServerAliveCountMax | Missed keepalives tolerated before disconnect |
| Compression | Enable compression |
| ForwardAgent | Forward the ssh-agent socket to the remote host (leave off unless needed) |
| StrictHostKeyChecking | yes / no / accept-new / ask |
| ControlMaster | Enable connection multiplexing |
| ControlPath | Socket path for shared connections |

For each option ssh uses the first value it finds, so host-specific blocks must come before the catch-all Host * block; a Host * block placed first overrides everything after it.

# Example ~/.ssh/config
Host bastion
    HostName bastion.example.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host prod-db
    HostName 10.0.0.42
    User postgres
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3

Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 30
    Compression yes
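The first-match-wins rule is where real configs go wrong, so here is an added example (not from the page) that parses the config above, resolves what ssh would use for prod-db, and follows the ProxyJump alias to the bastion's real hostname. The config text is a constructed copy of the example above; comma-separated multi-hop ProxyJump lists and Match blocks are out of scope.

```python
import fnmatch

# Constructed copy of the page's example ~/.ssh/config (assumed unchanged).
SAMPLE_CONFIG = """\
# Example ~/.ssh/config
Host bastion
    HostName bastion.example.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host prod-db
    HostName 10.0.0.42
    User postgres
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3

Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 30
    Compression yes
"""


def parse_blocks(text):
    """Return [(host_patterns, {option: value}), ...] in file order.
    Options before the first Host line live in an implicit block matching everything."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and (" " not in line or line.index("=") < line.index(" ")):
            line = line.replace("=", " ", 1)      # accept the 'Key=value' spelling
        parts = line.split(None, 1)
        key = parts[0].lower()                    # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value within a block wins
    return blocks


def host_matches(patterns, host):
    """ssh(1) Host semantics: any positive pattern matches, unless a '!' pattern matches."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def resolve(text, host):
    """Effective options for `ssh host`: the first obtained value for each keyword wins,
    so block order matters and the catch-all Host * block must come last."""
    effective = {}
    for patterns, options in parse_blocks(text):
        if host_matches(patterns, host):
            for key, value in options.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", host)
    effective.setdefault("port", "22")
    return effective


def jump_chain(text, host):
    """Real hostnames ssh dials before the target, following single-host ProxyJump aliases."""
    chain, seen = [], set()
    while True:
        jump = resolve(text, host).get("proxyjump")
        if not jump or jump.lower() == "none" or jump in seen:
            return chain
        seen.add(jump)
        chain.insert(0, resolve(text, jump)["hostname"])
        host = jump


if __name__ == "__main__":
    for alias in ("bastion", "prod-db", "somewhere.else"):
        print(alias, "->", resolve(SAMPLE_CONFIG, alias), "via", jump_chain(SAMPLE_CONFIG, alias))
```

Running it shows prod-db keeping ServerAliveInterval 60 from its own block while inheriting Compression from Host *; move the Host * block to the top of the file and the same resolver returns 30, which is exactly what ssh -G prod-db would report.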
/etc/ssh/sshd_config — Server Settings

| Option | Meaning |
|---|---|
| Port | Listen port (default 22) |
| PermitRootLogin | no / prohibit-password / yes |
| PasswordAuthentication | no (disable) / yes |
| PubkeyAuthentication | yes (enable key auth) |
| AuthorizedKeysFile | Path to authorized_keys (relative to the user's home) |
| AllowUsers | Allow list of users permitted to log in |
| AllowGroups | Allow list of groups permitted to log in |
| MaxAuthTries | Max auth attempts per connection |
| MaxSessions | Max open sessions per connection |
| LoginGraceTime | Seconds an unauthenticated connection may stay open |
| ClientAliveInterval | Keepalive interval to client |
| ClientAliveCountMax | Missed keepalives tolerated |
| X11Forwarding | Enable/disable X11 forwarding |
| UsePAM | Enable PAM for auth modules |
| Banner | File displayed before the login prompt |
| Subsystem sftp | SFTP subsystem path |

As in ssh_config, the first value found for an option wins; only Match blocks (which must come last) override it for matching connections. Validate with sshd -t before restarting and inspect the effective configuration with sshd -T.

# Hardened /etc/ssh/sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers deploy alice bob
MaxAuthTries 3
MaxSessions 10
LoginGraceTime 30
ClientAliveInterval 120
ClientAliveCountMax 3
X11Forwarding no
AllowTcpForwarding yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256

Two caveats on this file: with PasswordAuthentication no, also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication in releases before 8.7), otherwise PAM can still prompt for a password; and pinning KexAlgorithms to curve25519-sha256 alone removes the post-quantum hybrid that OpenSSH 9.0+ puts first by default, so prepend sntrup761x25519-sha512@openssh.com if the clients support it.
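As an added example (not part of the page), the following audits an sshd_config text against the hardened settings listed above: it applies the same first-value-wins rule sshd uses, flags weak or legacy algorithm names in Ciphers/MACs/KexAlgorithms, and notes Match blocks whose overrides need sshd -T to resolve. The weak config is constructed for illustration; in practice feed it the output of sshd -T from the host being reviewed.

```python
# Constructed weak and hardened sshd_config texts (the hardened one mirrors the
# example above; the weak one resembles an untouched default install).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers deploy alice bob
MaxAuthTries 3
MaxSessions 10
LoginGraceTime 30
ClientAliveInterval 120
ClientAliveCountMax 3
X11Forwarding no
AllowTcpForwarding yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256
"""

WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: it keeps the FIRST value it saw
PasswordAuthentication no
MaxAuthTries 6
Ciphers aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
Match User backup
    PasswordAuthentication no
"""

# (keyword, acceptable-value predicate, why it matters); keywords lower-cased
# because sshd compares them case-insensitively.
BASELINE = [
    ("permitrootlogin", lambda v: v in ("no", "prohibit-password"),
     "root should never log in with a password, preferably not at all"),
    ("passwordauthentication", lambda v: v == "no", "passwords are what brute-force bots guess"),
    ("pubkeyauthentication", lambda v: v == "yes", "key auth must stay on once passwords are off"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "caps guesses per connection"),
    ("logingracetime", lambda v: v.rstrip("s").isdigit() and int(v.rstrip("s")) <= 30,
     "limits how long unauthenticated connections hold a slot"),
    ("x11forwarding", lambda v: v == "no", "X11 forwarding exposes the client's display"),
]


def is_legacy_algo(name):
    """SHA-1, MD5, truncated-MAC, CBC, RC4 and SHA-1 signature era algorithm names."""
    return (name.endswith(("-sha1", "-md5", "-96", "-cbc")) or name.startswith("arcfour")
            or name in ("ssh-rsa", "ssh-dss"))


def parse_sshd_config(text):
    """Global options with sshd's first-value-wins rule; Match headers are
    collected separately because everything after them is conditional."""
    options, matches = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            matches.append(value)
        elif not matches:
            options.setdefault(key, value)
    return options, matches


def audit(text):
    """Findings for a config text; an empty list means the baseline is met."""
    options, matches = parse_sshd_config(text)
    findings = []
    for key, acceptable, why in BASELINE:
        value = options.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly; {why}")
        elif not acceptable(value.lower()):
            findings.append(f"{key} = {value}: {why}")
    for key in ("ciphers", "macs", "kexalgorithms"):
        for algo in filter(None, options.get(key, "").lower().split(",")):
            if is_legacy_algo(algo):
                findings.append(f"{key}: legacy algorithm {algo}")
    if matches:
        findings.append(f"{len(matches)} Match block(s); confirm overrides with sshd -T -C")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_SSHD_CONFIG), ("weak", WEAK_SSHD_CONFIG)):
        print(f"== {name}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Missing keywords are reported as findings on purpose: a hardening file should state its intent explicitly rather than inherit whatever the packaged defaults happen to be on this version.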
Security Best Practices
Common Attack Vectors
Brute Force / Dictionary Attack
Automated tools try thousands of username/password combinations per second, and bots scan port 22 worldwide around the clock, so a password-accepting sshd on a public address sees guesses within minutes of coming up.
Defense: PasswordAuthentication no (plus KbdInteractiveAuthentication no so PAM cannot re-enable prompts), AllowUsers/AllowGroups, a low MaxAuthTries, and rate limiting with fail2ban or sshd's own PerSourcePenalties (OpenSSH 9.8+). Moving the port only reduces log noise.
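Added example, not from the page: detection logic over a few constructed sshd log lines (traditional syslog format) that does in memory what a fail2ban sshd jail does: counts failures per source inside a sliding window, lists the usernames being sprayed, and surfaces the signal that matters most, a successful login from a source that had been failing. The year is assumed because syslog timestamps lack one.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd log lines in the traditional syslog format; real attacks
# produce hundreds of these per minute, not five. IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 web1 sshd[2201]: Invalid user admin from 203.0.113.7 port 51122
Mar  4 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:00:02 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  4 10:00:02 web1 sshd[2206]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar  4 10:00:03 web1 sshd[2208]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Mar  4 10:00:04 web1 sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 51142 ssh2
Mar  4 10:00:09 web1 sshd[2215]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2: ED25519 SHA256:constructedFingerprintPlaceholder000000000
Mar  4 10:00:30 web1 sshd[2220]: Failed password for alice from 198.51.100.23 port 40031 ssh2
Mar  4 10:00:31 web1 sshd[2220]: Accepted password for alice from 198.51.100.23 port 40031 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed (?P<method>\w+) for "
                    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for "
                      r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=600):
    """{ip: total failures} for sources with >= threshold failed logins inside
    any window of window_seconds (fail2ban's maxretry / findtime)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def spray_usernames(log_text):
    """Usernames tried against accounts that do not exist, per source IP."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m and m["invalid"]:
            users[m["ip"]].add(m["user"])
    return {ip: sorted(names) for ip, names in users.items()}


def success_after_failures(log_text, min_failures=1):
    """(ip, user, method, prior failures) for accepted logins from a source that
    had failed before: either a guess that worked or a user who mistyped once."""
    failed_ips = Counter()
    hits = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failed_ips[m["ip"]] += 1
            continue
        m = ACCEPTED.match(line)
        if m and failed_ips[m["ip"]] >= min_failures:
            hits.append((m["ip"], m["user"], m["method"], failed_ips[m["ip"]]))
    return hits


if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_AUTH_LOG))
    print("sprayed users:", spray_usernames(SAMPLE_AUTH_LOG))
    print("success after failures:", success_after_failures(SAMPLE_AUTH_LOG))
```

On the sample, 203.0.113.7 is flagged after five failures in four seconds, while alice's single mistype followed by a successful password login from 198.51.100.23 is surfaced separately for an analyst to judge; once PasswordAuthentication is off, any "Accepted password" line at all becomes a configuration drift alert.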
Man-in-the-Middle (MITM)
An attacker who sits between client and server before the channel is established answers with their own host key. If the client accepts it, a password typed into that session is captured outright and can be used against the real server. Public-key authentication does not leak the private key (the signature is bound to the attacker's session, not the real server's), but the attacker still controls everything the user sees and types.
Defense: verify host key fingerprints out of band on first use, keep StrictHostKeyChecking at ask or yes, and deploy SSH host certificates so a key not signed by your CA is rejected outright.
Stolen Private Key
If an attacker obtains the private key file (for example from a compromised workstation or an insecure backup), they can authenticate as the key owner everywhere that key is trusted, for as long as it stays in authorized_keys.
Defense: passphrase-protect keys, load them through ssh-agent, prefer FIDO2 hardware-backed keys (sk-ssh-ed25519@openssh.com: the private key never leaves the token), and use short-lived certificates so a copied key expires on its own.
SSH Agent Hijacking
On a compromised intermediate host, root (or the attacker) can use the forwarded ssh-agent socket to authenticate to other hosts as the victim for as long as the session is open; the key itself is not exposed, but every server it unlocks is.
Defense: leave ForwardAgent off by default and use ProxyJump instead; if forwarding is unavoidable, load keys with ssh-add -c so each use requires confirmation, or use FIDO2 keys that require a touch.
Compromised known_hosts
Removing legitimate entries from a client's known_hosts (or appending an attacker's key) makes the next connection show the ordinary first-use prompt instead of the REMOTE HOST IDENTIFICATION HAS CHANGED error, so a MITM succeeds silently as soon as the user answers yes.
Defense: SSH host certificates (@cert-authority entries in known_hosts or /etc/ssh/ssh_known_hosts), pinned fingerprints for critical hosts, file integrity monitoring on known_hosts, and HashKnownHosts so a stolen file does not also reveal which hosts the user connects to.
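Added example, not from the page: how a hashed known_hosts entry is built and matched, and how to check a host's stored keys against fingerprints pinned out of band, so that a removed or replaced entry is detected instead of silently re-accepted. The known_hosts content and key blobs are constructed; the hostnames and addresses are placeholders.

```python
import base64
import hashlib
import hmac
import os


def hash_hostname(hostname, salt=None):
    """The |1|salt|hmac token that HashKnownHosts and ssh-keygen -H write:
    HMAC-SHA1 over the hostname keyed with a random 20-byte salt."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, hostname):
    """A known_hosts host field is a comma-separated list of names/addresses
    (possibly [host]:port) or a single hashed token; hashing hides the
    hostnames from whoever steals the file but still allows lookup."""
    if not field.startswith("|1|"):
        return hostname in field.split(",")
    _, _, salt_b64, mac_b64 = field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def fingerprint(b64_key):
    """SHA256 fingerprint of a base64 key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def lookup(known_hosts_text, hostname):
    """All (key_type, fingerprint, marker) entries recorded for hostname;
    marker is '' or the leading @cert-authority / @revoked tag."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = ""
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue
        if host_field_matches(parts[0], hostname):
            found.append((parts[1], fingerprint(parts[2]), marker))
    return found


def check_pinned(known_hosts_text, hostname, pinned):
    """(missing, unexpected) relative to fingerprints pinned out of band. A pinned
    key that vanished or an unpinned key that appeared is what a tampered
    known_hosts looks like; ssh itself would just show the first-use prompt again."""
    present = {fp for _, fp, marker in lookup(known_hosts_text, hostname) if marker != "@revoked"}
    return sorted(set(pinned) - present), sorted(present - set(pinned))


def _ed25519_blob(point):
    """Wire-format ssh-ed25519 public key: string 'ssh-ed25519' + string point."""
    return b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + point


def build_sample_known_hosts():
    """Constructed file: plain and hashed entries for git.example.com with one
    placeholder key, and a hashed entry for db.internal with another."""
    git_key = base64.b64encode(_ed25519_blob(bytes(range(32)))).decode()
    db_key = base64.b64encode(_ed25519_blob(bytes(range(32, 64)))).decode()
    salt = bytes(range(20))  # fixed so the sample is reproducible; real salts are random
    return "\n".join([
        "# constructed sample, not a real known_hosts",
        "git.example.com,192.0.2.10 ssh-ed25519 " + git_key,
        hash_hostname("git.example.com", salt) + " ssh-ed25519 " + git_key,
        hash_hostname("db.internal", salt) + " ssh-ed25519 " + db_key,
    ]) + "\n"


if __name__ == "__main__":
    kh = build_sample_known_hosts()
    print(kh)
    pinned = [fingerprint(kh.splitlines()[1].split()[2])]
    print("git.example.com:", lookup(kh, "git.example.com"))
    print("pin check (intact):", check_pinned(kh, "git.example.com", pinned))
    print("pin check (entries deleted):", check_pinned("", "git.example.com", pinned))
```

ssh-keygen -F hostname performs the same hashed lookup; the pin check is the part ssh does not do for you, and it is what turns "the file changed" into an alert rather than a prompt.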
Old Protocol/Cipher Downgrade
Modern OpenSSH contains no SSH-1 code, so the remaining downgrade surface is algorithm negotiation: a server that still offers SHA-1 key exchange, CBC ciphers, MD5 or truncated MACs, or the ssh-rsa signature scheme lets any interoperable client pick them, and without strict key exchange the Terrapin prefix-truncation attack (CVE-2023-48795) can delete messages at the start of the encrypted channel.
Defense: explicit Ciphers, MACs, KexAlgorithms and HostKeyAlgorithms in sshd_config, OpenSSH 9.6 or later on both sides for strict KEX, and an audit of what the server actually advertises (ssh-audit, or a parse of its KEXINIT) rather than trust in the config file alone.
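Added example, not from the page: the SSH_MSG_KEXINIT message (RFC 4253 section 7.1) serialized and parsed, the client-preference negotiation rule, and a check of a server's offer for legacy algorithms and for the strict-KEX marker that mitigates the Terrapin attack (CVE-2023-48795). It covers both the key exchange list above and this downgrade vector. Both server offers are constructed, not captured from real hosts.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

# Constructed offers: what a hardened OpenSSH 9.6+ server and an old,
# unhardened server might advertise. Neither is a capture from a real host.
HARDENED_SERVER = {
    "kex_algorithms": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
                       "kex-strict-s-v00@openssh.com"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "encryption_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_client_to_server": ["hmac-sha2-512-etm@openssh.com"],
    "mac_server_to_client": ["hmac-sha2-512-etm@openssh.com"],
    "compression_client_to_server": ["none"],
    "compression_server_to_client": ["none"],
}
LEGACY_SERVER = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "curve25519-sha256"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-ed25519"],
    "encryption_client_to_server": ["aes128-cbc", "aes256-ctr"],
    "encryption_server_to_client": ["aes128-cbc", "aes256-ctr"],
    "mac_client_to_server": ["hmac-md5", "hmac-sha2-256"],
    "mac_server_to_client": ["hmac-md5", "hmac-sha2-256"],
    "compression_client_to_server": ["none", "zlib"],
    "compression_server_to_client": ["none", "zlib"],
}

LEGACY_NAMES = {"ssh-rsa", "ssh-dss", "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
                "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                "diffie-hellman-group-exchange-sha1", "3des-cbc", "arcfour",
                "arcfour128", "arcfour256"}


def _string(data):
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=None):
    """Serialize a KEXINIT payload: byte 20, 16-byte random cookie, ten name-lists,
    boolean first_kex_packet_follows, uint32 reserved (RFC 4253 section 7.1)."""
    payload = bytes([SSH_MSG_KEXINIT]) + (cookie if cookie is not None else os.urandom(16))
    for field in NAME_LISTS:
        payload += _string(",".join(lists.get(field, [])).encode("ascii"))
    return payload + b"\x00" + b"\x00\x00\x00\x00"


def parse_kexinit(payload):
    """Inverse of build_kexinit; raises on a wrong message type or truncated data."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT")
    offset, lists = 17, {}          # skip message byte and cookie
    for field in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        raw = payload[offset:offset + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        offset += n
        lists[field] = raw.decode("ascii").split(",") if raw else []
    lists["first_kex_packet_follows"] = bool(payload[offset])
    return lists


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: the first algorithm on the CLIENT's list that the server
    also offers wins; the server's ordering does not matter."""
    for algo in client_prefs:
        if algo in server_prefs:
            return algo
    raise ValueError("no common algorithm")


def assess_server(payload):
    """Findings for a server KEXINIT: legacy algorithms offered, plus whether the
    strict-KEX marker (the Terrapin / CVE-2023-48795 countermeasure) is present."""
    lists = parse_kexinit(payload)
    findings = []
    for field in NAME_LISTS[:6]:
        for algo in lists[field]:
            if algo in LEGACY_NAMES or algo.endswith("-cbc"):
                findings.append(f"{field}: offers legacy {algo}")
    if "kex-strict-s-v00@openssh.com" not in lists["kex_algorithms"]:
        findings.append("kex_algorithms: no kex-strict-s-v00@openssh.com (Terrapin mitigation absent)")
    return findings


if __name__ == "__main__":
    for name, offer in (("hardened", HARDENED_SERVER), ("legacy", LEGACY_SERVER)):
        print(f"== {name}")
        for finding in assess_server(build_kexinit(offer)):
            print("  -", finding)
    client_kex = ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]
    print("negotiated with legacy server:", negotiate(client_kex, LEGACY_SERVER["kex_algorithms"]))
```

Because negotiation follows the client's order, a legacy server only drags a session down to group14-sha1 if the client lists it ahead of curve25519-sha256; removing such names from the client's KexAlgorithms is as much a defense as hardening the server.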
SSH History — Encrypted Shell Since 1995
Before 1995
The Plaintext Era — Telnet, rlogin, rsh, rcp
Unix remote access relied entirely on Telnet, rlogin, rsh, and rcp. Every byte — including passwords — was transmitted in plaintext over the network. On shared university and corporate LANs, a packet sniffer could trivially capture credentials from any active session.
February 1995
The Attack That Changed Everything
A password-sniffing attack at Helsinki University of Technology compromises thousands of accounts across the university network. Finnish researcher Tatu Ylönen witnesses the fallout firsthand and decides to build a cryptographically secure replacement for the plaintext remote-access tools everyone relied on.
April–July 1995
SSH-1 Born — Tatu Ylönen Writes It in Weeks
Ylönen designs and implements SSH-1 over a few weeks in spring 1995 and publishes it as freeware in July 1995. By the end of the year it has some 20,000 users in fifty countries; by 2000 the user base is estimated at two million. In 1997 the IETF charters the SECSH working group to standardize the protocol.
1996
SSH Communications Security Founded
Ylönen founds SSH Communications Security to commercialize SSH. Later versions carry commercial licensing restrictions, creating friction for universities and ISPs. This directly motivates the development of a fully free, open-source implementation. SSH-1.5 and the OSSH forks appear during this period.
1999
OpenSSH — The Free Implementation
OpenBSD developers fork the last freely licensed SSH derivative (OSSH 1.2.12, itself based on ssh 1.2.12) and create OpenSSH. Markus Friedl, Niels Provos, and Theo de Raadt lead the effort. OpenSSH first ships with OpenBSD 2.6 in December 1999, then is rapidly ported to Linux and every other major Unix. It becomes the dominant SSH implementation within two years.
2000
OpenSSH Ported Everywhere; SSH-2 Support Lands
OpenSSH is ported to Linux, Solaris, HP-UX, AIX, and other platforms, rapidly displacing proprietary SSH clients and servers. OpenSSH 2.0 (May 2000) adds support for the SSH-2 protocol that the IETF SECSH working group has been drafting since 1997: a clean redesign with separate transport, authentication, and connection layers, plus Diffie-Hellman key exchange.
2006
RFC 4251–4256 — SSH-2 Standardized
SSH-2 is formally standardized as RFC 4251–4256 by the IETF. SSH-2 is backward-incompatible with SSH-1 but far more secure: modular architecture, Diffie-Hellman key exchange, stronger MACs, and SFTP support. RFC 4251 defines the architecture; RFC 4252 authentication; RFC 4253 the transport layer.
2000s
SFTP Becomes the Standard; SCP Lingers
OpenSSH's sftp-server subsystem and sftp client, added in the 2.x releases of 2000, give file transfer a proper protocol over SSH-2 with directory listings, resume and rename. SCP, a thin wrapper around the rcp protocol of the SSH-1 era, survives out of habit; its long deprecation in favor of SFTP and rsync over SSH, both of which handle edge cases more correctly, only begins later.
January 2014
Ed25519 — Modern Elliptic Curve Keys
OpenSSH 6.5 adds Ed25519 keys and the curve25519-sha256@libssh.org key exchange: much faster than RSA, with smaller keys, deterministic signatures and a design aimed at constant-time implementation. Ed25519 quickly becomes the recommended key type for new deployments, replacing aging 2048-bit RSA and 1024-bit DSA keys.
2015–2017
SSH-1 Removed
OpenSSH 7.0 (2015) disables SSH-1 server support at compile time and turns off DSA keys by default; OpenSSH 7.6 (2017) removes the SSH-1 client code entirely. The 20-year-old protocol, plagued by the CRC-32 compensation attack and weak cryptography, is retired from active use across the internet.
2019–2022
SCP Discouraged; SHA-1 Signatures Disabled
OpenSSH 8.0 (2019) declares the scp protocol outdated and recommends sftp and rsync instead. OpenSSH 8.8 (2021) disables the SHA-1 based ssh-rsa signature scheme by default; RSA keys keep working through rsa-sha2-256/512, so only peers that speak nothing but ssh-rsa break. OpenSSH 9.0 (2022) switches the scp command to the SFTP protocol by default.
2020s
FIDO2/U2F Hardware Keys; Enterprise SSH Certificates
OpenSSH 8.2 (2020) adds FIDO2/U2F hardware security key support via the sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types, giving phishing-resistant SSH authentication with YubiKeys and similar devices. SSH certificates (supported since OpenSSH 5.4 in 2010) become the usual answer to enterprise-scale key management, replacing per-host authorized_keys sprawl. OpenSSH 9.0 (2022) makes the post-quantum hybrid key exchange sntrup761x25519-sha512@openssh.com the default, and OpenSSH 9.6 (December 2023) adds the strict key exchange extension in response to the Terrapin prefix-truncation attack (CVE-2023-48795).
SSH vs. Predecessors
| Protocol | Port | Encryption | Auth | Status |
|---|---|---|---|---|
| Telnet | 23 | None (plaintext) | Password in plaintext | Obsolete |
| rlogin | 513 | None (plaintext) | Trusted host + username (.rhosts) | Obsolete |
| rsh | 514 | None (plaintext) | Trusted host only (.rhosts); no real authentication | Obsolete |
| SSH | 22 | Strong: AES-GCM, ChaCha20-Poly1305 | Public key, certificate or password, all inside the encrypted SSH transport | Current standard |
Key People
Tatu Ylönen
Creator of SSH. Finnish researcher at Helsinki University of Technology who designed and wrote SSH-1 in 1995 after witnessing a password-sniffing attack on his university network. Founded SSH Communications Security to commercialize the protocol.
Markus Friedl
OpenSSH core developer. One of the primary architects of OpenSSH from its earliest days in 1999. Led implementation of SSH-2 protocol support in OpenSSH and contributed extensively to the cryptographic core.
Theo de Raadt
OpenBSD project founder and OpenSSH co-founder. Led the OpenBSD team that forked OSSH 1.2.12 in 1999 to create OpenSSH. Drives the project's security-first philosophy and aggressive deprecation of weak cryptography.
Niels Provos
OpenSSH co-developer. Part of the original OpenBSD team that created OpenSSH in 1999. Also known for developing the bcrypt password hashing algorithm and Systrace, a system call policy enforcement tool.