SSH 101: A Beginner's Guide to Secure Shell

A beginner-friendly guide to SSH: what it is, how it works, and how to set up key-based authentication securely.

Whether you’re deploying code to a server, cloning a private Git repository, or managing infrastructure remotely, SSH (Secure Shell) is an essential tool for developers and system administrators. This guide introduces the basics of SSH — what it is, how it works, and how to get started with SSH key-based authentication. If you’re new to SSH or just need a refresher, this walkthrough will give you the foundational knowledge you need before diving into best practices and advanced configurations.

Introduction to SSH

SSH (Secure Shell) is a protocol that allows systems to communicate securely over an unsecured network. It establishes a one-way authenticated connection between a client and a server.

The process begins with the creation of a key pair. The public key is stored on the server, while the private key remains on the local machine. The private key must be protected carefully — anyone who obtains it can impersonate you and gain the same access you have. Keeping your private key safe is essential.

When you attempt to SSH into another machine, the SSH protocol checks whether the public key on the server and the private key on your machine match. If they do, access is granted and secure communication begins.

All SSH key pairs are based on asymmetric cryptography. This cryptographic approach uses a pair of mathematically linked keys and is built upon one-way functions. Thanks to the nature of these functions, it is computationally infeasible to reconstruct a private key from a public key.

• One-way function

• Public-key cryptography

Generating SSH Key Pairs with ssh-keygen

The ssh-keygen utility generates, manages, and converts authentication keys for SSH. It is recommended to create different SSH key pairs for different services and purposes to improve security and manageability.

ssh-keygen -t ed25519 -f ~/.ssh/id_work_github -C "your-email@example.com id_work_github"

• -t: Specifies the key type (e.g., ed25519).

• -f: Specifies the filename for the key pair.

• -C: Adds a comment stored in the public key file.

Instead of using just your email for the comment, it’s often more useful to include descriptive information that identifies the key’s purpose or scope.

Types of SSH Keys

• rsa – Widely supported, but less secure at shorter key lengths.

• dsa – Deprecated; avoid using.

• ecdsa – Smaller and faster than RSA; based on elliptic curve cryptography.

• ed25519 – Modern, fast, and secure; recommended.

• ecdsa-sk / ed25519-sk – Secure key variants for use with FIDO/U2F hardware tokens.

Naming Convention

Creating a separate key pair for each server or purpose minimizes risk: if one private key is compromised, only the related server or service is affected. A suggested naming pattern is:

id_<purpose>[_<service>]_<scope|hostname>[_<username>]

Examples:

• id_work_github

• id_deploy_webserver_root

Components:

• purpose – The reason for the key (e.g., work, personal, deploy).

• service – Optional; the external service it’s for (e.g., github, aws).

• scope|hostname – Server, group, or host name.

• username – Optional if using varied usernames per host.

Verifying Public Key Fingerprints

In some environments, such as GitHub, you can’t view the full public key after uploading it. Instead, only a fingerprint (a hash of the key) is shown. To verify which key was uploaded, you can compare the local key’s fingerprint using:

ssh-keygen -lf <public-key>

This allows you to confirm that the uploaded key matches your local key.

• ssh-keygen Manual

Managing SSH Identities with ssh-agent

When connecting to a server using SSH, the client searches for available private keys and/or queries the ssh-agent for any loaded identities.

If the server accepts one of the offered keys, authentication succeeds. If your private key is encrypted with a passphrase, you’ll be prompted to enter it. This passphrase decrypts the private key locally — it is not sent to the server.

To list keys currently loaded into ssh-agent:

ssh-add -l

To add a private key to the agent:

ssh-add ~/.ssh/your_private_key

This allows you to avoid entering the passphrase multiple times.

• ssh-agent Manual

How SSH Authentication Works

Suppose we use the following command:

ssh hyperoot@192.168.x.x

Here’s what happens step-by-step:

1. Client Offers Public Key
   The SSH client informs the server it wants to authenticate using a specific public key. The server checks if this key is authorized for the user (e.g., in ~/.ssh/authorized_keys).

2. Server Sends a Challenge
   If the public key is recognized, the server sends a random challenge (a nonce) to the client. This ensures the authentication attempt is live and not replayed.

3. Client Signs the Challenge
   The SSH client uses the private key to sign the server’s challenge. This creates a digital signature unique to the challenge and the key.

4. Server Verifies the Signature
   Using the public key, the server verifies the signature. If it checks out, the client is authenticated — without ever revealing the private key.

Digital Signatures in SSH

SSH uses digital signatures as part of its authentication process. This ensures that the client actually possesses the private key associated with the public key, without sending the private key over the network.

Signature Analogy

Consider this analogy:

• Public Key = Lock

• Private Key = Your unique key

• Server = Security guard with the lock

• Signature = You unlocking the lock in front of the guard, proving you own the key — without handing it over

Role of ssh-agent

When a private key is added to ssh-agent, the agent handles signing operations on your behalf. This way, the ssh command doesn’t need direct access to the private key file — it delegates the signing to the agent, improving security.

Final Thoughts

SSH is a foundational tool for secure remote access and automation. By understanding how key pairs work, how to generate and manage them responsibly, and how authentication happens under the hood, you can significantly improve the security and reliability of your SSH usage.

For advanced usage, consider learning about ~/.ssh/config, using passphrase-protected keys with keychain-style agents, or integrating with hardware tokens for even greater protection.