Techeia

SSH (Secure Shell) Complete Guide: Keys, Tunneling & Best Practices

Last Updated: 2024-01-08 · 3 min read

What is SSH?

Secure Shell (SSH) is a cryptographic network protocol that enables secure remote login, command execution, and file transfer over untrusted networks. SSH replaced Telnet and rlogin because it encrypts all traffic, preventing password sniffing and session hijacking.

Default Port: TCP 22
Encryption Standard: AES-256
Year Invented: 1995

SSH vs. Telnet: Why Encryption Matters

Feature        | SSH                     | Telnet
Port           | TCP 22                  | TCP 23
Encryption     | Full (AES, ChaCha20)    | None (Plaintext)
Authentication | Password, Keys, MFA     | Password Only
Security       | Safe on Public Networks | Vulnerable to MITM

⚠️ Never Use Telnet

Telnet transmits your username and password in plaintext. Anyone with a packet sniffer on the same network segment can capture your credentials. SSH should be used for all remote administration.


Authentication Methods

🔑 Password Authentication

The simplest method. You type your password each time you connect. Vulnerable to brute-force attacks if not rate-limited.

ssh user@192.168.1.1

🔐 Public Key Authentication (Recommended)

Uses a cryptographic key pair. The private key stays on your machine; the public key goes on the server. Far more secure and can be passwordless.

ssh -i ~/.ssh/id_ed25519 user@server

Generating SSH Keys

Modern best practice is to use Ed25519 keys, which are faster and more secure than older RSA keys.

Linux / macOS / Windows (PowerShell)

# Generate a new Ed25519 key pair
ssh-keygen -t ed25519 -C "yourname@example.com"
# Your keys are saved to:
~/.ssh/id_ed25519 (Private Key - NEVER share this)
~/.ssh/id_ed25519.pub (Public Key - Copy to servers)

Copying Your Public Key to a Server

# Use ssh-copy-id (easiest method)
ssh-copy-id user@192.168.1.1
# Or manually append to authorized_keys
cat ~/.ssh/id_ed25519.pub | ssh user@192.168.1.1 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
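The manual append above works, but it does not validate what it is appending, does not set the permissions sshd requires on ~/.ssh (700) and authorized_keys (600), and adds a duplicate line every time it is re-run. The following is an added example, not code from the original article: a small POSIX sh routine that installs a public key idempotently and with the right modes. The `install_authorized_key`, `key_count` and `mode_of` function names, the temporary directory and the sample key line are all constructed for this example (the key material is not a real key).

```shell
#!/bin/sh
# Added example (not from the original article): idempotently install a public
# key into authorized_keys with the 700/600 permissions sshd expects.
# Function names, paths and the sample key below are constructed for this example.

# mode_of FILE -> octal mode such as 700 (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key SSH_DIR PUBKEY_LINE
#   - accepts only a single OpenSSH public-key line with a known key type
#   - creates SSH_DIR (mode 700) and authorized_keys (mode 600) if missing
#   - appends the key only when an identical line is not already present
# Returns 0 on success, 1 when the input is rejected.
install_authorized_key() {
    ssh_dir=$1
    key=$2
    auth="$ssh_dir/authorized_keys"

    # Reject anything whose first field is not a recognised OpenSSH key type.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*" "*|"sk-"*" "*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # Reject multi-line input: one call installs exactly one key.
    nl=$(printf '\nx'); nl=${nl%x}
    case "$key" in
        *"$nl"*) echo "refusing: multi-line input" >&2; return 1 ;;
    esac

    # Create directory and file owner-only, then pin the modes explicitly.
    (umask 077; mkdir -p "$ssh_dir" && touch "$auth") || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"

    # -F fixed string, -x whole line: a re-run never duplicates the entry.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    return 0
}

# key_count SSH_DIR -> number of lines in authorized_keys
key_count() {
    grep -c '^' "$1/authorized_keys"
}

# Demo in a temporary directory with a constructed (not real) key line.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal0000000000000 alice@example.com'
demo_dir=$(mktemp -d)
install_authorized_key "$demo_dir/.ssh" "$SAMPLE_KEY"
install_authorized_key "$demo_dir/.ssh" "$SAMPLE_KEY"   # second run is a no-op
echo "keys: $(key_count "$demo_dir/.ssh")  dir: $(mode_of "$demo_dir/.ssh")  file: $(mode_of "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

Run it against the real target with `install_authorized_key "$HOME/.ssh" "$(cat ~/.ssh/id_ed25519.pub)"` on the server side; piping the script over ssh as the article does for the manual method works the same way. The whole-line check with `grep -xF` means the same key with a different comment is treated as a new entry, which is the conservative choice.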

SSH Tunneling (Port Forwarding)

SSH can create encrypted tunnels to forward traffic, bypassing firewalls or securing insecure protocols.

Local Port Forward

Access a remote service through a local port. Example: Access a database on a remote server that only allows localhost connections.

ssh -L 3306:localhost:3306 user@dbserver

Now connect to localhost:3306 to reach the remote MySQL.

Dynamic SOCKS Proxy

Create a SOCKS5 proxy to route all browser traffic through the SSH server. Useful for secure browsing on untrusted Wi-Fi.

ssh -D 1080 user@server

Configure your browser to use SOCKS proxy on localhost:1080.


Hardening SSH (Best Practices)

Default SSH configurations are often insecure. Edit /etc/ssh/sshd_config to lock down your server.

  1️⃣ Disable Password Authentication: Force key-based login. PasswordAuthentication no
  2️⃣ Disable Root Login: Require users to sudo. PermitRootLogin no
  3️⃣ Change Default Port: Move off port 22 to reduce automated attacks. Port 2222
  4️⃣ Use Fail2Ban: Automatically ban IPs with too many failed login attempts.
  5️⃣ Allow Specific Users: Restrict who can SSH in. AllowUsers admin deployer
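A practitioner editing sshd_config by hand usually wants a quick, read-only way to confirm the settings actually took effect. The following is an added example, not part of the original article: a POSIX sh audit of an sshd_config against the checklist above. It also demonstrates the caveat that sshd honours the first occurrence of a keyword and ignores later duplicates, so a hardened line appended below an earlier one changes nothing. The `sshd_value` and `audit_sshd_config` function names and both sample configs are constructed for this example; Fail2Ban (item 4) is a separate service and is not visible in sshd_config, so it is not checked.

```shell
#!/bin/sh
# Added example (not from the original article): read-only audit of an
# sshd_config against the hardening checklist. Function names and the sample
# configs at the bottom are constructed for this example.

# sshd_value FILE KEYWORD -> the effective global value of KEYWORD in FILE.
# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
# Comments, blank lines and everything from the first Match block onward are
# skipped, because Match blocks only apply conditionally.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { in_match = 1 }
        in_match                             { next }
        tolower($1) == tolower(key)          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per finding; exit status is the
# number of findings, so 0 means every checked directive matches the checklist.
audit_sshd_config() {
    cfg=$1
    findings=0

    # 1. PasswordAuthentication defaults to "yes" when the line is absent.
    v=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${v:-yes (default)}', expected 'no'"
        findings=$((findings + 1))
    fi

    # 2. PermitRootLogin defaults to prohibit-password; the checklist wants "no".
    v=$(sshd_value "$cfg" PermitRootLogin)
    if [ "${v:-prohibit-password}" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${v:-prohibit-password (default)}', expected 'no'"
        findings=$((findings + 1))
    fi

    # 3. Port: absent or 22 means the default port is still in use.
    v=$(sshd_value "$cfg" Port)
    if [ "${v:-22}" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"
        findings=$((findings + 1))
    fi

    # 5. AllowUsers: without an allow-list every local account may attempt login.
    v=$(sshd_value "$cfg" AllowUsers)
    if [ -z "$v" ]; then
        echo "FINDING: no AllowUsers restriction"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample 1: looks partly hardened, but "PasswordAuthentication no"
# sits BELOW an earlier "yes", so sshd never sees it.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed for this example)
Port 22
PasswordAuthentication yes
#PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed sample 2: the checklist applied, with a Match block that must
# not leak into the global audit.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin deployer
Match User deployer
    PasswordAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" && n=0 || n=$?
echo "findings: $n"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG" && n=0 || n=$?
echo "findings: $n"
rm -f "$WEAK_CFG" "$HARDENED_CFG"
```

Run `audit_sshd_config /etc/ssh/sshd_config` on the host itself; remember that files under /etc/ssh/sshd_config.d/ pulled in by an Include line are not read by this simplified parser, and that `sshd -T` remains the authoritative way to print the effective configuration.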

SSH on Network Devices

Most enterprise network equipment (Cisco, Aruba, Juniper) supports SSH for management.

Enabling SSH on Cisco IOS

! Set hostname and domain (required for key generation)
hostname Switch1
ip domain-name example.com
! Generate RSA key pair
crypto key generate rsa modulus 2048
! Enable SSHv2
ip ssh version 2
! Apply SSH to VTY lines
line vty 0 15
transport input ssh
login local

Troubleshooting SSH Issues

  • "Connection Refused"

    Cause: SSH daemon not running, or firewall blocking port 22.

    Fix: sudo systemctl start sshd and check firewall rules.

  • "Permission denied (publickey)"

    Cause: Your public key is not in the server's ~/.ssh/authorized_keys, or file permissions are wrong.

    Fix: Ensure ~/.ssh is 700 and authorized_keys is 600.

  • "Host key verification failed"

    Cause: The server's host key changed (possibly a security risk, or the server was reinstalled).

    Fix: Remove the old key with ssh-keygen -R hostname.
