The Simple Explanation
Passwords Written on Postcards
Before SSH, computers talked using protocols called Telnet and FTP. When you typed your password, it travelled across the internet like writing on the back of a postcard — in plain, readable text. The postcard was handed to a mailman, who showed it to people at the post office, who showed it to the delivery driver. Anyone who touched it (every router, switch and shared network segment on the path) could read your secrets.
In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology in Finland, discovered that a password sniffer planted on the university network had captured thousands of passwords. He decided the postcard method had to end. He invented the Secure Shell to replace the postcard with a locked steel box.
⚠️ The Three Great Flaws of Telnet & FTP
| Problem | Simple Explanation | The Real Danger |
|---|---|---|
| Cleartext Transmission | Information sent as plain, readable text — no scrambling | Like writing your bank password on a billboard for everyone to see |
| Lack of Authentication | No way to prove the computer you're talking to is who it claims to be | A stranger wearing a mask pretending to be your best friend to get into your house |
| No Integrity Checking | No way to know if a message was changed during delivery | Sending a letter saying "Give him $10" and a thief changing it to "Give him $1,000" |
# Intercepting Telnet traffic from user@company.com
CAPTURED PACKET:
Source: 192.168.1.45
Dest: 192.168.1.1:23 (Telnet)
Data: username: alice
Data: password: MySecret123 ← readable by anyone!
# SSH era: the same capture yields...
Data: 3f8a92c1b4e7d0f5... ← mathematically unreadable
🍽️ The Client-Server Model: The Customer & The Kitchen
Every SSH connection involves exactly two computers playing specific roles. Understanding this relationship is the foundation of everything else.
| Component | Analogy | Technical Name | Key Detail |
|---|---|---|---|
| Your Computer | The Customer | The SSH Client | You initiate the connection — you walk up and knock |
| Remote Computer | The Kitchen | The SSH Server | Always running, always waiting for authorised customers |
| Waiting Program | The Butler | The SSH Daemon (sshd) | Runs silently in background, listens 24/7 |
| The Digital Door | Door Number 22 | Port 22 | Default port. Moving it to another number quiets automated scanners, but that is obscurity, not security; the real protection is the authentication at the door and the firewall around it |
🍽️ Kitchen analogy: The Kitchen (SSH server) is always open and has a Butler (sshd daemon) standing at Door Number 22. When a Customer (your laptop) wants to enter, they call out to Door 22. The Butler checks who you are, verifies your identity, and decides whether to let you in — all before you even see the kitchen.
The Simple Explanation
A Locked Steel Box Inside a Private Tunnel
SSH replaces the postcard with a magical steel box. Your message goes inside the box, the box is locked, and it travels through a private tunnel built specifically for that one conversation. Even if a bad actor grabs the box from the tunnel, they cannot see inside — the steel is mathematically too thick to crack.
If they try to smash the box to change the message, it will "shatter" in a way that tells the receiver immediately that it was tampered with. SSH solves all three Dark Age problems simultaneously.
🎯 SSH's Three Goals
Encryption
Scrambles every byte into unreadable ciphertext using mathematical algorithms agreed on during the handshake. Even if intercepted, the data is worthless to an attacker.
Authentication
Proves the identities of both parties. The server proves who it is via its Host Key. The client proves who they are via password or — better — a cryptographic key pair.
Integrity
Every message includes a cryptographic "fingerprint" (MAC — Message Authentication Code). If even a single bit is changed in transit, the fingerprint fails and the message is rejected.
[Chart: SSH vs. Telnet — Security Property Comparison. Higher score = better protection across each security dimension.]
The Simple Explanation
SSH is a Three-Layer Cake
The Secure Shell is not one simple rule — it is a layered protocol. Think of it as a three-layer cake. Each layer has a completely different job, and they stack on top of each other in a specific order. You cannot have the top layer without first baking the bottom two.
The Transport Layer (RFC 4253) builds the secure tunnel before any credentials are ever mentioned. It runs the initial Handshake — the computers' first conversation. The three steps below are the simplified picture; in the real protocol the Agreement happens first and the host key is shown and checked as part of the key exchange, because the server proves it owns that key by signing the exchange data.
① The Identification
The server presents its Host Key, a key pair unique to that machine, and signs the key-exchange data with its private half. Your client checks the key's fingerprint against your known_hosts "Friendship Diary" to confirm this is the same server you trusted before. On first contact there is nothing to compare against, so the client asks you to confirm the fingerprint (check it through a channel you trust rather than pressing yes). If a known server's key later changes, the client refuses with WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!, which is exactly what a man-in-the-middle looks like.
② The Agreement
Both computers negotiate which Key Exchange, Cipher and MAC algorithms they both know. Each side sends its list in order of preference, and the first entry on the client's list that the server also supports wins: you get the strongest option only if your client lists it first, and a server still offering obsolete algorithms is a configuration problem, not a protocol one.
③ The Session Key
Via Key Exchange (Diffie-Hellman, today usually the elliptic-curve form curve25519-sha256), both computers independently calculate the same secret Session Key — without ever sending it over the network. Only public values cross the wire; from the shared secret and a hash of everything exchanged so far, each side derives separate encryption and MAC keys for each direction.
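As an added example (not code from the original page), here is a toy version of steps ② and ③ in Python: both sides run a Diffie-Hellman exchange over a deliberately small group, derive the same session keys from the shared secret and the exchange hash the way RFC 4253 does, and then use the integrity key to show how a MAC rejects a tampered or replayed packet. The prime, the placeholder host key bytes and the simplified exchange hash are assumptions for illustration; real SSH uses 2048-bit-plus groups or curve25519 and also hashes the version strings and algorithm lists.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only: 2**127 - 1 is prime but far too small for
# real use. Real SSH uses RFC 3526 MODP groups (2048+ bits) or curve25519.
P = (1 << 127) - 1
G = 2


def mpint(n: int) -> bytes:
    """RFC 4251 mpint: 4-byte length + big-endian two's-complement bytes."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare byte keeps the sign bit 0
    return len(body).to_bytes(4, "big") + body


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class Party:
    """One side of the exchange. The private exponent never leaves this object."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1   # x (client) or y (server)
        self.pub = pow(G, self.priv, P)             # e = g^x or f = g^y: the only value sent on the wire

    def shared_secret(self, peer_pub: int) -> int:
        return pow(peer_pub, self.priv, P)          # K = f^x == e^y


def exchange_hash(client_pub: int, server_pub: int, host_key: bytes, k: int) -> bytes:
    """Simplified H (RFC 4253 s8); the real one also covers version strings and KEXINIT lists."""
    return sha256(mpint(client_pub), mpint(server_pub), host_key, mpint(k))


def derive_key(k: int, h: bytes, letter: bytes) -> bytes:
    """RFC 4253 s7.2: key = HASH(K || H || letter || session_id); session_id is H of the first exchange."""
    return sha256(mpint(k), h, letter, h)


def derive_all(k: int, h: bytes) -> dict:
    # C/D = encryption keys, E/F = integrity keys, client->server then server->client
    letters = (("enc_c2s", b"C"), ("enc_s2c", b"D"), ("mac_c2s", b"E"), ("mac_s2c", b"F"))
    return {name: derive_key(k, h, letter) for name, letter in letters}


def handshake():
    """Run one exchange; return the keys each side derived and what a passive sniffer captured."""
    client, server = Party(), Party()
    host_key = b"ssh-ed25519 <placeholder server host key blob>"  # assumption; the real server also signs H with it
    k_c = client.shared_secret(server.pub)   # client computes f^x
    k_s = server.shared_secret(client.pub)   # server computes e^y
    h_c = exchange_hash(client.pub, server.pub, host_key, k_c)
    h_s = exchange_hash(client.pub, server.pub, host_key, k_s)
    sniffer_saw = (client.pub, server.pub, host_key)   # no K, no H, no keys
    return derive_all(k_c, h_c), derive_all(k_s, h_s), sniffer_saw


def mac_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """RFC 4253 s6.4: MAC over the implicit packet sequence number and the packet."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, "sha256").digest()


def mac_ok(key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, seq, payload), tag)


if __name__ == "__main__":
    client_keys, server_keys, seen = handshake()
    print("both sides derived the same keys:", client_keys == server_keys)
    tag = mac_tag(client_keys["mac_c2s"], 3, b"exec: ls")
    print("tampered packet accepted:", mac_ok(server_keys["mac_c2s"], 3, b"exec: rm", tag))
    print("replayed packet accepted:", mac_ok(server_keys["mac_c2s"], 4, b"exec: ls", tag))
```

The sequence number inside the MAC is why a recorded packet cannot simply be played back later: the receiver's counter has moved on, so the tag no longer matches. The keys for each direction differ, so a packet reflected back at its sender fails the check as well.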
Once the safe tunnel exists, the second layer, User Authentication (RFC 4252), takes over and the server asks: "But who exactly are you?" There are three ways to prove identity:
Method A
🔤 Password
The basic method. You type your password. Because the Transport Layer already built the encrypted tunnel, the password travels scrambled — but if it's weak or reused, it's still the weakest link, and it is what internet-wide brute-force scanners hammer on, which is why hardened servers turn it off (PasswordAuthentication no in sshd_config).
Method B — PRO
🗝️ Public-Key Auth
The professional way. Your private key never leaves your machine. Your client signs data tied to this one session with the private key, and the server checks the signature with the public key it has on file. Nothing to steal from the wire.
Method C
💬 Keyboard-Interactive
A flexible challenge-response system. The server can ask a series of questions — including one-time codes from an authenticator app for multi-factor authentication (MFA).
The top layer, the Connection Layer (RFC 4254), handles Multiplexing — taking one single connection and splitting it into many separate "channels" simultaneously. Think of it as one large straw that can carry soda, air, and a secret note all at once.
⌨️
Shell Channel
Type commands into the remote terminal
📁
File Transfer Channel
Move files back and forth (SCP/SFTP)
🖥️
X11 Forwarding Channel
Run graphical apps from the remote machine on your screen
The Simple Explanation
A Padlock Anyone Can Lock — Only You Can Open
SSH uses Asymmetric (public-key) Cryptography — a lock that uses two mathematically linked but completely different keys. You can hand out a million copies of your padlock (public key) to every server in the world. Only the one physical key (private key) hidden on your machine can ever open them. This is the secret sauce that makes SSH key login so much better than passwords.
🔑 The Key Pair
Public Key
The Padlock
File: ~/.ssh/id_rsa.pub (with today's default key type, ~/.ssh/id_ed25519.pub)
A digital padlock. Make a million copies. Give them to anyone. Toss them all over the internet. A padlock can only lock — it cannot unlock anything. You add this to every server you want to visit by placing it in the server's ~/.ssh/authorized_keys file.
...QDBd8+kfHJx7v5p alice@laptop
Private Key
The Secret Key
File: ~/.ssh/id_rsa (with today's default key type, ~/.ssh/id_ed25519)
The only key in the world that opens your padlocks. Never, ever share this file. Protect it with a Passphrase (a password that protects your key — like a combination lock on the safe where you keep your key). Permissions must be set to chmod 600, with the ~/.ssh directory itself at chmod 700; ssh refuses to use a private key that other users can read and prints UNPROTECTED PRIVATE KEY FILE instead.
MIIEowIBAAKCAQEA3Xl8... [KEEP SECRET]
-----END RSA PRIVATE KEY-----
🤝 The Challenge Handshake — How Login Actually Works
Your client takes data that identifies this exact session (the session ID from the handshake, your username and the public key being offered) and signs it with your Private Key. Only the holder of the private key can produce that signature.
The server, holding just your padlock (the public key in authorized_keys), verifies the signature. A valid signature proves the matching private key was used, without the server ever seeing that key.
Because the signed data includes the session ID, a signature captured from one connection is worthless in any other. (The picture you may see elsewhere, the server encrypting a random message with your padlock for you to decrypt, is how the obsolete SSH-1 protocol worked; SSH-2 uses signatures.)
Your Private Key never travelled over the internet. It stayed on your machine. A thief sniffing the network captured nothing useful.
The Math Behind the Magic
Trapdoor Functions — Easy One Way, Impossible the Other
SSH keys are built on Trapdoor Functions — maths that is trivial in one direction and computationally impossible to reverse.
Easy direction:
7 × 13 = 91 (milliseconds)
Hard direction:
Given 91, find the two prime factors = ??? (much harder)
Now make the product 2,048 bits long (about 617 decimal digits, each prime about 309 digits)...
Reversing this with any known classical algorithm would take longer than the age of the universe.
The Public Key is like the number 91. The Private Key is derived from the secret prime factors 7 and 13. Anyone can see 91; no one can work backwards to find 7 and 13 in a human lifetime. (Only RSA keys rest on factoring; Ed25519 keys rest on a different trapdoor, the discrete logarithm on an elliptic curve, but the one-way idea is the same.)
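Added example, not code from the page: textbook RSA at the page's scale of numbers, in Python, so the trapdoor and the login signature described above can be seen together. keygen builds a key pair from two small primes; client_sign signs data bound to the session ID with the private exponent and server_verify checks it using only the public key, so the private key never crosses the wire and a captured signature cannot be replayed into another session; factor shows that recovering the private key is a trial-division job at this size and is infeasible only because real keys are 2048+ bits. The primes, the session IDs, the simplified signed message (RFC 4252 section 7 also includes the service and algorithm names) and the lack of padding are illustration-only assumptions; real SSH uses padded RSA, ECDSA or Ed25519 signatures.

```python
import hashlib
from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes: public (n, e), private (n, d). No padding, toy sizes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)               # modular inverse: e*d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def auth_message(session_id: bytes, username: str, public_key: tuple) -> bytes:
    """Simplified RFC 4252 s7 signed data: session_id || 'publickey' || user || public key.
    Binding the session_id is what makes the signature useless anywhere but this connection."""
    return session_id + b"publickey" + username.encode() + str(public_key).encode()


def client_sign(private_key: tuple, session_id: bytes, username: str, public_key: tuple) -> int:
    """Runs on the client; the private exponent d is used here and nowhere else."""
    n, d = private_key
    m = digest_mod_n(auth_message(session_id, username, public_key), n)
    return pow(m, d, n)               # signature s = m^d mod n


def server_verify(public_key: tuple, session_id: bytes, username: str, signature: int) -> bool:
    """Runs on the server with nothing but the authorized_keys entry (n, e)."""
    n, e = public_key
    m = digest_mod_n(auth_message(session_id, username, public_key), n)
    return pow(signature, e, n) == m  # s^e == m^(d*e) == m (mod n)


def factor(n: int):
    """The 'hard direction': recover p, q from n by trial division.
    Instant for 91 or 3233; hopeless for a 2048-bit modulus with known classical algorithms."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    return None


def recover_private_key(public_key: tuple):
    """What an attacker would have to do with a captured padlock: factor n, then redo keygen."""
    n, e = public_key
    p, q = factor(n)
    return keygen(p, q, e)[1]


if __name__ == "__main__":
    pub, priv = keygen(61, 53)        # n = 3233: pub = (3233, 17), priv = (3233, 2753)
    session_a = bytes.fromhex("0a" * 32)   # constructed session IDs; real ones are the exchange hash H
    session_b = bytes.fromhex("0b" * 32)
    sig = client_sign(priv, session_a, "alice", pub)
    print("valid login:", server_verify(pub, session_a, "alice", sig))
    print("same signature replayed into another session:", server_verify(pub, session_b, "alice", sig))
    print("toy modulus factored:", factor(3233), "-> private key recovered:", recover_private_key(pub))
```

Note what crosses the wire in this exchange: the public key and one signature. The server learns nothing it could use to impersonate you elsewhere, and the sniffer learns nothing it could use at all, as long as factoring n stays out of reach.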
The Simple Explanation
Your Steering Wheel for SSH
To use SSH, you need a client program — the software that acts as the steering wheel for your secure connection. There are three major options, each suited for a different type of user and workflow. A pro knows when to use each one.
Industry Standard
OpenSSH
Built into macOS, Linux, and modern Windows 10/11. Lives in the Terminal — no buttons or windows, just commands. The fastest, most reliable, and most professional tool. This is what almost every expert uses every single day.
Classic Legend
PuTTY
A free Windows SSH client that has been around for 20+ years. Lightweight, stable, and rarely breaks. However, it has an outdated interface and requires companion tools: PuTTYgen to make keys and Pageant to hold them in memory. Each server opens a new window — messy for managing many connections.
Modern Choice
Termius
Designed for professionals managing many servers. Uses browser-style Tabs so you can have 10 servers open in one window. Syncs your server list between your computer and phone. Teams can share a secure Vault of server addresses and keys together.
| Feature | OpenSSH | PuTTY | Termius |
|---|---|---|---|
| Interface Type | Text-only Terminal | Graphical (Old Style) | Graphical (Modern) |
| Tabbed Sessions | n/a (your terminal emulator supplies the tabs) | ✗ Separate windows | ✓ Like a browser |
| Key Management | Manual commands | Needs PuTTYgen | ✓ Built-in |
| Mobile App | ✗ No | ✗ No | ✓ iOS & Android |
| Cost | Free | Free | Free & Paid |
| Best For | Pros, scripting, automation | Legacy Windows users | Multi-server teams |
The Simple Explanation
The Master Command & Its Power Switches
A pro at SSH cannot rely only on buttons. Mastering the command syntax and flags (special letters that change how SSH behaves) is what separates a beginner from a professional. Adding a single letter to the command can completely change what it does.
🔌 The Basic Connection
ssh alice@192.168.1.10
# alice = your username on the remote machine
# 192.168.1.10 = the IP address (or domain name) of the server
🚩 Essential Flags for Professional Use
| Flag | Name | What It Does & When to Use It |
|---|---|---|
| -p 2222 | Port | Use if the SSH butler stands at a non-standard door. E.g. ssh -p 2222 user@host |
| -i ~/.ssh/key | Identity | Specify exactly which key file to use for this connection. E.g. ssh -i ~/.ssh/work_key user@host |
| -v / -vvv | Verbose | Debug mode — prints every step of the connection. Use -vvv for maximum detail when troubleshooting failures |
| -C | Compression | Compresses all data in transit. Useful on slow connections to make the session feel faster |
| -N | No Command | "Build the tunnel but don't give me a shell." Essential for port forwarding where you only need the pipe, not a terminal |
| -f | Background | Hides the SSH connection in the background so your terminal stays free for other work |
| -A | Agent Forwarding | Lets the remote host borrow your local ssh-agent so you can hop onward without copying keys there. Caveat: anyone with root on that host can sign with your keys for as long as you stay connected, so only forward to hosts you trust; for plain multi-hop, -J jumphost (ProxyJump) gets you through without exposing the agent |
| -X | X11 Forwarding | Sends a visual graphical window (like a file browser) from the remote machine to your local screen. Treat it like -A: a remote program with access to your display can read your keystrokes, so use it only with trusted hosts |
# Connect on a custom port using a specific key
ssh -p 2222 -i ~/.ssh/work_key alice@prod-server.com
# Debug a failing connection (maximum verbosity)
ssh -vvv alice@192.168.1.10
# Build tunnel only (no shell) + send to background
ssh -N -f -L 8080:localhost:80 alice@server.com
The Simple Explanation
The Key Factory, the Lock Installer, and the Key Ring
Passwordless login is the gold standard of professional SSH. Setting it up requires three tools working together: ssh-keygen creates your padlock and key, ssh-copy-id installs the padlock on the server, and ssh-agent holds your unlocked key all day so you don't have to type your passphrase every time.
ssh-keygen
Step 1 — Create Keys
The Key Factory. Generates your public/private key pair using a specified cryptographic algorithm and key length. RSA with 4096 bits, as below, is still fine; the modern recommendation is ssh-keygen -t ed25519, which is faster, produces smaller keys and has no key length to get wrong.
ssh-keygen -t rsa -b 4096
# -t rsa → use the RSA algorithm
# -b 4096 → make the key 4096 bits (very strong)
Enter file in which to save the key (~/.ssh/id_rsa): [press Enter]
Enter passphrase (empty for no passphrase): MyStr0ngPassphrase!
Your identification has been saved in ~/.ssh/id_rsa
Your public key has been saved in ~/.ssh/id_rsa.pub
ssh-copy-id
Step 2 — Install Padlock
The Lock Installer. Knocks on the server's door using your password one last time, then appends your public key to the server's ~/.ssh/authorized_keys Approved Visitors list (creating ~/.ssh with mode 700 and the file with mode 600 if they do not exist yet; sshd ignores an authorized_keys file that other users can write to). After this, you'll never need a password for that server again, and once every admin's key is installed the server should refuse passwords altogether (PasswordAuthentication no in /etc/ssh/sshd_config).
ssh-copy-id -i ~/.ssh/id_rsa.pub alice@192.168.1.10
Number of key(s) added: 1
Now try logging into the machine with: ssh alice@192.168.1.10
# No password ever needed again ✓
ssh-agent
Step 3 — The Key Ring
The Key Fob for your keys. You unlock your private key once when you start your day. The agent holds the decrypted key in memory and answers signing requests on your behalf; you never type your passphrase again until the agent exits, you remove the key, or its lifetime runs out. Type it once, connect to a hundred servers.
eval $(ssh-agent -s)
# Add your key to the agent's memory
ssh-add ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa: MyStr0ngPassphrase!
Identity added: ~/.ssh/id_rsa (alice@laptop)
# Now connect to servers all day — no passphrase prompts
ssh alice@server1.com ← instant
ssh alice@server2.com ← instant
# Housekeeping: ssh-add -l lists the loaded keys, ssh-add -t 8h ~/.ssh/id_rsa loads a key
# that expires after 8 hours, and ssh-add -D empties the agent before you walk away
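Added example, not from the page or the OpenSSH project: a small Python auditor for the server side of this setup. It parses authorized_keys lines the way sshd reads them (an optional options field, then key type, base64 blob and comment), computes the same SHA256 fingerprint that ssh-keygen -lf prints, flags entries that lack from=/command=/restrict limits or use a short RSA key, and checks that private keys and authorized_keys carry the file modes ssh and sshd insist on. The three key lines and their blobs are constructed inline (the ed25519 point and the 1024-bit RSA modulus are arbitrary bytes, not real keys), and the 3072-bit RSA threshold follows the current ssh-keygen default.

```python
import base64
import hashlib
import os
import stat
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
RESTRICTING = ("from=", "command=", "restrict")
MIN_RSA_BITS = 3072  # ssh-keygen's default RSA size since OpenSSH 8.0


# SSH wire-format helpers (RFC 4251 string / mpint)
def ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    length = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + length], off + 4 + length


def split_options(line: str):
    """sshd rule: no options if the line starts with a key type; otherwise options end at the first space outside quotes."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    raise ValueError("options but no key: " + line)


def fingerprint(blob: bytes) -> str:
    """Same value as `ssh-keygen -lf`: SHA256 of the raw key blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_entry(line: str) -> dict:
    options, rest = split_options(line.strip())
    fields = rest.split(None, 2)
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) > 2 else ""
    embedded, off = read_string(blob, 0)        # the blob names its own type; it must agree with the text
    if embedded.decode() != keytype:
        raise ValueError(f"key type {keytype} does not match blob ({embedded!r})")
    bits = 256                                  # ed25519 is fixed-size
    if keytype == "ssh-rsa":
        _e, off = read_string(blob, off)        # public exponent, then modulus
        n, _ = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    return {"options": options, "type": keytype, "bits": bits,
            "fingerprint": fingerprint(blob), "comment": comment}


def audit_entry(entry: dict) -> list:
    findings = []
    if not any(opt in entry["options"] for opt in RESTRICTING):
        findings.append("unrestricted: no from=, command= or restrict option")
    if entry["type"] == "ssh-rsa" and entry["bits"] < MIN_RSA_BITS:
        findings.append(f"weak: RSA {entry['bits']} bits < {MIN_RSA_BITS}")
    return findings


def mode_ok(path: str, allowed: int) -> bool:
    """True if the file has no permission bits beyond `allowed` (0o600 for private keys, 0o644 for authorized_keys)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & ~allowed) == 0


def permission_demo() -> dict:
    """Throwaway directory showing what mode_ok reports before and after fixing the usual mistakes."""
    with tempfile.TemporaryDirectory() as d:
        key, ak = os.path.join(d, "id_ed25519"), os.path.join(d, "authorized_keys")
        open(key, "w").close()
        open(ak, "w").close()
        os.chmod(key, 0o644)   # world-readable private key: ssh refuses it
        os.chmod(ak, 0o664)    # group-writable authorized_keys: sshd ignores it under StrictModes
        before = {"private_key": mode_ok(key, 0o600), "authorized_keys": mode_ok(ak, 0o644)}
        os.chmod(key, 0o600)
        os.chmod(ak, 0o644)
        after = {"private_key": mode_ok(key, 0o600), "authorized_keys": mode_ok(ak, 0o644)}
    return {"before": before, "after": after}


# Constructed sample entries: blobs are built here from arbitrary bytes, they are not real keys
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
WEAK_RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 1023) | 1)
SAMPLE_AUTHORIZED_KEYS = [
    f"ssh-ed25519 {base64.b64encode(ED25519_BLOB).decode()} alice@laptop",
    f'from="10.0.0.0/8",command="/usr/local/bin/backup.sh" ssh-ed25519 {base64.b64encode(ED25519_BLOB).decode()} backup',
    f"ssh-rsa {base64.b64encode(WEAK_RSA_BLOB).decode()} old-laptop",
]

if __name__ == "__main__":
    for line in SAMPLE_AUTHORIZED_KEYS:
        entry = parse_entry(line)
        print(entry["fingerprint"], entry["type"], entry["bits"], entry["comment"], audit_entry(entry) or "ok")
    print(permission_demo())
```

The fingerprint is the value to compare when a colleague sends you a key to install, and it is the same string that appears in sshd's "Accepted publickey" log line, which is how you trace a login back to a specific authorized_keys entry.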
The Simple Explanation
Secret Passages Through the Internet
The most magical trick a pro can do with SSH is Port Forwarding (also called Tunneling). This is like building a secret, invisible pipe through the internet to reach something that is hidden behind a wall. There are three types, each going in a different direction.
Local Port Forwarding
Bring the hidden thing to you
A private database exists inside the server, hidden behind a firewall. You can't reach it from your laptop — but you have SSH access to the server. Local forwarding builds a pipe from your laptop directly to that hidden database through the SSH tunnel.
[Diagram: localhost:8080 → encrypted tunnel → gateway → internal-db port 80]
ssh -N -L 8080:internal-db:80 alice@gateway
# 8080 = the door on YOUR laptop
# internal-db = the hidden service (only the server can reach it; the name is resolved on the gateway, not on your laptop)
# 80 = the door on the hidden service
# Now open: http://localhost:8080
# You're looking at internal-db through the tunnel ✓
# The listener binds to 127.0.0.1 by default; -L 0.0.0.0:8080:internal-db:80 would hand
# the tunnel to everyone on your LAN, so leave the bind address alone unless you mean it
Remote Port Forwarding
Show them something on your machine
The opposite direction. You're building a website on your laptop and want your team on the server to preview it — without deploying it. Remote forwarding builds a pipe from the server back to your laptop.
[Diagram: your laptop port 3000 ← reversed tunnel ← server.com port 9090]
ssh -N -R 9090:localhost:3000 alice@server.com
# Anyone on server.com visiting localhost:9090
# sees your local app running on port 3000
# sshd binds that listener to the server's loopback only; reaching it from other machines
# needs GatewayPorts yes in sshd_config, at which point you have published your app to them
Dynamic Port Forwarding
The master SOCKS proxy
The Pro Master trick. Instead of building a pipe to one specific place, this turns your SSH connection into a SOCKS Proxy — a general-purpose tunnel that can reach anywhere the server can reach. Like a straw that can reach into any glass in the kitchen.
ssh -D 1080 -N -f alice@server.com
# -D 1080 → open a SOCKS proxy on local port 1080
# -N → no shell, just the tunnel
# -f → run in background
# Point your browser's SOCKS proxy to localhost:1080
# All browser traffic now routes through the server ✓
# Also enable "proxy DNS when using SOCKS v5" (socks5h:// for curl); otherwise name lookups
# still leave your laptop in the clear and reveal which sites you are visiting
The Simple Explanation
Moving the Digital Groceries
SSH isn't just for typing commands — it's also the most secure way to move files between computers. Three tools are built on the SSH protocol: SCP (fast single-file delivery; since OpenSSH 9.0 it uses the SFTP protocol underneath by default, so the quirks of the legacy scp protocol are gone), SFTP (interactive moving company), and SSHFS (the god-level trick that makes a remote folder appear on your desktop like a USB drive).
Tool 1
SCP — Secure Copy
# Send a file TO the server
scp cake_recipe.txt alice@server:/home/alice/
# Get a file FROM the server
scp alice@server:/home/alice/cake_recipe.txt ./
# Copy an entire folder (recursive)
scp -r ./my_project/ alice@server:/var/www/
Tool 2
SFTP — Secure File Transfer Protocol
When you start SFTP, you enter an interactive mode where you can walk around the server's folders and pick exactly which files to move. Like walking into a warehouse with a clipboard rather than placing a delivery order.
sftp alice@server.com
Connected to server.com.
sftp> ls
documents logs uploads
sftp> cd documents
sftp> get report.pdf # download to local
sftp> put invoice.pdf # upload to server
Tool 3 — God Level
SSHFS — SSH File System
sshfs alice@server:/var/www ~/remote_site
# Now ~/remote_site IS the server's /var/www folder
# Edit files locally, changes save directly to server ✓
# Unmount when done (umount works on macOS; on Linux use fusermount -u ~/remote_site)
umount ~/remote_site
The Simple Explanation
Your Speed-Dial Address Book & Terminal Cheat Sheet
When you become a professional, you will manage dozens of servers. No one memorises 20 IP addresses, usernames, ports, and key files. The SSH Config file is your personal address book — type a short nickname and SSH fills in all the details automatically. Pair that with core terminal commands and you can manage the world's infrastructure from one window.
📋 The SSH Config File — Your Address Book
Location: ~/.ssh/config. Create it if it doesn't exist. Each entry defines an alias and its full connection details.
Without Config — Every. Single. Time.
ssh -p 4422 -i ~/.ssh/bakery_key alice@bakery.com
# Remembering all this = headaches
With Config — Clean & Fast
ssh the-bakery
# SSH looks up the alias and fills
# in port, key, user automatically ✓
HostName 192.168.1.5
User bob
Port 2222
IdentityFile ~/.ssh/work_key
Host the-bakery
HostName bakery.com
User alice
IdentityFile ~/.ssh/bakery_key
# Applies to ALL connections. Keep this block LAST: ssh uses the FIRST value it finds
# for each option, so a Host * placed above would override the entries below it.
# (ssh_config only treats whole lines starting with # as comments, so keep comments on their own lines.)
Host *
ServerAliveInterval 60
AddKeysToAgent yes
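Added example, not the page's or OpenSSH's code: a Python resolver that applies the two ssh_config rules that bite people most often. OpenSSH reads the file top to bottom; a Host block applies when one of its patterns matches the name you typed (the alias, not the resolved HostName, and a pattern starting with ! is a veto); and for every option the first value obtained wins. The config text is constructed here, the alias `work` for the page's second entry is an assumption, and only single-value keywords are modelled (Match blocks, Include and the canonicalisation that `ssh -G host` performs are not).

```python
import fnmatch
import re

# "Keyword value" or "Keyword=value"; the value keeps its case, the keyword does not
LINE_RE = re.compile(r"^(\w+)\s*(?:=\s*)?(.*?)\s*$")


def parse_config(text: str):
    """Return [(patterns, {keyword: value}), ...] in file order. Options before the first Host apply everywhere."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # ssh_config: only whole-line comments
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        keyword, value = match.groups()
        keyword = keyword.lower()
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(keyword, value)      # a repeated keyword inside one block: first wins too
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host: str) -> bool:
    """A negated pattern that matches vetoes the block; otherwise at least one positive pattern must match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text: str, host: str) -> dict:
    """What `ssh host` will actually use: first obtained value per keyword, then the built-in defaults."""
    result = {}
    for patterns, options in parse_config(text):
        if host_matches(patterns, host):
            for keyword, value in options.items():
                result.setdefault(keyword, value)
    result.setdefault("hostname", host)
    result.setdefault("port", "22")
    return result


# Constructed config: the page's two entries, a prod-* rule with a veto, and a catch-all placed LAST
GOOD_CONFIG = """
Host work
    HostName 192.168.1.5
    User bob
    Port 2222
    IdentityFile ~/.ssh/work_key

Host the-bakery
    HostName bakery.com
    User alice
    IdentityFile ~/.ssh/bakery_key

Host prod-* !prod-canary
    User ops
    IdentityFile ~/.ssh/prod_key

# applies to ALL connections; kept last so the per-host values above win
Host *
    ServerAliveInterval 60
    AddKeysToAgent yes
    User deploy
"""

# Same content with a catch-all FIRST: its User silently overrides every block below it
BAD_CONFIG = "\nHost *\n    User root\n" + GOOD_CONFIG


if __name__ == "__main__":
    for host in ("the-bakery", "work", "prod-web1", "prod-canary", "10.0.0.7"):
        print(host, "->", resolve(GOOD_CONFIG, host))
    print("the-bakery with Host * first ->", resolve(BAD_CONFIG, "the-bakery")["user"])
```

When a real config misbehaves, `ssh -G the-bakery` prints exactly this kind of resolved list from OpenSSH itself, which is the quickest way to see which block a surprising value came from.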
⌨️ Essential Terminal Commands — Once You're In
| Command | Simple Meaning | Pro Usage |
|---|---|---|
| ls | List — see what's on the counter | ls -la shows hidden files (starting with a dot) + permissions |
| cd | Change Directory — walk into another room | cd .. goes back one level; cd ~ returns home |
| pwd | Print Working Directory — "where am I?" | Shows your full current path — use when lost in deep folders |
| mkdir | Make Directory — build a new cabinet | mkdir -p a/b/c creates the full nested path at once |
| touch | Create a new empty file | Also updates a file's "last modified" timestamp |
| rm | Remove — throw in the trash | ⚠️ No undo on a server. Use rm -rf with extreme caution |
| cat | Concatenate — peek inside a file | View file contents without an editor; pipe into grep |
| grep | Search — find a specific word in files | grep -r "ERROR" ./logs/ searches all log files recursively |
| top | Show which programs are eating CPU/RAM | Press q to quit; use htop for a coloured version |
Summary — Security is a Journey
The Professional's SSH Principles
The evolution from Telnet to SSH represents more than a change in technology — it made encryption, authentication and integrity the baseline for remote administration instead of an afterthought. A professional uses SSH with four guiding principles:
Whether you're moving files with SCP, building tunnels with -L, or managing hundreds of servers with a tidy config file — you are now using the same secret codes that protect the world's most important infrastructure.