SSH Protocol
SSH is the protocol that replaced Telnet, rlogin, and rsh. It runs on TCP port 22 by default and is built from three layered protocols.
The three layers
- Transport layer (RFC 4253). Algorithm negotiation, server authentication, key exchange, encryption, and integrity. Produces a secure channel.
- User authentication layer (RFC 4252). Public key, password, host-based, or keyboard-interactive authentication of the user to the server.
- Connection layer (RFC 4254). Multiplexes multiple logical channels onto the single secure connection: interactive sessions, port forwards, X11, agent forwarding, SFTP subsystems.
What's negotiated
- Key exchange — modern: curve25519-sha256, ecdh-sha2-nistp256.
- Host key algorithms — modern: ssh-ed25519, ecdsa-sha2-nistp256, rsa-sha2-512.
- Ciphers — AEAD preferred: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com.
- MAC — implied by AEAD ciphers; otherwise hmac-sha2-512-etm.
- Compression — usually disabled because of CRIME-style risks.
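The negotiation above happens in the transport layer's SSH_MSG_KEXINIT exchange: each side sends ten comma-separated name-lists, and for each category the first entry in the client's list that the server also lists is chosen. The following Python is an added example, not code from the page or from any SSH implementation. It serialises and parses the KEXINIT body as laid out in RFC 4253 section 7.1, applies the selection rule, and flags legacy algorithms a hardening review would want removed. The weak-algorithm heuristics and the sample client/server lists are this example's own constructions; the OpenSSH-specific names (the @openssh.com suffixes) are the real algorithm identifiers.

```python
import struct
from typing import Dict, List, Tuple

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
NAME_LIST_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]

def build_kexinit(cookie: bytes, lists: Dict[str, List[str]]) -> bytes:
    """Serialise a KEXINIT payload (the message body inside the binary packet)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw   # name-list = uint32 length + names
    body += b"\x00"                # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)   # reserved for future extension
    return body

def parse_kexinit(payload: bytes) -> Dict[str, object]:
    """Decode a KEXINIT payload into its cookie, name-lists and trailer."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    out: Dict[str, object] = {"cookie": payload[1:17]}
    off = 17
    for field in NAME_LIST_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list: " + field)
        out[field] = raw.decode("ascii").split(",") if raw else []
        off += n
    out["first_kex_packet_follows"] = bool(payload[off])
    (out["reserved"],) = struct.unpack_from(">I", payload, off + 1)
    return out

def negotiate(client: List[str], server: List[str]) -> str:
    """RFC 4253 rule: the first name in the client's list that the server also lists
    wins. (Real kex selection adds a host-key compatibility condition, omitted here.)"""
    for name in client:
        if name in server:
            return name
    raise ValueError("no common algorithm")

def is_weak(field: str, name: str) -> bool:
    """Heuristics for algorithms a hardening review would remove. These rules are
    this example's own choice, not a list taken from the page."""
    n = name.lower()
    if field == "kex_algorithms":
        return n.endswith("-sha1")                  # SHA-1 KEX, incl. 1024-bit group1
    if field == "server_host_key_algorithms":
        return n in ("ssh-dss", "ssh-rsa")          # DSA; RSA with SHA-1 signatures
    if field.startswith("encryption_algorithms"):
        return n.startswith(("arcfour", "3des")) or n.endswith("-cbc")
    if field.startswith("mac_algorithms"):
        return "md5" in n or n.endswith("-96")      # MD5 or truncated 96-bit tags
    if field.startswith("compression_algorithms"):
        return n != "none"                          # compression: CRIME-style risk
    return False

def audit(kexinit: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (field, algorithm) pairs the peer offers that is_weak() flags."""
    return [(f, name) for f in NAME_LIST_FIELDS for name in kexinit[f] if is_weak(f, name)]

def _symmetric(kex, hostkeys, ciphers, macs, compression) -> Dict[str, List[str]]:
    # Same cipher/MAC/compression lists in both directions, the usual case.
    return {
        "kex_algorithms": kex,
        "server_host_key_algorithms": hostkeys,
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": macs,
        "mac_algorithms_server_to_client": macs,
        "compression_algorithms_client_to_server": compression,
        "compression_algorithms_server_to_client": compression,
    }

# Constructed sample: a hardened client and a server that still offers legacy algorithms.
CLIENT_LISTS = _symmetric(
    ["curve25519-sha256", "ecdh-sha2-nistp256"],
    ["ssh-ed25519", "rsa-sha2-512"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    ["hmac-sha2-512-etm@openssh.com"],
    ["none"],
)
SERVER_LISTS = _symmetric(
    ["diffie-hellman-group1-sha1", "curve25519-sha256", "ecdh-sha2-nistp256"],
    ["ssh-rsa", "rsa-sha2-512", "ssh-ed25519"],
    ["aes128-cbc", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    ["hmac-md5", "hmac-sha2-512-etm@openssh.com"],
    ["zlib", "none"],
)

def demo():
    """Round-trip both KEXINITs through the wire format, negotiate, audit both sides."""
    client = parse_kexinit(build_kexinit(b"\x11" * 16, CLIENT_LISTS))
    server = parse_kexinit(build_kexinit(b"\x22" * 16, SERVER_LISTS))
    chosen = {f: negotiate(client[f], server[f]) for f in NAME_LIST_FIELDS[:8]}
    return chosen, audit(server), audit(client)
```

Because the client's preference order decides, the hardened client still lands on curve25519-sha256, ssh-ed25519 and chacha20-poly1305 even though the server lists group1-sha1, ssh-rsa and aes128-cbc first; the audit output is what tells you the server would accept those from a weaker client.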
Host key trust
The server presents a host key during the handshake. The client compares it against ~/.ssh/known_hosts; on first connection, the user accepts or rejects the fingerprint. This is Trust On First Use (TOFU). For higher assurance, an organisation can use SSH certificates signed by a CA, which lets clients trust any server presenting a valid signed certificate without per-host pinning.
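As an added example (not code from the page or from OpenSSH), here is a small Python model of the client-side known_hosts check described above. It assumes OpenSSH's file format: an optional `@cert-authority` or `@revoked` marker, a host field that is either comma-separated names or the hashed `|1|salt|hmac` form written by HashKnownHosts (HMAC-SHA1 over the hostname, keyed by the salt), then key type and base64 key. The fingerprint function renders the `SHA256:` form shown in the TOFU prompt. The sample keys are constructed byte patterns, not real keys, and the fixed salt is for reproducibility only.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class KnownHost:
    marker: Optional[str]   # "@cert-authority" or "@revoked" when present
    hosts: str              # comma-separated names, or a hashed "|1|salt|hmac" field
    key_type: str
    key_blob: bytes         # decoded public key, as the server sends it in the handshake

def fingerprint_sha256(key_blob: bytes) -> str:
    """Render a key the way the TOFU prompt shows it: SHA256 of the raw blob, base64, no padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(hostname: str, salt: bytes) -> str:
    """The hashed host field written by HashKnownHosts: HMAC-SHA1 over the name, keyed by the salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(entry_hosts: str, hostname: str) -> bool:
    """True if a known_hosts host field covers hostname (hashed or plain; no wildcards here)."""
    if entry_hosts.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_hosts.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return hostname in entry_hosts.split(",")

def parse_known_hosts(text: str) -> List[KnownHost]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: " + line)
        hosts, key_type, key_b64 = fields[:3]   # an optional trailing comment is ignored
        entries.append(KnownHost(marker, hosts, key_type, base64.b64decode(key_b64)))
    return entries

def check_host_key(entries: List[KnownHost], hostname: str, key_type: str, key_blob: bytes) -> str:
    """Classify a presented host key: match, mismatch (key changed), unknown (the TOFU
    prompt), or revoked. @cert-authority lines are CA keys used for certificate
    verification rather than pins, so they are skipped by this plain-key check."""
    for e in entries:
        if e.marker == "@revoked" and e.key_type == key_type and e.key_blob == key_blob:
            return "revoked"
    host_known = False
    for e in entries:
        if e.marker is not None or not host_matches(e.hosts, hostname):
            continue
        host_known = True
        if e.key_type == key_type and e.key_blob == key_blob:
            return "match"
    return "mismatch" if host_known else "unknown"

def ed25519_blob(raw32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: string(type) + string(32 key bytes)."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

# Constructed sample keys and file; these byte patterns are placeholders, not real keys.
KEY_A = ed25519_blob(bytes(range(0, 32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
KEY_C = ed25519_blob(bytes(range(64, 96)))
SALT = bytes(range(100, 120))   # fixed here for reproducibility; OpenSSH draws a random salt

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "bastion.example,10.0.0.5 ssh-ed25519 " + _b64(KEY_A),
    hash_hostname("git.example", SALT) + " ssh-ed25519 " + _b64(KEY_B),
    "@revoked old.example ssh-ed25519 " + _b64(KEY_C) + " compromised key",
])
SAMPLE_ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
```

The three outcomes map onto what a user sees: "unknown" is the fingerprint prompt where TOFU happens, "mismatch" is the host-key-changed warning that should be investigated rather than clicked through, and "revoked" is a key that must never be accepted regardless of host.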
SFTP and SCP run over SSH. SFTP (SSH File Transfer Protocol) is a subsystem of the SSH connection layer — not a variant of FTP. SCP uses SSH to run a remote scp binary.
Useful client tricks
- ssh -L 8080:localhost:80 host — forward a local port to a port on the remote.
- ssh -R 8080:localhost:80 host — reverse forward — open a port on the remote that tunnels back.
- ssh -D 1080 host — SOCKS proxy through the SSH connection.
- ~/.ssh/config — declarative connection settings: aliases, jump hosts, identity files, agent forwarding.