Updated on 25 Feb, 202622 mins read 27 views

What is SSH?

SSH (Secure Shell) is a protocol that allows remote login and command execution over a network. It replaces older insecure protocols like:

  • Telnet
  • FTP
  • rlogin

It allows:

  • Remote login
  • Command execution
  • Secure file transfer
  • Secure tunneling

Unlike these older protocols, SSH encrypts all communication between client and server.

Default SSH Port:

22 (TCP)

Why SSH is Important

Without SSH, data transmitted over a network could be intercepted, modified, or stolen. SSH provides:

  • Encryption
  • Authentication
  • Integrity protection
  • Secure file transfer
  • Remote command execution

SSH Architecture

SSH follows a client-server model.

SSH Client

The user's machine that initiates the connection

Examples:

  • Linux/macOS Terminal
  • PuTTY (Windows)
  • OpenSSH client

SSH Server

The remote machine running an SSH daemon (sshd), waiting for incoming connections.

How SSH Works

When you type:

ssh user@server_ip

or

ssh {user on remote server}@{ip address of remote server}

The following happens behind the scenes:

Step 1: TCP Connection Establishment

The client connects to the server over TCP port 22.

Step 2: Version Exchange

Client and server exchange protocol versions (e.g., SSH-2.0).

Modern systems use SSH-2, which is secure and standardized.

Step 3: Key Exchange (KEX)

This is one of the most important steps.

SSH uses asymmetric cryptography to establish a shared secret key.

Common algorithms:

  • Diffie-Hellman
  • ECDH (Elliptic Curve Diffie-Hellman)

During this stage:

  1. Client and server exchange public keys.
  2. They generate a shared session key.
  3. The session key is used for symmetric encryption.

This ensures that even if someone intercepts the traffic, they cannot decrypt it.

Step 4: Server Authentication

The server proves its identity using its host key.

On first connection, you see:

The authenticity of host can't be established.

If you accept it, the server's fingerprint is stored in:

~/.ssh/known_hosts

On future connections, SSH verifies the fingerprint to prevent man-in-the-middle attacks.

Step 5: User Authentication

After the secure channel is established, SSH authenticates the user.

There are two common methods:

1 Password Authentication

  • User enters password
  • Password is encrypted during transmission
  • Simple but less secure (vulnerable to brute force attacks).

2 Public Key Authentication

Instead of passwords, SSH uses key pairs:

  • Private Key = Kept secret on your machine
  • Public Key = Stored on the server

Entering password is tedious and less secure than using SSH Keys. SSH keys consist of a “Public Key” (shared with the server) and a “Private Key” (kept secret on your machine).

Step A: Generate Key Pair

ssh-keygen -t ed25519 -C "admin@thejat.in"

Follow the prompts.

You can:

  • Leave passphrase empty (faster login)
  • Add passphrase (more secure)

This command creates two files, ssh_key (private key) and ssh_key.pub (public key).

ssh_key        (Private key)
ssh_key.pub    (Public key)

Step B: Copy Public Key to Server

~/.ssh/authorized_keys

Display the public key:

cat ssh_key.pub

Copy its contents.

On the server:

ls -a
cd .ssh
vim authorized_keys

It shows the .ssh directory. Do cd in it.

There is a special file authorized_keys. We have to write public key in it.

vim authorized_keys

Paste the public key inside the authorized_keys file and save.

File path:

~/.ssh/authorized_keys

Step C: Login Using the Private Key

ssh -i ssh_key user_name@ip_address_of_server

What happens now?

  1. Server sends a cryptographic challenge
  2. Client signs it using the private key
  3. Server verifies it using the stored public key
  4. If valid -> access granted

The private key is never sent over the network.

Step 6: Encrypted Session Begins

Once authentication is successful:

  • All commands
  • All outputs
  • All file transfers

are encrypted using symmetric encryption algorithms such as:

  • AES
  • ChaCha20

This ensures speed and security.

How GitHub Uses SSH

What Happens When You Set Up SSH for GitHub

Step A: You Generate a Key Pair

ssh-keygen -t ed25519 -C "you@example.com"

This creates:

~/.ssh/id_ed25519        (private key)
~/.ssh/id_ed25519.pub    (public key)

Important:

  • The private key stays on your computer
  • The public key is uploaded to GitHub

Step B: You Upload the Public Key to GitHub

Inside GitHub:

Settings → SSH and GPG Keys → New SSH Key

GitHub stores:

  • Your public key
  • Associates it with your user account

Now GitHub knows:

“If someone proves they own the matching private key, they are this user.”

What Happens During git clone or git push

Example:

git clone git@github.com:username/repo.git

Let's go step by step.

Phase 1: TCP Connection

You machine connects to:

github.com:22

This initiates an SSH handshake

Phase 2: SSH Handshake

This includes:

1 Version negotiation

Both sides confirm SSH protocol version (SSH-2.0)

2 Algorithm negotiation

They agree on:

  • Key exchange algorithm
  • Encryption algorithm (AES, ChaCha20)
  • MAC (message authentication)
  • Compression (optional)

Phase 3: Key Exchange (KEX)

GitHub and your machine performs:

  • Diffie-Hellman or ECDH exchange
  • Generate a shared session key

Now:

  • A symmetric encryption key exists
  • All traffic becomes encrypted

Phase 4: Server Authentication

GitHub presents its host key fingerprint.

On first connection you see:

The authenticity of host 'github.com' can't be established.

If accepted, it gets saved in:

~/.ssh/known_hosts

This prevents man-in-the-middle attacks.

Phase 5: User Authentication

Now GitHub must verify you.

Here's the cryptographic flow:

  1. GitHub checks which public keys are associated with your account.
  2. It sends cryptographic challenge.
  3. Your SSH client:
    1. Uses your private key
    2. Signs the challenge
  4. GitHub verifies the signature using your stored public key.
  5. If valid -> authentication successful.

Your private key is NEVER transmitted.

What Happens During git push

When you run:

git push origin main

Here's the deep flow:

  1. Git determines remote URL:

    git@github.com:username/repo.git
  2. Git invokes SSH internally.
  3. SSH authenticates (as explained above).
  4. GitHub checks:
    1. Does this user have write access?
    2. Does the repository exist?
    3. Is branch protection enabled?
  5. Git sends:
    1. Commit objects
    2. Tree objects
    3. Blob objects
    4. Refs update
  6. GitHub verifies and updates the repository.

All data transfer happens inside the encryption SSH tunnel.

Deploy Keys vs Personal SSH Keys

GitHub supports two SSH models:

  • Personal SSH Key
    • Linked to your GitHub account
    • Access to all repos you have permission for
  • Deploy Key
    • Linked to a single repository
    • Used in servers or CI/CD
    • Can be read-only or read-write

 

Buy Me A Coffee

Leave a comment

Your email address will not be published. Required fields are marked *