SSH is one of the most important tools in any IT professional’s toolkit — and one of the first things you’ll need when working with Linux servers. This guide explains exactly what SSH is, how it works, and how to use it securely from day one.
What Does SSH Stand For?
SSH stands for Secure Shell. It’s a network protocol that gives you a secure, encrypted command-line connection to a remote computer — typically a Linux server. Think of it as a secure tunnel between your local machine and the server, through which you can run commands as if you were physically sitting in front of it.
SSH replaced older, insecure protocols like Telnet and rlogin, which transmitted everything — including passwords — in plaintext.
How Does SSH Work?
SSH uses public-key cryptography to authenticate and encrypt the connection. Here’s the simplified flow:
- Your SSH client initiates a connection to the server on port 22
- The server presents its host key — your client verifies it matches a previously trusted key (or asks you to trust it on first connection)
- An encrypted channel is established
- You authenticate — either with a password or an SSH key pair
- You now have an interactive shell session on the remote server
How to Connect to a Server via SSH
The basic syntax is:
ssh username@hostname_or_ip
For example:
ssh root@192.168.1.100
ssh steve@myserver.example.com
On Windows, SSH is available natively in PowerShell and Command Prompt from Windows 10 onwards. On macOS and Linux it’s available in any terminal by default.
SSH Keys vs Passwords
Password authentication works, but it’s less secure and less convenient than SSH key authentication. Here’s why:
- Passwords can be guessed or brute-forced — SSH keys cannot
- Your private key never travels over the network — only a cryptographic signature does
- Once set up, key authentication is faster — no typing a password each time
Generating an SSH Key Pair
Run this command on your local machine (not the server):
ssh-keygen -t ed25519 -C "your@email.com"
This creates two files:
- ~/.ssh/id_ed25519 — your private key. Never share this with anyone.
- ~/.ssh/id_ed25519.pub — your public key. This goes on the servers you want to access.
Copying Your Public Key to a Server
ssh-copy-id username@server_ip
Or manually — append the contents of your .pub file to ~/.ssh/authorized_keys on the server.
Useful SSH Options and Config
Connecting on a non-standard port
Some servers run SSH on a port other than 22 to reduce automated scanning. Use the -p flag:
ssh -p 2222 user@server_ip
Using an SSH config file for shortcuts
Instead of typing long connection strings every time, create or edit ~/.ssh/config:
Host myserver
    HostName 192.168.1.100
    User steve
    Port 22
    IdentityFile ~/.ssh/id_ed25519
Now you can connect with just ssh myserver.
SSH tunnelling (port forwarding)
SSH can forward local ports to remote services — useful for accessing a database or admin panel on a server that isn’t exposed to the internet:
# Forward local port 3306 to MySQL on the remote server
ssh -L 3306:localhost:3306 user@server_ip
Now you can connect to localhost:3306 on your machine and it’ll route through to the remote MySQL instance.
Securing SSH
Once you’re comfortable with SSH, take these steps to harden it:
- Disable password authentication — only allow key-based login (PasswordAuthentication no in /etc/ssh/sshd_config)
- Disable root login (PermitRootLogin no) — always use a named user with sudo
- Change the default port — moving from port 22 reduces automated scan noise (security through obscurity, but still worth doing)
- Install fail2ban — automatically bans IPs with too many failed login attempts
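To confirm the sshd_config settings from the list above actually took effect, the following added example (not part of the original article) audits a config file for them. The function names sshd_value and audit_sshd and the sample file are hypothetical; it assumes whitespace-separated keywords, does not follow Include files, and falls back to OpenSSH defaults for unset keywords.

```sh
#!/bin/sh
# Added example: check an sshd_config-style file against the hardening list above.
# Assumptions: keyword and value are whitespace-separated, Include files are not
# followed, and unset keywords fall back to OpenSSH defaults.

# Print the global value of keyword $2 in file $1.
# sshd keeps the FIRST value it reads for a keyword, so stop at the first hit;
# lines after a "Match" line are conditional, so stop there too.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per finding; return 0 only if both FAIL checks pass.
audit_sshd() {
    rc=0
    pw=$(sshd_value "$1" PasswordAuthentication)
    root=$(sshd_value "$1" PermitRootLogin)
    port=$(sshd_value "$1" Port)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL PasswordAuthentication is '${pw:-yes}', want 'no'"; rc=1
    fi
    if [ "${root:-prohibit-password}" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-prohibit-password}', want 'no'"; rc=1
    fi
    if [ "${port:-22}" = "22" ]; then
        echo "NOTE Port is 22 (default); expect automated scan noise"
    fi
    return "$rc"
}

# Constructed sample: the later "PasswordAuthentication no" is ignored by sshd
# because an earlier line already set the keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
Port 2222
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "sample config is not hardened"
rm -f "$sample"
```

On a live server, sshd -T prints the effective configuration (including Include files), which is the authoritative thing to check before you close your existing session.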
Get a VPS to Practice On
The best way to learn SSH is to have a server to connect to. Spin up a cheap VPS on Vultr or DigitalOcean — both start from just a few dollars a month and you can destroy it when you’re done.
Disclosure: This article contains affiliate links. I may earn a commission if you sign up through these links, at no extra cost to you.