Secure Shell (SSH) is an industry-standard cryptographic network protocol used to securely log onto, manage, and administer remote systems over an unsecured network. It operates using a client-server architecture, connecting an SSH client program on your local machine to an SSH server (often called sshd) running on the remote machine.
SSH was designed as a secure replacement for older remote access protocols like Telnet and rsh, which dangerously transmitted passwords and data in plain text. By utilizing strong encryption to create a secure tunnel, SSH hides the contents of your transmission from potential eavesdroppers, making it safe for remote command-line execution, secure file transfers (via SFTP or SCP), and port forwarding.
An SSH key is a cryptographic key pair used for authenticating with an SSH server. It serves as a significantly more secure and convenient alternative to traditional password-based logins. SSH keys rely on asymmetric cryptography (also known as public-key cryptography) and consist of two distinct parts:
- The Private Key: This key resides solely on your local client machine and must be kept strictly secret. Because anyone possessing your private key can impersonate you, it should never be shared and is often protected by an additional passphrase for an extra layer of security.
- The Public Key: This key is designed to be shared freely. To set up authentication, you place your public key on the target remote server, typically adding it to a specific file located at
~/.ssh/authorized_keys.
How an SSH key works: When your client attempts to connect, the remote server uses your public key to issue a cryptographic challenge. Your local client then uses your private key to decrypt the challenge and generate the correct response. Because only the private key can solve the challenge created by the public key, this process successfully proves your identity without ever transmitting a password or the private key itself across the network.
Using SSH keys provides enhanced security because the keys are long strings of bits (generated by modern algorithms like Ed25519 or RSA) that are computationally infeasible for attackers to crack using brute-force methods. Furthermore, they allow for automated, passwordless logins, which are essential for seamless system administration and automated background tasks.