Introducing the 2024 PKI & Digital Trust Report     | Download the Report

The What, Why & How of SSH Protocol


The business environment is transforming. Enterprises have embarked into a digital transformation journey adopting emerging technologies that allow them to move fast and change how they collaborate, reducing costs and increasing productivity. However, these technologies have vanished the traditional perimeter and identity has become the new line of defense.

Modern challenges require modern security approaches. The use of passwords to authenticate privileged access to mission-critical assets is no longer acceptable. Passwords are infamous for being insecure, creating fatigue and a false sense of security. Enterprises need to adopt passwordless solutions – this is where the SSH key-based authentication comes in handy.

What is the SSH Protocol?

Created in 1995 by Tatu Ylönen, SSH protocol, known also as Secure Shell or Secure Socket Shell, is a network protocol that gives system administrators a secure way to access remote assets over an unsecured network.

SSH provides password or public-key based authentication and encrypts connections between two network endpoints. It is a secure alternative to legacy login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

In addition to providing strong encryption, SSH is widely used by network administrators to manage systems and applications remotely, deliver software patches, or execute commands and move files.

How the SSH Protocol Works

Server (Host) Authentication

SSH protocol is built into Unix and Linux servers to enable secure connections between systems. The connection is established by an SSH client that intends to connect to an SSH server. The SSH client initiates

the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase, the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.

The image below, adapted from NIST IR 7966, presents a simplified flow of an SSH connection:

SSH Blog 1

1. Client initiates connection to SSH server.
2. The server sends its public key to the client.
3. The server’s public key is saved in the client’s known hosts file.
4. The client and the server negotiate the connection parameters and establish connection.

Encryption and integrity

During the connection setup, the client and server negotiate and agree upon the symmetric encryption algorithm to be used for their communication and generate the encryption key to be used.

The SSH protocol uses industry standard strong encryption algorithms, like AES, to secure the communication between the involved parties. In addition, the protocol uses hashing algorithms, such as SHA-2, to ensure the integrity of the data transmitted.

Client (User) Authentication

SSH protocol enables client authentication using traditional passwords or public key authentication. However, given the risks and inefficiencies of using passwords, public key authentication is more widely used. Not only are SSH keys much stronger than passwords, they also enable system admins to bypass the need for a manual password-based login.

How does a user authenticate with SSH keys? They generate a public-private key pair with an SSH client (e.g. OpenSSH) using the ssh-keygen command. Once created, the user places their authorized key (public key) into the authorized_keys file on the server they need to connect to.

When the user remotely logs in using key-based authentication, the OpenSSH server looks for authorized keys, and the user authenticates to the server with its corresponding private key.

Since it doesn’t require manual authentication, key-based authentication is often used to secure IT process automation use cases, such as secure automated file transfers, backup and copy processes, or configuration management tools (i.e. Ansible, Terraform, Chef or Puppet).

Common Use Cases for SSH Protocol

SSH connections have mostly been used to secure different types of communications between a local machine and a remote host, including:

  • Secure remote access to resources
  • Remote execution of commands
  • Delivery of software patches and updates
  • Interactive and automated file transfers


In addition to creating a secure channel between local and remote computers, SSH protocol is used for managing critical corporate infrastructure such as routers, server hardware, virtualization platforms, and operating systems.

SSH keys are used to automate access to servers and often are used in scripts, backup systems and configuration management tools. Because of their design that allows connectivity across organizational boundaries, SSH keys provide single sign-on (SSO) capabilities allowing users to move between their accounts without typing a password each time

SSH in a Perimeterless Environment

Advances in technology and emergency situations, like the COVID-19 public health crisis, have renewed interest in, and adoption of, SSH.

Businesses not only are moving to the cloud, but they are using a plethora of cloud-based PaaS, IaaS, and SaaS platforms. At the same time, they still have many legacy, business-oriented applications hosted on-premise. In this hybrid, multi-cloud environment, the biggest challenge is how to maintain a robust and effective Identity and Access Management (IAM) system.

Traditional password-based authentication mechanisms no longer work, and wherever they are present, they are the sources of fog and friction, leading to numerous data breaches or incidents because of credential abuse.

On the other hand, DevOps leverages native, well-known tools and processes in an agile and iterative fashion in teams that are self-sufficient and capable of rapid and frequent, even daily, code releases. Despite

the obvious advantages of a highly automated, high-frequency release cycle, there are challenges to be met, especially with securing the software being released. Businesses need to ensure the delivery of applications and updates that have not been tampered or altered by malicious actors to serve as Trojan Horses when installed in the end-user devices.

Finally, the COVID-19 crisis has forced millions of employees to work from their home, using their own devices and accessing corporate assets through their home Wi-Fis. The IT security teams are faced with numerous new challenges: how do you enforce a strong authentication scheme to ensure that only authorized people and devices access mission sensitive assets?

For all the above modern challenges, the SSH protocol serves as the modern solution. In DevOps, SSH is the fundamental secure building block that enables the rapid, frequent, and highly automated build and release process favored by DevOps. In multi-cloud and remote working environments, SSH protocol offers the solution for a passwordless access management, capable of a single-sign-on (SSO), frictionless experience. SSH can also be used for issuing just-in-time, ephemeral certificates, that expire when the authorization is over.

Using SSH together with IAM automation platforms, organizations can strengthen their authentication schemes not only for the privileged users (PAM), but for every employee and/or device requesting access to corporate assets.

The Risks of SSH Key Abuse

The above use cases highlight the importance of SSH keys and their secure and effective management. The problem is that most organizations are not aware of the vast numbers of SSH keys they hold and therefore, these keys are left untracked and unmanaged. Unmanaged keys expose organizations to significant risks that could in the worst case bring down critical information systems for months.

SSH keys provide the same access as usernames and passwords. Furthermore, they often grant root access to privileged accounts on the operating system level, giving a command line. They also grant access to resources – production servers, databases, routers, firewalls, disaster recovery systems, financial data, payment systems, intellectual property, and patient information.

An attacker getting root access means they can do anything on the server – including inject fraudulent data, subvert encryption software, install persistent malware, or outright destroy the system. Confidentiality, integrity, and continuity of operations are all compromised. Even if the key gives non-root access, local privilege escalation vulnerabilities can often result in the attacker gaining root access.

Here are just a few examples below:

  • Originally a banking trojan that first appeared in 2016, TrickBot has evolved into a universal crimeware solution that now primarily targets enterprise environments. In 2019, TrickBot added SSH key-grabbing capabilities for both PuTTY (SSH client for Microsoft) and OpenSSH.
  • CryptoSink crypto-mining campaign targeting Elasticsearch systems, backdoors the target servers by adding the attacker’s SSH keys.
  • Kaji malware targets IoT devices that have left their SSH port exposed on the internet. According to the researchers who discovered this malware, once it gains access to a device’s root account, Kaiji will use the device in three ways. First, for DDoS attacks. Second, to carry out more SSH brute-force attacks against other devices. Third, to steal any local SSH keys and spread to other devices the root account has managed in the past.
  • Back in 2016, the BlackEnergy cybercriminals group that targeted the Ukrainian electric utilities and media, used a backdoored SSH server called Dropbear. According to the ESET researchers, the attackers deployed a variant of this software on compromised machines that had been pre-configured to accept a hard-coded password and key for SSH authentication. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want.


To reap the benefits of SSH protocol and to defend yourself against SSH key abuse, you must ensure complete visibility and intelligence over all authorized SSH keys used by the enterprise on-premise and in the cloud.

However, since attackers may also insert their own SSH keys into target environments, it is important to focus not just on the known keys, but on discovering and analyzing all keys that are being used across your organization.

To learn more about the challenges of SSH key sprawl and how you can start to take back control, join our upcoming webinar, Ghost Hunt: How to Find & Secure SSH Keys in Your Network.