
How SSH Works Internally: Handshake, Encryption & Authentication Explained

Shahroz Javed
Oct 30, 2025


You’ve learned how to use SSH and generate keys — now let’s look behind the curtain. What really happens when you type ssh user@server in your terminal? Let’s break down the internal process step by step, so you understand how SSH keeps your data safe and your identity verified.

What Happens When You Connect via SSH?

SSH isn’t just “magic encryption” — it’s a series of carefully designed security steps. Every time you connect to a server, these major phases occur:

⚠️ SSH never sends your password or private key over the network — it uses cryptographic verification instead.

Phase 1: SSH Handshake (Key Exchange)

When you first connect to a server, your SSH client and the server “shake hands” to agree on how to talk securely. This handshake ensures that:

# When you connect for the first time, you’ll see:
The authenticity of host 'your-server.com (192.168.x.x)' can't be established.
ED25519 key fingerprint is SHA256:abc123xyz...
Are you sure you want to continue connecting (yes/no)?

That fingerprint is a SHA-256 hash of the server’s public host key. Once you accept it, SSH stores the host key in ~/.ssh/known_hosts so it can verify you’re talking to the same server next time.

How the Key Exchange Works (Simplified)

  1. 🔹 The server sends its public key to your SSH client.
  2. 🔹 Your client uses that to create a shared secret.
  3. 🔹 Both sides now have the same secret (but no one else does).
  4. 🔹 All future traffic is encrypted using this shared secret.

Phase 2: Encryption Setup

Once the handshake is complete, both sides agree on which encryption algorithm to use — commonly AES-256 or ChaCha20. This makes all communication unreadable to anyone else.

# Example of encryption algorithms used internally
aes256-ctr
chacha20-poly1305@openssh.com

From this point, every message between you and the server is encrypted and tamper-proof.

Phase 3: Authentication

After encryption is ready, SSH verifies who you are. There are two main ways this happens:

⚠️ SSH never sends your private key to the server — it only sends a signature (proof that you have it).

Public Key Authentication in Action

  1. Server sends a random message (challenge) to your SSH client.
  2. Your client signs it using your private key.
  3. The server verifies the signature using your public key.
  4. If the signature matches — you’re in! 🎉

# Typical login command
ssh user@host

# If authenticated via key, you won’t be asked for password

Phase 4: Secure Communication Channel

Once authentication succeeds, SSH opens a fully encrypted tunnel. All your commands, files, and outputs now travel safely inside this tunnel.

# Everything you run now goes through the SSH tunnel
ls -al
git pull
sudo systemctl restart nginx

You can even use the same tunnel for secure file transfer (SCP/SFTP) or port forwarding for databases and web apps.

Understanding SSH Trust (Known Hosts)

SSH keeps a record of every server you’ve connected to in the ~/.ssh/known_hosts file. This protects you from “man-in-the-middle” attacks — if the server’s fingerprint changes unexpectedly, SSH will alert you before connecting.

# To remove a mismatched host key (after confirming the key change is legitimate)
ssh-keygen -R your-server.com
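
As an added example (not code from the original post), this Python sketch shows the known_hosts check described here and the fingerprint from Phase 1: it computes a host key's SHA256 fingerprint and compares a presented key with pinned entries, plain or hashed. The keys, the salt, the 192.168.0.10 address and the example.test hosts are constructed; wildcard patterns and @cert-authority/@revoked lines are not handled.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH string: uint32 length + bytes

def make_key(seed: int) -> str:
    """Constructed (not real) ssh-ed25519 public key blob, base64-encoded."""
    raw = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw)).decode()

def fingerprint(key_b64: str) -> str:
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(host: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """Match a plain (comma-separated) or hashed host field; no wildcards."""
    if field.startswith("|1|"):
        salt = field.split("|")[2]
        return hmac.compare_digest(hashed_host(host, base64.b64decode(salt)), field)
    return host in field.split(",")

def check_host(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'changed' (key differs from the pinned one) or 'unknown'."""
    result = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        if host_matches(fields[0], host) and fields[1] == key_type:
            if fields[2] == key_b64:
                return "match"
            result = "changed"
    return result

PINNED = make_key(1)  # constructed key, standing in for the one accepted at first connect
KNOWN_HOSTS = "\n".join([
    "your-server.com,192.168.0.10 ssh-ed25519 " + PINNED,
    hashed_host("db.example.test", b"constructed-salt-20b") + " ssh-ed25519 " + PINNED,
])

if __name__ == "__main__":
    for host, key in [("your-server.com", PINNED), ("your-server.com", make_key(2))]:
        print(host, fingerprint(key), check_host(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

A "changed" result is the condition under which ssh refuses to connect and prints its host key warning; "unknown" corresponds to the first-connection prompt shown in Phase 1.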

Bonus: SSH Handshake Visualization

[Figure: SSH Handshake Diagram. Visual representation of the SSH key exchange process.]

Conclusion

SSH is a masterpiece of modern cryptography — combining asymmetric (public/private key) and symmetric (shared key) encryption to ensure total security. Understanding how it works gives you the confidence to use it safely and automate your workflows like a professional.
