This content originally appeared on DEV Community and was authored by Naval Kishor Upadhyay
SSH (Secure Shell) is the tool that engineers use to log into servers safely. It solves two big problems:
- Privacy — everything you type and receive is encrypted so outsiders can’t read it.
- Identity — the server knows it’s really you, and you know it’s really the server.
Let’s walk through how SSH makes this possible, step by step.
1. The problem SSH solves
Without protection, your password or commands would travel across the network in plain text. Anyone listening could steal them. SSH was built to prevent this.
It guarantees:
- Encryption so the session can’t be spied on.
- Authentication so access is only granted to the right person.
2. Your digital identity: SSH keys
SSH avoids sending passwords by using a pair of keys:
- Private key → stored on your laptop, never shared.
- Public key → copied to the server.
3. How the login actually works
Here’s what happens when you type ssh user@server:
Connection starts
Client and server set up a secure channel so no one can listen in.Server identity check
The server shows its own “host key.” Your computer checks it against saved records to ensure you’re not talking to an impostor.-
Authentication
- The server finds your public key in its records.
- It sends you a random challenge: “Prove you own the private key.”
- Your computer signs this challenge with your private key.
- The server uses your public key to verify the signature.
- If it matches, you are authenticated — without ever sending a password.
4. Deep dive: verifying the signature
This is the heart of SSH authentication — how the server proves you really have the private key.
The server already has:
- the public key you uploaded earlier
- the fresh challenge it just generated
Your laptop produces a signature of that challenge using your private key.
Example:
Signature: MEQCIF6QwG1W84yF8Lk98K1F5...aYFJ2kAbQIgJj4H
The server takes the challenge, your signature, and your public key, and runs a check:
- If the signature correctly matches the challenge with that public key →
you must own the private key.
- If not →
login is denied.
Why this works:
- Only the correct private key can produce a valid signature for that challenge.
- The challenge is random each time, so an old signature can’t be replayed.
- The private key never leaves your laptop, so there’s nothing to steal in transit.
5. Why this is secure
- No password is sent over the network — nothing reusable to steal.
- The private key stays with you — only a mathematical proof (signature) is shared.
- Replay attacks are blocked — each login uses a fresh challenge.
- The server itself is verified — SSH warns you if a server’s identity suddenly changes.
6. Benefits in practice
- Safer than passwords — prevents brute-force guessing and credential theft.
- Easy to manage — add/remove public keys to control access.
- Automation-friendly — scripts and systems can log in without storing passwords.
- Scales to teams — each engineer gets their own key; revoking access is as simple as removing one line.
7. What can go wrong
- If your private key file is stolen and not protected by a passphrase, an attacker can impersonate you.
- If you ignore SSH’s warning about a changed server identity, you may connect to an impostor.
- If teams share keys, you lose accountability — you can’t tell who did what.
Key takeaways
- SSH doesn’t rely on sending passwords — it proves identity with keys and signatures.
- The server challenges you, and your private key signs the challenge.
- If the server can verify the signature with your public key, it knows it’s really you.
- After login, all communication is encrypted with a fast shared key.
- The system is secure because the private key never leaves your device.
This content originally appeared on DEV Community and was authored by Naval Kishor Upadhyay