SSH stands for Secure Shell. It is a network protocol that lets you connect to a remote computer securely over an unsecured network like the internet. When you manage a VPS, deploy code to a server, or transfer files between machines, SSH is almost certainly what you are using to do it.
Before SSH existed, people used protocols like Telnet and rlogin to connect to remote servers. The problem was that these protocols sent everything in plain text, including your password. Anyone monitoring the network could see exactly what you typed. SSH was created in 1995 by a Finnish researcher named Tatu Ylönen after a password-sniffing attack at his university. He built a protocol that encrypts the entire connection, so that anyone monitoring the network can no longer read what is sent.
Today SSH is the standard way to manage remote servers. It is installed by default on virtually every Linux distribution, macOS, and even Windows 10 and later. If you have ever opened a terminal and connected to a server, you have used SSH.
SSH creates an encrypted tunnel between your computer and the remote server. Everything that passes through this tunnel, your commands, the server's responses, file transfers, and even your password if you use one, is encrypted so that nobody between you and the server can read it.
The process starts with a handshake. When you connect to a server, your SSH client and the server agree on an encryption method. They exchange cryptographic keys to set up the encrypted channel. Once the channel is established, you authenticate yourself, either with a password or an SSH key. After authentication, you have a secure connection and can start working.
The encryption SSH uses is the same kind that protects online banking and e-commerce. It is based on well-tested cryptographic algorithms that would take billions of years to crack with current technology. This is why SSH replaced Telnet so completely. There is simply no reason to send data unencrypted when SSH makes encryption effortless.
The simplest way to log into a server over SSH is with a username and password. You type your password, it gets encrypted and sent to the server, and the server checks it against its records. If it matches, you are in.
Password authentication works, but it has weaknesses. If your password is short or common, automated bots can guess it through brute force attacks. These bots try thousands of password combinations per hour against servers all over the internet. A strong, unique password mitigates this risk, but there is a better option.
SSH keys are the recommended way to authenticate. Instead of a password, you use a pair of cryptographic keys. One is your private key, which stays on your local machine and should never be shared with anyone. The other is your public key, which you place on the server.
When you connect, the server sends a challenge that can only be answered correctly if you have the matching private key. Your SSH client uses your private key to respond, and the server verifies the response against the public key. If they match, you are authenticated. The private key never leaves your machine and is never sent over the network.
The security advantage is enormous. An SSH key is typically 2048 or 4096 bits long. Brute forcing a key of that length is computationally impossible with any technology that exists or is expected to exist in the foreseeable future. Even if an attacker intercepts the authentication exchange, they cannot derive your private key from it.
Most server administrators disable password authentication entirely once SSH keys are set up. This eliminates brute force attacks completely because there is no password to guess.
For additional security, you can configure SSH to require both an SSH key and a second factor, such as a time-based one-time password from an authenticator app. This means that even if someone somehow obtains your private key, they still cannot log in without the second factor. This level of security is common in enterprise environments and for servers that handle sensitive data.
The most common use of SSH is logging into a remote server to manage it. Once connected, you have a command line interface where you can run any command as if you were sitting in front of the machine. You can install software, edit configuration files, restart services, check logs, and do anything else the operating system allows.
When you set up a Linux VPS, SSH is how you connect to it for the first time and how you manage it going forward. Your provider gives you an IP address and credentials, and you use SSH to log in.
SSH includes built-in file transfer capabilities through two related protocols. SCP, which stands for Secure Copy Protocol, lets you copy files between your local machine and a remote server using a simple command. SFTP, which stands for SSH File Transfer Protocol, provides a more feature-rich file transfer experience with the ability to browse directories, resume interrupted transfers, and manage files on the remote server.
Both SCP and SFTP use the same SSH encryption, so your files are protected during transfer. This makes them the secure alternative to FTP, which like Telnet sends data in plain text.
SSH can create encrypted tunnels that forward network traffic between your local machine and the remote server. This is called port forwarding, and it has several practical uses.
Local port forwarding lets you access a service on the remote server as if it were running on your local machine. For example, if a database on your server only accepts connections from localhost for security reasons, you can create an SSH tunnel that forwards your local port to the server's database port. Your database client connects to localhost on your machine, and SSH transparently forwards the connection to the remote database through the encrypted tunnel.
Remote port forwarding does the opposite. It makes a service on your local machine accessible through the remote server. This is useful when you want to share a local development server with someone else or when you need to expose a local service to the internet temporarily.
For a deeper look at SSH port configuration and security, check out our SSH port guide, which covers changing the default port and hardening your setup.
If you use Git for version control, you are probably using SSH without realizing it. When you clone a repository using an SSH URL, push code to GitHub or GitLab, or pull updates from a remote repository, Git uses SSH to authenticate you and encrypt the transfer. This is why you add your SSH public key to your GitHub account. It lets Git authenticate you automatically without asking for a password every time.
You do not always need an interactive session. SSH lets you run a single command on a remote server and get the result back immediately. This is useful for quick checks like seeing how much disk space is available, checking if a service is running, or restarting a process. It is also the foundation for automation scripts that manage multiple servers.
SSH is built into every Linux distribution and macOS. Open a terminal and the ssh command is ready to use. No installation required. The SSH client, key generation tools, and file transfer utilities are all included as part of the base system.
Windows 10 and later include an SSH client built into PowerShell and Command Prompt. You can use it the same way you would on Linux or macOS. For older versions of Windows, PuTTY is the most popular SSH client. It provides a graphical interface for managing connections and supports all SSH features including key authentication and port forwarding.
Windows also supports SSH through the Windows Subsystem for Linux, which gives you a full Linux environment running inside Windows. This is popular among developers who want Linux tools without running a separate machine.
If you prefer a full graphical desktop instead of a command line, a Windows RDP server gives you remote desktop access using the Remote Desktop Protocol, which is the Windows equivalent of SSH for graphical environments.
Creating an SSH key pair takes one command. Run ssh-keygen on your local machine and it will generate a private key and a public key. The default algorithm is Ed25519 on modern systems, which is fast and secure. You can also use RSA with a 4096 bit key length for compatibility with older systems.
During generation, you will be asked for a passphrase. This is an optional password that encrypts your private key file. If someone steals your private key file, they still need the passphrase to use it. For servers you access frequently, you can use an SSH agent to cache the passphrase so you only enter it once per session.
The easiest way to install your public key on a server is with the ssh-copy-id command. It connects to the server using your password, creates the necessary directory and file if they do not exist, and adds your public key to the authorized keys list. After this, you can log in with your key instead of a password.
If ssh-copy-id is not available, you can manually copy the contents of your public key file and paste it into the authorized_keys file on the server. The file lives in the .ssh directory inside your home directory on the server.
Once your SSH key is working, the recommended next step is to disable password authentication entirely. Edit the SSH daemon configuration file on the server and set PasswordAuthentication to no. Restart the SSH service and password logins are no longer accepted. This is the single most effective security measure you can take for your server.
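Setting PasswordAuthentication to no has no effect if another line for the same keyword is read earlier, because sshd uses the first value it obtains for each keyword. The following added example (not from the original article) reports which value wins across files given in the order sshd reads them; the file names and contents are constructed, Include lines are not expanded, and parsing stops at the first Match block.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd uses the FIRST value it reads for each keyword, so appending
# "PasswordAuthentication no" does nothing if an earlier line says "yes".

# effective_value KEYWORD DEFAULT FILE...
# FILEs are given in the order sshd reads them. Simplifications: Include lines
# are not expanded and parsing stops at the first Match block.
effective_value() {
    kw=$1; dflt=$2; shift 2
    awk -v want="$kw" -v val="$dflt" '
        BEGIN { want = tolower(want) }      # keywords are case-insensitive
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }             # global section ends here
        key == want { val = $2; exit }      # first occurrence wins
        END { print tolower(val) }
    ' "$@"
}

# password_login_disabled FILE... -> succeeds only if the effective value is "no"
password_login_disabled() {
    [ "$(effective_value PasswordAuthentication yes "$@")" = "no" ]
}

# write_samples DIR: constructed files for the demonstration
write_samples() {
    printf '%s\n' '# constructed drop-in left by an image or provider' \
        'PasswordAuthentication yes' > "$1/10-provider.conf"
    printf '%s\n' 'PermitRootLogin no' '' '# appended by the administrator' \
        'passwordauthentication no' > "$1/sshd_config"
}

tmp=$(mktemp -d)
write_samples "$tmp"
main=$tmp/sshd_config; dropin=$tmp/10-provider.conf
# Main file alone: looks hardened.
echo "main file only: $(effective_value PasswordAuthentication yes "$main")"
# Drop-in read before the main file's own setting: still "yes".
echo "drop-in first:  $(effective_value PasswordAuthentication yes "$dropin" "$main")"
password_login_disabled "$dropin" "$main" ||
    echo "password logins are still accepted"
rm -rf "$tmp"
```

On a real server, running `sshd -T` as root prints the effective configuration, including included files, and is the authoritative check after a restart.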
Our Ubuntu server setup guide walks through the complete process of setting up SSH keys and hardening your server from scratch.
If you manage multiple servers, typing out full SSH commands with IP addresses, usernames, ports, and key file paths gets tedious quickly. The SSH configuration file solves this by letting you create shortcuts.
The file lives at ~/.ssh/config on your local machine. Each entry defines a host alias with the connection details. You specify the hostname or IP address, the username, the port if it is not the default, and the path to the private key file. After saving the configuration, you can connect by typing just the alias instead of the full command.
The config file also lets you set default options for all connections. You can enable connection keepalives to prevent timeouts, set a default username, specify preferred authentication methods, and configure other options that apply to every server you connect to.
The most common SSH error is an authentication failure. If you are using a password, double check that it is correct and that the username is right. If you are using SSH keys, make sure your public key is in the authorized_keys file on the server, the file permissions are correct, and you are using the right private key. SSH is strict about file permissions. The .ssh directory should be readable only by your user, and the authorized_keys file should not be writable by anyone else.
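The two permission rules above can be checked mechanically on the server. This added example (not from the original article) applies them exactly as stated, using only POSIX find; the demonstration directory is constructed in a temporary location.

```shell
#!/bin/sh
# Added example, not from the original article.
# Checks the two permission rules described above using only POSIX find.

# has_any_perm PATH BITS... -> succeeds if PATH has any of the listed mode bits
has_any_perm() {
    target=$1; shift
    for bits in "$@"; do
        # -prune keeps find from descending; -perm -BITS means "all of BITS set"
        [ -n "$(find "$target" -prune -perm "-$bits" 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_ssh_dir DIR -> prints one finding per line; returns 1 if any were found
audit_ssh_dir() {
    dir=$1; findings=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"; return 1
    fi
    # Any group/other access on .ssh itself (read, write or search).
    if has_any_perm "$dir" 040 020 010 004 002 001; then
        echo "$dir is accessible to other users (chmod 700)"; findings=1
    fi
    # authorized_keys may be readable, but not writable, by group/other.
    if [ -f "$dir/authorized_keys" ] &&
       has_any_perm "$dir/authorized_keys" 020 002; then
        echo "$dir/authorized_keys is writable by other users (chmod 600)"; findings=1
    fi
    return "$findings"
}

# Constructed demonstration: a deliberately misconfigured directory.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo/.ssh"; chmod 664 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" || echo "fix the findings above, then retry the login"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" && echo "permissions OK"
rm -rf "$demo"
```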
A timeout means your SSH client cannot reach the server. Check that the server is online, the IP address is correct, and no firewall is blocking the SSH port. If you recently changed the SSH port, make sure you are connecting to the new port and that the firewall allows it.
SSH remembers the identity of every server you connect to. If a server's identity changes, SSH warns you because this could indicate a man-in-the-middle attack. However, it also happens legitimately when a server is reinstalled or its IP address is reassigned. If you are sure the change is legitimate, remove the old entry from your known_hosts file and connect again.
SSH connections can drop if there is no activity for a while. The server or a network device in between closes idle connections. To prevent this, configure your SSH client to send keepalive packets at regular intervals. Add ServerAliveInterval 60 to your SSH config file, and your client will send a small packet every 60 seconds to keep the connection active.
Telnet is the predecessor to SSH and should never be used for anything. It sends all data including passwords in plain text. SSH does everything Telnet does but with encryption. There is no scenario where Telnet is a better choice than SSH.
RDP, or Remote Desktop Protocol, is Microsoft's protocol for graphical remote desktop access. SSH gives you a command line interface, while RDP gives you a full graphical desktop. They serve different purposes. SSH is for managing servers, running commands, and transferring files. RDP is for using a Windows desktop remotely, running graphical applications, and doing work that requires a visual interface.
Many administrators use both. SSH for quick server management tasks and RDP when they need a graphical environment.
A VPN creates an encrypted tunnel for all network traffic between your device and a network. SSH creates an encrypted tunnel for a specific connection. VPNs are broader in scope, protecting all your internet traffic. SSH tunnels are more targeted, encrypting specific connections to specific servers. You can use SSH port forwarding as a lightweight alternative to a VPN for accessing specific services, but it is not a full replacement for all VPN use cases.
- Use SSH keys instead of passwords. This is the most important step.
- Disable password authentication after setting up keys.
- Disable root login over SSH. Use a regular user with sudo privileges.
- Keep your SSH software updated on both client and server.
- Use a strong passphrase on your private key.
- Consider changing the default SSH port to reduce automated scan noise.
- Install Fail2Ban to automatically block IP addresses with too many failed login attempts.
- Limit SSH access to specific IP addresses if possible.
- Review your authorized_keys file periodically and remove keys that are no longer needed.
- Use Ed25519 keys for the best combination of security and performance.
If you have never used SSH before, the learning curve is gentle. Open a terminal on your computer, type the ssh command followed by your username and server IP address, enter your password when prompted, and you are connected. From there, you can start learning commands, setting up SSH keys, and exploring what your server can do.
SSH is one of those tools that becomes second nature quickly. Within a few days of managing a server, connecting over SSH will feel as natural as opening a web browser. And once you set up SSH keys and a config file, connecting to any of your servers takes a single short command.
Ready to get started? An Ubuntu VPS comes with SSH enabled out of the box, so you can connect and start working within minutes of provisioning.
Written by Sophie Laurent
Technical Writer & DevOps Engineer
Bridges complex infrastructure topics and practical guides for everyone.