Definition
SSH, the Secure Shell protocol, is the standard way to open an encrypted command session on a remote computer over an untrusted network. Underneath the protocol negotiates a fresh symmetric session key using a public-key handshake, authenticates the user with either a password or a key pair, and then tunnels a bidirectional stream of bytes that carries the remote shell, file transfers, and arbitrary forwarded TCP connections.
SSH replaced the unencrypted telnet and rlogin protocols of the early Internet, which transmitted passwords and keystrokes in plain text. Today it is the connective tissue of operations work: every server login, every git push to a private host, and every infrastructure automation tool reaches for SSH as its baseline trust primitive.
Why it matters
How it works
A client opens a TCP connection to port 22 on the server and the two endpoints negotiate a session. The server presents a host public key; the client checks it against the known_hosts file and refuses the connection if it does not match — this is the defence against on-path attacks. The two sides then run a Diffie-Hellman exchange to derive a fresh symmetric key for the session, after which every subsequent byte is encrypted. The user then authenticates: either by typing a password or, more commonly, by proving possession of a private key whose public counterpart is in the server's authorized_keys file.
Once authenticated, the connection becomes a multiplexed channel. The default channel is an interactive shell or a one-off command. Additional channels can be opened for sftp file transfers, X11 forwarding, or arbitrary TCP port forwards in either direction. Port forwarding is particularly powerful: a single ssh invocation can make a remote service appear on a local port, or vice versa, allowing secure access to internal services without exposing them to the public internet. The SSH agent caches decrypted private keys in memory and answers signing requests from child processes, which is what lets a developer push to twenty repositories without retyping a passphrase each time.