At some point, the website or app you’re building stops living on your laptop and moves onto a real server — a machine that’s always online, sitting in a data center you’ll probably never see. That raises an obvious question: if you can’t sit in front of it, how do you actually control it? How do you install software, edit files, restart things, and check what went wrong?
The answer, almost universally, is SSH. It’s the tool that lets you open a terminal on a computer that’s thousands of kilometers away and type commands as if you were right there. Once you understand SSH, a server stops feeling like a distant black box and starts feeling like just another machine you can reach. Let’s build that understanding from the ground up.
What SSH actually is
SSH stands for Secure Shell. Break that into two halves and the whole idea falls into place.
A shell is the program that reads the commands you type and runs them — it’s the thing behind the command-line prompt. When you open a terminal on your own machine, you’re talking to a shell. SSH gives you a shell on a different machine, over the network. You type, the remote computer runs the command, and the output comes back to your screen.
The secure part is just as important. Everything you send over an SSH connection — your commands, your password, the files you transfer, the results that come back — is encrypted. Even if someone is watching the network between you and the server, all they see is scrambled noise. That’s a big deal, because SSH replaced older tools like Telnet that sent everything, passwords included, in plain readable text.
So put simply: SSH is a secure way to log into and control a computer remotely. If you’ve heard people say “ssh into the server,” that’s exactly what they mean — opening one of these encrypted remote sessions.
One protocol, two pieces
SSH describes a protocol — an agreed-upon way for two computers to talk securely. In practice it shows up as two cooperating programs. The SSH client runs on your machine (you start it by typing ssh). The SSH server runs on the remote machine, usually a program called sshd (the “d” is for daemon, a background service). The client connects, the server answers, and the encrypted session begins. Almost every Linux server runs sshd by default, which is why SSH is the standard way in.
How an SSH connection works
You don’t need to memorize the cryptography, but a mental model of what happens when you connect makes everything afterward less mysterious. Here’s the sequence, simplified:
- You start the connection. Your client reaches out to the server’s address, on a specific port (SSH uses port
22by default). - The server proves who it is. The server hands over its host key — a unique fingerprint that identifies this exact server. Your client checks it. The first time you ever connect, you’ll be asked to confirm you trust it.
- An encrypted tunnel is set up. The two machines agree on a shared secret using some clever math, and from this point on everything in both directions is scrambled.
- You prove who you are. Now the server needs to confirm you’re allowed in — either with a password or, much better, with a key (more on that below).
- You get a shell. Authentication passes, and a prompt appears. You’re now typing commands that run on the remote machine.
YOUR LAPTOP REMOTE SERVER
(ssh client) (sshd, port 22)
│ │
│ 1. connect ─────────────────────►│
│ │
│◄──── 2. "here's my host key" ─────│
│ │
│═══ 3. encrypted tunnel agreed ════│
│ │
│ 4. "here's who I am" ───────────►│
│◄──── 5. welcome — here's a shell ─│
│ │
you type commands ───────────────────► they run over there
Every keystroke after that travels through the encrypted tunnel. The experience feels instant and local, but you’re really driving a machine that could be on the other side of the planet.
Connecting: the ssh command
The command itself is refreshingly short. The basic form is:
ssh username@host
usernameis the account you want to log in as on the server (for examplejaneordeploy).hostis where the server lives — either an IP address like203.0.113.10or a domain name likesrv.acypartner-indonesia.example.
So a real connection might look like this:
ssh jane@203.0.113.10
If the SSH server listens on a non-default port (some are moved off 22 to cut down on automated noise), you tell ssh with -p:
ssh -p 2222 jane@203.0.113.10
The very first time you connect to a new server, you’ll see something like this:
The authenticity of host '203.0.113.10' can't be established.
ED25519 key fingerprint is SHA256:Xy9k...3Qz.
Are you sure you want to continue connecting (yes/no)?
That’s step 2 from earlier — your client showing you the server’s host key and asking if you trust it. Type yes, and the fingerprint gets saved to a file called known_hosts on your machine. From then on, your client quietly checks that the server still matches. If that fingerprint ever changes unexpectedly, SSH will loudly refuse to connect — its way of warning you that something might be impersonating your server.
Don't blindly click through a changed host key
A host key warning that pops up after you’ve connected before is not something to ignore. It usually means the server was rebuilt or reinstalled (innocent), but it can also mean someone is sitting between you and the real server. If you didn’t expect a change, stop and verify with whoever runs the server before you remove the old key and reconnect. The whole point of the host key is to catch exactly this situation.
Passwords vs. SSH keys
When the server asks you to prove who you are, there are two common ways to do it. This is the part beginners most often get wrong, so it’s worth slowing down.
Password authentication
The simplest method: you type the account’s password, the server checks it, and you’re in. It works, and it’s how a lot of people start. But it has real weaknesses. Passwords can be guessed, reused across sites, or worn down by automated bots that hammer servers trying thousands of common ones per minute. A password also has to travel (encrypted, thankfully) on every login.
Key-based authentication
The better way is a key pair — two matching files generated together:
- A private key that stays on your machine and that you never share with anyone.
- A public key that you copy onto the server.
When you connect, the two halves prove they belong together using cryptography, without your private key ever leaving your computer. The result: logins that are both more convenient (no password to type each time) and far more secure (a good key is effectively impossible to guess). For any real server, keys are the standard you should aim for.
You generate a key pair once, with:
ssh-keygen -t ed25519 -C "jane@acy-partner-indonesia"
That creates two files in your ~/.ssh/ folder: id_ed25519 (the private key — guard it) and id_ed25519.pub (the public key — safe to share). The -C part is just a comment so you can tell your keys apart later.
Then you copy the public key to the server:
ssh-copy-id jane@203.0.113.10
After that, ssh jane@203.0.113.10 logs you in using the key — no password prompt. Behind the scenes, your public key got added to a file called ~/.ssh/authorized_keys in your account on the server, which is the list of public keys allowed to log in as you.
YOUR MACHINE THE SERVER
┌──────────────────┐ ┌──────────────────────┐
│ id_ed25519 │ private │ authorized_keys │
│ (PRIVATE, stays)│ │ holds your PUBLIC │
│ id_ed25519.pub ──┼──copy────► │ key, lets you in │
└──────────────────┘ └──────────────────────┘
Treat your private key like a house key
Your private key is the one thing that must never leak. Don’t email it, don’t paste it into a chat, don’t commit it to a Git repository, and don’t copy it onto shared machines. If you want an extra layer, protect it with a passphrase when you create it — then even someone who steals the file can’t use it without that phrase. Losing a private key isn’t a disaster (you just generate a new pair and update the server), but a leaked one is, so handle it carefully.
Doing things once you’re in
After you connect, you’re simply at a Linux prompt — the same kind of shell you’d use locally. If you’ve spent any time with the command line, everything you know applies here, just on the remote machine. You can move around with cd and ls, read and edit files, check running services, and install software.
A few things worth knowing about working over SSH:
- The prompt usually tells you where you are. Something like
jane@srv01:~$reminds you which user you are (jane) and which machine (srv01). That small detail saves you from accidentally running a command on the wrong server. - To leave, type
exit(or pressCtrl+D). That closes the session and drops you back to your own machine’s prompt. - You can run a single command without a full session. Tack the command onto the end and SSH runs it, returns the output, and disconnects:
ssh jane@203.0.113.10 "uptime"
That’s handy for quick checks or scripts that need to ask a server one thing.
Which account you log in as matters, too. Logging in as a regular user and using elevated privileges only when needed is far safer than logging in as the all-powerful root user for everything. If that distinction is fuzzy, the article on users and groups covers who’s allowed to do what, and file permissions explains why not every account can touch every file.
A small comfort: the SSH config file
Typing ssh -p 2222 jane@203.0.113.10 every time gets old fast. SSH lets you save shortcuts in a file at ~/.ssh/config. Add an entry like this:
Host acy-server
HostName 203.0.113.10
User jane
Port 2222
Now this is all you type:
ssh acy-server
The client looks up acy-server in the config, fills in the address, user, and port for you, and connects. For anyone juggling more than one or two servers, this small file turns a chore into a habit you barely notice.
Why SSH matters
SSH is the front door to nearly every server you’ll ever touch. Deploying a website, fixing a bug in production, reading logs at 2 a.m. to figure out why something broke, transferring files, automating a routine task — almost all of it starts with an SSH connection. It’s not an advanced topic you can put off; it’s day-one, foundational plumbing for anyone working with servers.
It’s also the secure foundation that a lot of other tools quietly build on. File-transfer methods like SCP and SFTP run over SSH, using the same encrypted tunnel and the same keys. Deployment scripts and configuration tools connect through SSH under the hood. Learn it well once, and you’ve unlocked a whole layer of how servers are managed.
Wrapping up
Here’s everything in one place:
- SSH (Secure Shell) is a secure, encrypted way to log into and control a remote computer’s command line over a network.
- It’s split into a client (on your machine, the
sshcommand) and a server (sshd, listening on port22by default). - Connecting checks the server’s host key (so you know it’s really your server), sets up an encrypted tunnel, then verifies you.
- You authenticate with a password or, much better, an SSH key pair — a private key you guard and a public key you place on the server.
- The basic command is
ssh username@host; you leave withexit, and an~/.ssh/configfile saves you from retyping connection details.
Once you’re comfortable opening a session, the natural next step is moving files between your machine and the server — copying a build up, pulling a backup down. That’s the job of file transfer over SSH, and the keys you just set up carry straight over to it.