SSH (Secure Shell) is a cryptographic network protocol for secure remote access, command execution, and data transfer over untrusted networks. It provides encrypted communication channels using public-key cryptography, replacing legacy protocols like Telnet and FTP. SSH operates on port 22 by default and is fundamental to modern system administration, DevOps workflows, and secure remote management. With OpenSSH 10.x (current as of 2026), connections now default to post-quantum hybrid key exchange (ML-KEM + Curve25519), guarding against "harvest now, decrypt later" quantum threats; governments worldwide mandate completing this shift by 2030–2035. The key concept to remember: SSH tunnels all traffic through encrypted channels, so not just authentication but all subsequent data transfer is protected, which makes it essential for accessing servers, managing infrastructure, and transferring files securely.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 202 indexed concepts. Below is a complete table-by-table outline, from foundational concepts through advanced details.
Table 1: SSH Key Types
Ed25519 is the recommended choice for all new key generation; RSA at 4096 bits remains the compatibility fallback for legacy systems. Hardware-backed -sk variants add physical presence requirements for the strongest possible authentication against credential theft.
| Type | Example | Description |
|---|---|---|
| Ed25519 | `ssh-keygen -t ed25519 -a 100 -C "user@email.com"` | • Most recommended modern algorithm • 256-bit Edwards-curve providing best performance and security with the smallest key size • `-a 100` increases KDF rounds to slow passphrase brute-force attacks. |
| RSA | `ssh-keygen -t rsa -b 4096 -C "user@email.com"` | • Most widely supported algorithm • 4096-bit minimum for adequate security • Slower than Ed25519 but necessary for older servers that don't support newer algorithms. |
| ECDSA | `ssh-keygen -t ecdsa -b 521 -C "user@email.com"` | • Elliptic curve algorithm with shorter keys than RSA • NIST curves have suspected manipulation concerns; use Ed25519 instead for new deployments. |
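
An added example (not from the original page): a Python check that applies this table's guidance to public-key lines by parsing the OpenSSH wire format of the key blob. The function names, verdict strings and sample keys are constructed for illustration, and each line is assumed to be `type base64 [comment]` with no leading options field.

```python
import base64
import struct

def _s(b):
    """Encode an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    """Encode a positive integer as an SSH mpint (extra byte keeps the sign bit clear)."""
    return _s(x.to_bytes(x.bit_length() // 8 + 1, "big"))

def _read(buf, off):
    """Read one wire-format string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4 : off + 4 + n], off + 4 + n

def classify(line):
    """Return (key_type, bits, verdict) for a 'type base64 [comment]' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    inner, off = _read(blob, 0)
    if inner.decode(errors="replace") != key_type:
        return key_type, None, "reject: type label does not match key blob"
    if key_type.startswith("sk-"):
        return key_type, None, "ok: hardware-backed -sk key"
    if key_type == "ssh-ed25519":
        return key_type, 256, "ok: recommended"
    if key_type == "ssh-rsa":
        _e, off = _read(blob, off)  # public exponent (unused)
        n, off = _read(blob, off)   # modulus; its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
        verdict = "ok: compatibility fallback" if bits >= 4096 else "weak: RSA below 4096 bits"
        return key_type, bits, verdict
    if key_type.startswith("ecdsa-sha2-nistp"):
        return key_type, int(key_type[16:]), "review: NIST curve, prefer Ed25519"
    return key_type, None, "review: not covered by the table"

def sample_line(key_type, body):
    """Build a constructed public-key line; the key material is filler, not a usable key."""
    blob = base64.b64encode(_s(key_type.encode()) + body).decode()
    return f"{key_type} {blob} constructed@example"

SAMPLES = [
    sample_line("ssh-ed25519", _s(bytes(32))),
    sample_line("ssh-rsa", _mpint(65537) + _mpint((1 << 2047) | 1)),
    sample_line("ssh-rsa", _mpint(65537) + _mpint((1 << 4095) | 1)),
    sample_line("ecdsa-sha2-nistp521", _s(b"nistp521") + _s(bytes(133))),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

Feed it the lines of an `authorized_keys` file or a `.pub` file to list keys that fall outside the table's recommendations.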