Port 22 (SSH)
Also known as: SSH, Secure Shell, Port 22
Port 22 is the default TCP port for SSH (Secure Shell), an encrypted protocol for remote administration, secure file transfer (SFTP), and tunneled connections. SSH replaces unencrypted alternatives like Telnet (port 23), rlogin, and rsh.
Port 22 is the default TCP port for SSH (Secure Shell), an encrypted network protocol for secure remote administration, secure file transfer (SFTP, SCP), and tunneled connections. SSH replaces unencrypted predecessors like Telnet (port 23), rlogin, and rsh, all of which sent credentials and session data in cleartext.
What SSH does
SSH provides three core capabilities:
- Remote shell access: log into a remote machine and run commands as if you were sitting at its console. The most common use case.
- Secure file transfer: SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) move files over the same encrypted channel.
- Port tunneling: forward arbitrary TCP traffic through the SSH connection. Used for accessing internal services without exposing them publicly, or for jumping through bastion hosts.
All three are protected by SSH's authentication and encryption. The protocol uses asymmetric cryptography for the initial handshake and symmetric encryption for the bulk session traffic.
Authentication methods
SSH supports several authentication methods, ranked here from weakest to strongest:
- Password: weakest. Vulnerable to brute force. Should be disabled on internet-facing servers.
- Public key: stronger. The user's private key is on the client; the public key is in the server's ~/.ssh/authorized_keys. The private key never leaves the client.
- Certificate-based: strongest. Public keys are signed by a trusted CA. Eliminates the need to manage authorized_keys files across thousands of servers. AWS Systems Manager Session Manager and the HashiCorp Vault SSH backend implement this pattern.
- Hardware-key-backed: the private key lives in a YubiKey or Secure Enclave. Even if the client is compromised, the key cannot be extracted.
Port 22 exam topics
- CompTIA Network+: TCP/IP fundamentals, common port numbers (SSH 22, Telnet 23, HTTP 80, HTTPS 443, RDP 3389), the difference between Telnet and SSH.
- CompTIA Security+: SSH key management, jump hosts/bastion hosts, SSH agent forwarding, SCP vs SFTP.
- CCNA: SSH access to Cisco devices, the ip ssh version 2 config, SSH vs Telnet on routers and switches.
- AZ-104 / AWS SAA: Azure Bastion (replaces traditional jump hosts), AWS Systems Manager Session Manager (SSH-less alternative for EC2), security group rules for port 22.
Common SSH misconfigurations
- Permitting root login: root SSH access should be disabled (PermitRootLogin no). Use a regular user with sudo.
- Allowing password authentication on internet-facing servers: set PasswordAuthentication no and require key-based auth.
- No fail2ban or rate limiting: SSH is constantly scanned. fail2ban or cloud-native rate limiting (AWS Network Firewall, Azure NSG rate-limit rules) is essential.
- Default port 22 exposed publicly: changing the listening port to a high random number is "security through obscurity" but reduces background scan noise. Combine with key-based auth.
- Sharing private keys: every user should have their own key pair. Sharing private keys destroys the audit trail.
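The two sshd_config directives above can be checked mechanically. The following Python audit is an added example, not code from the original page or from OpenSSH; it assumes the config is passed in as a string, honours sshd's rule that the first occurrence of a keyword wins, and skips directives under a Match block because they apply conditionally. The sample configs are constructed.

```python
import re

# Keyword -> (acceptable values, finding text). sshd keywords are case-insensitive.
CHECKS = {
    "permitrootlogin": ({"no"}, "root SSH login permitted; set PermitRootLogin no"),
    "passwordauthentication": ({"no"}, "password auth enabled; set PasswordAuthentication no"),
}
# What sshd assumes when a directive is absent (OpenSSH 7.0+ defaults).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_settings(config_text: str) -> dict:
    """Global effective value of each checked keyword: first occurrence wins,
    directives under a Match block are conditional and therefore skipped."""
    seen = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True   # everything that follows is conditional
            continue
        if in_match or key not in CHECKS or key in seen:
            continue
        seen[key] = value
    return {k: seen.get(k, DEFAULTS[k]) for k in CHECKS}

def audit(config_text: str) -> list:
    """Return finding strings; an empty list means both checks pass."""
    settings = effective_settings(config_text)
    return [msg for key, (ok, msg) in CHECKS.items() if settings[key] not in ok]

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: the first occurrence above wins
PasswordAuthentication no
"""
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
```

On a live host, feed it the output of `sshd -T` rather than the raw file, since that already resolves includes and defaults.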
SSH in cloud environments
Modern cloud security increasingly avoids exposing SSH directly:
- AWS Systems Manager Session Manager: browser-based or AWS CLI shell access without opening port 22 or managing keys. Sessions are logged to CloudWatch and CloudTrail.
- Azure Bastion: managed jump host service. Users connect through the Azure portal; backend VMs never expose port 22 publicly.
- GCP Identity-Aware Proxy: TCP forwarding through Google's edge, authenticated with Google identity rather than SSH keys alone.
These services typically replace the need for traditional bastion hosts and direct port 22 exposure.