SSH (Secure Shell) is a protocol for logging in to a remote machine and running commands over an encrypted connection. It is the standard way to administer a server you cannot physically touch, and with key-based login it replaces passwords with a key pair that is far harder to guess or steal.
At a glance
What it is
An encrypted remote login and command channel
Why it matters
It is how you run a headless server you never sit in front of
Best practice
Use a key pair, not a password, and disable password login
Default port
Port 22, though it is often changed to cut log noise
Comparison
Password login versus key-based login
Password
Key pair
What you send
A secret you typed, reusable if stolen
A proof you hold the private key, never the key itself
Survives a guessing attack?
Weakly; bots hammer passwords all day
Strongly; a key is far too long to guess
Where the secret lives
In your head, often reused
In a file on your machine, one key per use
What is SSH for?
A server you self-host usually has no screen and no keyboard. You administer it
from somewhere else, and SSH (Secure Shell) is the channel you use: an encrypted
connection that gives you a command line on the remote machine as if you were
sitting at it. Everything you type and everything it sends back is encrypted in
transit, so the connection is safe to make across an untrusted network.
It is the workhorse of remote operations. You install software, read logs,
restart services, and copy files, all through the same encrypted session. If you
run anything headless, you will live in SSH.
Why prefer keys over passwords?
A password is a short secret you reuse, and the open internet is full of bots
that do nothing but try passwords against every server they can find. A key pair
removes that whole attack. You keep a private key on your machine and put the
matching public key on the server; logging in proves you hold the private key
without ever sending it. There is nothing short to guess.
The honest setup is: generate a key pair, install the public half on the server,
then turn password login off entirely. Add a passphrase to the private key so a
stolen laptop is not a stolen server. Changing the default port from 22 cuts the
noise in your logs, which is pleasant, but it is housekeeping, not a lock. The
lock is the key.
Check it yourself
ssh -V
Prints the SSH client version installed. If the command is missing, you have no client yet and need to install one before you can connect anywhere.
Do
Log in with a key pair and disable password login
Protect the private key with a passphrase
Use one key per machine so you can revoke just one
Reach the box over a private network when you can, not the open internet
Don't
Leave password login open to the whole internet
Share one private key across every machine you own
Commit a private key to a repository, ever
Assume changing the port to a non-standard one is real security on its own