Authentication

 


Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client which authentication methods it supports, such as a signature made with a private key or a typed password. The client then tries to authenticate itself to the server using any of the supported methods.

Since servers can be configured to allow different types of authentication, this method gives each side the optimal amount of control. The server can decide which encryption methods it will support based on its security model, and the client can choose the order of authentication methods to attempt from among the available options. Thanks to the secure nature of the SSH transport layer, even seemingly insecure authentication methods, such as host-based authentication, are safe to use.
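The exchange described above, as an added example that is not part of the original page: it parses the `SSH_MSG_USERAUTH_FAILURE` payload defined in RFC 4252, in which the server lists the methods that can continue, and then walks the client's own preference order against that list. The helper names, the sample payload and the client preference list are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number from RFC 4252, section 5.1

def build_userauth_failure(methods, partial_success=False):
    """Encode the payload a server sends to list methods that can continue."""
    names = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(names)) + names   # name-list: uint32 length + names
            + bytes([1 if partial_success else 0]))   # boolean partial success

def parse_userauth_failure(payload):
    """Return (methods, partial_success); reject malformed payloads."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    raw = payload[5:5 + length].decode("ascii")
    methods = raw.split(",") if raw else []
    return methods, payload[-1] != 0

def next_method(server_methods, client_preference, already_tried):
    """Pick the first client-preferred method the server still accepts."""
    for method in client_preference:
        if method in server_methods and method not in already_tried:
            return method
    return None  # nothing left to try: authentication fails

def negotiate(payload, preference):
    """List the order in which the client would attempt methods."""
    methods, _ = parse_userauth_failure(payload)
    tried = []
    while (m := next_method(methods, preference, tried)) is not None:
        tried.append(m)
    return tried

# Constructed sample: a server that allows public key and password only.
SAMPLE = build_userauth_failure(["publickey", "password"])
# Assumed client policy, in the order the client wants to attempt methods.
CLIENT_PREFERENCE = ["hostbased", "publickey", "password"]

if __name__ == "__main__":
    print(negotiate(SAMPLE, CLIENT_PREFERENCE))
```

The client never attempts `hostbased` here because the server did not list it, which is the server-side half of the control split.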

Most users requiring a secure shell will authenticate using a password. Unlike other security authentication schemes, the password is transmitted to the server in cleartext. However, since the entire password is encrypted when moving over the transport layer, it can be safely sent across any network.


 
