Questions: SSH: Secure Shell and Remote Access

SSH encrypts the entire session — not just the password, but every command, every response, every file transferred, and every byte of data moving through the connection. After the transport layer negotiates encryption during the handshake, all subsequent traffic flows through an encrypted channel. An attacker with packet capture sees only ciphertext. This contrasts sharply with Telnet, which transmitted everything in plaintext. The common misconception (represented by option A) is that SSH only protects the password; in fact, the session channel provides end-to-end encryption for all traffic.

SSH uses a 'trust-on-first-use' (TOFU) model by default, not a certificate authority hierarchy. On first connection, SSH asks you to verify the server's host key fingerprint manually and stores it in `~/.ssh/known_hosts`. On subsequent connections, SSH checks the presented key against the stored copy — a mismatch triggers a warning (possible man-in-the-middle attack). TLS relies on CAs to pre-establish trust through signed certificates. SSH's TOFU model is simpler but shifts responsibility to the user to verify the fingerprint on first contact. Enterprise environments can configure SSH with CAs for automated trust, but TOFU is the default.

Answer: False

This is one of the most common misconceptions about SSH. The encryption established during the transport layer phase covers the entire session — authentication, commands, responses, and all data. The session channel is a continuously encrypted tunnel, not a single-use authentication wrapper. This is precisely why SSH replaced Telnet: Telnet encrypted nothing, while SSH encrypts everything. The only part that might be considered 'outside' the session channel is the initial key exchange negotiation itself, which uses public-key cryptography and does not require prior secrecy.

Answer: True

This is the security advantage of key-based authentication over password authentication. The server knows the client's public key (stored in `~/.ssh/authorized_keys`). During authentication, the server sends a challenge encrypted with the client's public key. Only the holder of the matching private key can decrypt the challenge and produce the correct response. The private key is never transmitted — the server only sees the response. This is why key-based auth is immune to brute-force and password-guessing attacks, and why it is essential for automated systems that cannot type passwords interactively.

For CI/CD pipelines specifically, the use of dedicated deploy keys (key pairs generated for a specific pipeline with minimal permissions) follows the principle of least privilege. If the pipeline is compromised, only that key needs to be revoked. With password authentication, shared credentials would need to be changed everywhere they are used. The combination of network security (key never transmitted), auditability (each key is a distinct identity), and revocability makes key-based auth the default for serious infrastructure automation.