Suppose your remote username on shell.isp.com is pat. To connect to your remote account from your friend’s account on local.university.edu, you type:

    $ ssh -l pat shell.isp.com
    pat's password: ******
    Last login: Mon Aug 16 19:32:51 2004 from quondam.nefertiti.org
    You have new mail.
    shell.isp.com>

This leads to the situation shown in Figure 2-1. The ssh command runs a client that contacts the SSH server on shell.isp.com over the Internet, asking to be logged into the remote account with username pat.^[5] You can also provide user@host syntax instead of the -l option to accomplish the same thing:

    $ ssh pat@shell.isp.com

Figure 2-1. Our example scenario

On first contact, SSH establishes a secure channel between the client and the server so that all transmissions between them are encrypted. The client then prompts for your password, which it supplies to the server over the secure channel. The server authenticates you by checking that the password is correct and permits the login. All subsequent client/server exchanges are protected by that secure channel, including everything you type into the SSH application and everything it displays to you from shell.isp.com.

It’s important to remember that the secure channel exists only between the SSH client and server machines. After logging into shell.isp.com via ssh, if you then telnet or ftp to a third machine,