From the client's point of view, SSH provides two levels of security verification.

The first level (password-based security authentication) allows you to log on to a remote host as long as you know your account and password. All transmitted data will be encrypted, but there is no guarantee that the server you want to connect to is the server you want to connect to. There may be other servers masquerading as real servers, that is, being attacked by "man in the middle".

The second level (key-based security verification) depends on the key, that is, you must create a pair of keys for yourself and put the public key on the server you need to access. If you want to connect to the SSH server, the client software will send a request to the server for security verification with your key. After receiving the request, the server first looks up your public key in the server's home directory, and then compares it with the public key you sent. If the two keys match, the server encrypts the challenge with the public key and sends it to the client software. After receiving the "challenge", the client software can decrypt it with your private key and send it to the server.

In this way, you must know the password of your key. However, compared with the first level, the second level does not need to transmit passwords on the network.

The second level not only encrypts all the transmitted data, but also the "man in the middle" attack mode is impossible (because he doesn't have your private key). However, the whole login process may take 10 seconds.