How secure is an SSH tunnel or connection?

I'd just like to quote a little from Wikipedia here:

Even if a symmetric cipher is currently unbreakable by exploiting structural weaknesses in its algorithm, it is possible to run through the entire space of keys in what is known as a brute force attack. Since longer symmetric keys require exponentially more work to brute force search, a sufficiently long symmetric key makes this line of attack impractical.

With a key of length n bits, there are 2^n possible keys. This number grows very rapidly as n increases. Moore's law suggests that computing power doubles roughly every 18 to 24 months, but even this doubling effect leaves the larger symmetric key lengths currently considered acceptably well out of reach. The large number of operations (2^128) required to try all possible 128-bit keys is widely considered to be out of reach for conventional digital computing techniques for the foreseeable future. However, alternative forms of computing technology are anticipated which may have superior processing power than classical computers. If a suitably sized quantum computer capable of running Grover's algorithm reliably becomes available, it would reduce a 128-bit key down to 64-bit security, roughly a DES equivalent. This is one of the reasons why AES supports a 256-bit key length. See the discussion on the relationship between key lengths and quantum computing attacks at the bottom of this page for more information.

So a 128-bit key would have 340,282,366,920,938,463,463,374,607,431,768,211,456 possible permutations. Imagine going through all those. Even a powerful desktop computer can only try a few per second.

So although it's theoretically possible to brute-force decrypt an SSH stream, by the time the key has been decrypted by the most powerful computer imaginable two things would have happened:

  1. The key would have been changed by SSH
  2. We would all have died and the sun exploded and destroyed the earth.

<disclaimer: not an expert on cryptography>

SSHv2 uses mostly the same algorithms as TLS/SSL:

  • DH, recently ECDH or RSA for key exchange;
  • RSA, DSA or ECDSA for server authentication (and very often, client authentication).
  • AES for symmetric encryption (the entire data stream is encrypted using a randomly-generated key).

All of them are widely used and proven secure for everyday use.

However, in any protocol, security depends on knowing that you are communicating with the right server. In the case of SSH (standard configuration), the first time you connect to the server you have to verify its fingerprint. (Don't just confirm it without actually checking, as many people do.) The next time, the server's key will be checked against a cached copy to prevent man-in-the-middle attacks – but only if the right key was cached in the first place.

(In comparison, TLS/SSL handles the above by using X.509 certificates issued by well-known authorities which are trusted to not sign bogus certificates.)
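The host-key check the answer above describes (verify the fingerprint on first contact, then compare the presented key against the cached copy in known_hosts) can be illustrated with a small, self-contained script. This is an added example, not code from the answer or from OpenSSH: it parses a constructed known_hosts file, computes the SHA256 fingerprint in the same format `ssh-keygen -l` prints, handles both plain and HashKnownHosts-style (`|1|salt|hmac`) host fields, and reports whether a presented key is a first contact, a match, or a mismatch. The key blob, salt and hostnames are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a server's public key blob (NOT a real key).
# ssh-ed25519 wire format is string(keytype) || string(32 key bytes).
SAMPLE_BLOB = (b"\x00\x00\x00\x0bssh-ed25519"
               + b"\x00\x00\x00\x20" + bytes(range(32)))
SAMPLE_SALT = bytes(range(20))  # constructed 20-byte salt for a hashed entry


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in the format ssh-keygen -l prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field as written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def parse_known_hosts(text: str):
    """Return (host_field, keytype, raw_blob) for each usable line of a known_hosts file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):   # @cert-authority / @revoked markers: not handled here
            continue
        if len(parts) < 3:
            continue
        host_field, keytype, b64 = parts[0], parts[1], parts[2]
        entries.append((host_field, keytype, base64.b64decode(b64)))
    return entries


def host_matches(host_field: str, host: str) -> bool:
    """Match a hostname against a plain (comma-separated) or hashed host field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hashed_hostname(host, salt), host_field)
    return host in host_field.split(",")


def check_host(known_hosts_text: str, host: str, keytype: str, presented_blob: bytes) -> str:
    """FIRST_CONTACT: nothing cached, the fingerprint must be verified out of band.
    MATCH: presented key equals the cached one.  MISMATCH: possible MITM or rekeyed server."""
    cached = [blob for hf, kt, blob in parse_known_hosts(known_hosts_text)
              if kt == keytype and host_matches(hf, host)]
    if not cached:
        return "FIRST_CONTACT"
    if any(hmac.compare_digest(blob, presented_blob) for blob in cached):
        return "MATCH"
    return "MISMATCH"


# Constructed known_hosts content: one plain entry, one hashed entry, same key.
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts for this example",
    "bastion.example.test,10.0.0.5 ssh-ed25519 " + SAMPLE_B64,
    hashed_hostname("hashed.example.test", SAMPLE_SALT) + " ssh-ed25519 " + SAMPLE_B64,
])

if __name__ == "__main__":
    print("server fingerprint:", sha256_fingerprint(SAMPLE_BLOB))
    for host in ("bastion.example.test", "hashed.example.test", "new.example.test"):
        print(host, "->", check_host(KNOWN_HOSTS, host, "ssh-ed25519", SAMPLE_BLOB))
    tampered = SAMPLE_BLOB[:-1] + b"\x00"
    print("bastion.example.test with a different key ->",
          check_host(KNOWN_HOSTS, "bastion.example.test", "ssh-ed25519", tampered))
```

The FIRST_CONTACT result is the point the answer makes: the cache only protects later connections if the fingerprint printed on the first one was actually compared against a value obtained out of band (for example from the server's console or the provisioning system), and a MISMATCH on a host that is already cached is exactly what the client is warning about when it refuses to connect.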