How SSH2 works:
(1) When a TCP connection is made by a client, the server responds with the protocol versions it supports. If the client can match one of the acceptable protocol versions, the connection continues. The server also provides its public host key, which the client can use to check whether this was the intended host.
At this point, both parties negotiate a session key using a version of something called the Diffie-Hellman algorithm. This algorithm (and its variants) make it possible for each party to combine their own private data with public data from the other system to arrive at an identical secret session key.
The session key will be used to encrypt the entire session.
(2) The next stage involves authenticating the user and deciding access. like pw, public-private key pair etc.
So the very important part ( different from TLS/SSL) is:
ssh use D-H to set up the shared session key first, the pw, public-private are for user authentication