This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSH Capture question


I am currently reviewing some SSH captures for a client. We are trying to validate the SSH version that is in use, Cisco's SSH v1.99 (OpenSSH). I am trying to create a case that outlines that if certain features are in place, then it must be SSH v1.99 (e.g. DH key exchange, DSA auth method, etc.).

One question I do have is within the capture I am noticing under the SSH protocol section there is an indicator or a "Message Code: Public Key (2)". What does that mean?

Any help would be greatly appreciated.

asked 23 Apr '13, 12:16


netwerk


One Answer:


then it must be SSH v1.99

Version 1.99 is defined in RFC 4253. It's a 'flag' that signals compatibility with old SSH protocol versions, meaning that the server is able to speak the ssh-1 and ssh-2 protocols. So, I don't think that version is directly related to DH key exchange and the DSA auth method.

"Message Code: Public Key (2)". What does that mean?

That's defined in the ssh-1 protocol.

http://www.snailbook.com/docs/protocol-1.5.txt

Search for this string: 2 SSH_SMSG_PUBLIC_KEY

It's a packet that contains information about the public key of the server.

Regards
Kurt

answered 24 Apr '13, 15:38


Kurt Knochner ♦
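As an added example (not part of the original post or of Wireshark), here is a small Python sketch of the two checks discussed in the answer: classifying the identification string per RFC 4253 so that a 1.99 banner is flagged as "SSH-1 still offered", and reading the message code of an unencrypted SSH-1 packet using the layout from protocol-1.5. The banner strings and the packet are constructed samples; the SSH-1 CRC field is filled with a placeholder and not verified.

```python
import re
import struct

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?\r?\n$")

def classify_banner(line: bytes) -> dict:
    """Parse one SSH identification line and report what the protoversion implies.

    RFC 4253 section 5.1: '1.99' means the server also accepts SSH-1 clients,
    so an audit should flag it as SSH-1 being offered, not as a distinct version.
    """
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string")
    proto = m.group("proto").decode()
    return {
        "proto": proto,
        "software": m.group("software").decode(),
        "ssh1_offered": proto in ("1.99", "1.5", "1.3"),
        "ssh2_offered": proto in ("1.99", "2.0"),
    }

# SSH-1 message types from protocol-1.5 (only the ones relevant here)
SSH1_MSG_NAMES = {1: "SSH_MSG_DISCONNECT", 2: "SSH_SMSG_PUBLIC_KEY", 3: "SSH_CMSG_SESSION_KEY"}

def build_ssh1_packet(code: int, data: bytes) -> bytes:
    """Construct an unencrypted SSH-1 binary packet (sample data only).

    Layout: uint32 length (covers type + data + crc), 1..8 bytes of padding so
    that padding + length is a multiple of 8, then type byte, data, 4-byte CRC.
    """
    length = 1 + len(data) + 4
    pad = 8 - (length % 8)
    crc_placeholder = b"\x00" * 4  # real SSH-1 uses its own CRC32 variant; not computed here
    return struct.pack(">I", length) + b"\x00" * pad + bytes([code]) + data + crc_placeholder

def ssh1_message_code(packet: bytes) -> tuple:
    """Return (code, name) of the SSH-1 packet, e.g. (2, 'SSH_SMSG_PUBLIC_KEY')."""
    (length,) = struct.unpack(">I", packet[:4])
    pad = 8 - (length % 8)
    body = packet[4 + pad:4 + pad + length]
    if len(body) != length:
        raise ValueError("truncated SSH-1 packet")
    code = body[0]
    return code, SSH1_MSG_NAMES.get(code, f"unknown({code})")

if __name__ == "__main__":
    for banner in (b"SSH-1.99-OpenSSH_3.9\r\n", b"SSH-2.0-OpenSSH_6.2\r\n"):  # constructed
        print(classify_banner(banner))
    print(ssh1_message_code(build_ssh1_packet(2, b"\x00" * 8)))
```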