Hi Everybody,
I'm trying to understand more about how SSH works. I'm using Wireshark to grab the packets going between my machines (OpenSSH running on both ends). I'm stuck at the Diffie-Hellman Group Exchange Reply packet. There seems to be a length (4 bytes) and a value (1 byte) not accounted for or not described by RFC 4419, just after the encryption algorithm name. The RFC says that the first chunk of data sent in this packet will be the server's public key and certificates, but I don't know where to look for certificate formats to try and decode this data.
Here is the packet received from the server (TCP, IP, and Ethernet packet information not included). I've spread it out for readability. I've also indicated values and field purposes as I understand them. The 'host key', 'f', and 'hash signature' are indicated to be in these positions by RFC 4419. The line marked with a "->" has the data that is confusing me. I can't see anything that the value 0x23 (35) would correlate to.
Packet Length: 444
Padding Length: 10
Key Exchange Msg code: Diffie-Hellman GEX Reply (33)
Payload:
  00000095                                     Value = 149 bytes
  00000007 7373682d727361                      Value = 7 bytes ; "ssh-rsa"
->00000001 23                                  Value = 1 byte ; 35
  00000081 00dca412f58b8d7bea991901652857b3    Value = 129 bytes ; host key
  ... ... Total of 129 bytes ...
  00000080 420b85197d902a986c7c67b2c4f72336    Value = 128 bytes ; f
  ... ... Total of 128 bytes ...
  0000008f                                     Value = 143 bytes
  00000007 7373682d727361                      Value = 7 bytes ; "ssh-rsa"
  00000080 0c9f8b1a7f59c25f279fcc8199ea1ffe    Value = 128 bytes ; hash signature
  ... ... Total of 128 bytes ...
Padding String:
MAC String:
I've read through RFCs 4250-4254 and 4419 to try to find some clue for this code 0x23, but I have been unsuccessful so far. It is entirely possible that I missed an explanation in the RFCs, so feel free to point one out to me if that's the case. Any hints or explanation will be helpful.
Thank You
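For reference when reading the dump above: RFC 4419 section 3 lays out SSH_MSG_KEX_DH_GEX_REPLY as string K_S (the server host key blob), mpint f and string signature-of-H, and RFC 4253 section 6.6 defines the "ssh-rsa" host key blob as string "ssh-rsa", mpint e, mpint n, and the "ssh-rsa" signature blob as string "ssh-rsa" followed by string rsa_signature_blob. Because an mpint is a two's-complement big-endian integer, a small public exponent such as 35 is encoded as a 1-byte string and a 1024-bit modulus whose top bit is set gets a leading 0x00, so it is sent as 129 bytes. The decoder below is an added example, not code from the post or from OpenSSH. It builds a constructed packet with the same field lengths as the captured one (packet length 444, padding 10, e = 35, a 1024-bit modulus, 128-byte f and signature); the bytes of n, f and the signature beyond the first ones shown in the post are filler, and the padding is constant rather than the random bytes a real implementation sends.

```python
"""Decode an SSH binary packet carrying SSH_MSG_KEX_DH_GEX_REPLY (RFC 4419 section 3)
and the "ssh-rsa" host key and signature blobs inside it (RFC 4253 section 6.6).
Added example: the packet is constructed here, it is not the capture from the post."""
import struct

SSH_MSG_KEX_DH_GEX_REPLY = 33

# Constructed sample values. Only the leading bytes match the post; the rest is filler.
N_MAG = bytes.fromhex("dca412f58b8d7bea991901652857b3") + b"\x11" * 113   # 128-byte modulus
F_MAG = bytes.fromhex("420b85197d902a986c7c67b2c4f72336") + b"\x22" * 112  # 128-byte f
SIG_BLOB = bytes.fromhex("0c9f8b1a7f59c25f279fcc8199ea1ffe") + b"\x33" * 112  # 128-byte RSA signature


def ssh_string(b: bytes) -> bytes:
    """RFC 4253 section 5 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4253 section 5 'mpint' for non-negative n: big-endian two's complement,
    so a value whose top bit is set gets a leading 0x00 (129 bytes for a 1024-bit n)."""
    if n < 0:
        raise ValueError("negative mpints are not needed here")
    if n == 0:
        return ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


class Reader:
    """Sequential reader for the SSH wire types, with bounds checks on every read."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self.take(1)[0]

    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.uint32())

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big", signed=True)


def parse_packet(raw: bytes) -> bytes:
    """Strip the RFC 4253 section 6 framing (uint32 packet_length, byte padding_length,
    payload, padding). No MAC yet: this message precedes SSH_MSG_NEWKEYS."""
    r = Reader(raw)
    packet_length = r.uint32()
    padding_length = r.byte()
    if packet_length < padding_length + 1:
        raise ValueError("packet_length smaller than padding_length + 1")
    payload = r.take(packet_length - padding_length - 1)
    r.take(padding_length)
    return payload


def parse_gex_reply(payload: bytes) -> dict:
    """Split KEX_DH_GEX_REPLY into K_S, f and the signature, then open the blobs."""
    r = Reader(payload)
    if r.byte() != SSH_MSG_KEX_DH_GEX_REPLY:
        raise ValueError("not a KEX_DH_GEX_REPLY")
    k_s = r.string()            # K_S: the whole host key blob (149 bytes in the post)
    f = r.mpint()               # server DH exponential
    sig = r.string()            # signature over the exchange hash H
    kr = Reader(k_s)
    key = {"type": kr.string()}
    if key["type"] == b"ssh-rsa":
        key["e"] = kr.mpint()   # public exponent: the "00000001 23" bytes from the post
        key["n"] = kr.mpint()   # modulus: the 129-byte mpint with its leading 0x00
    sr = Reader(sig)
    sig_type, sig_blob = sr.string(), sr.string()
    return {"host_key_blob": k_s, "host_key": key, "f": f,
            "sig_type": sig_type, "sig_blob": sig_blob}


def build_sample_packet() -> bytes:
    """Constructed packet with the same layout and lengths as the one in the post."""
    host_key_blob = (ssh_string(b"ssh-rsa") + ssh_mpint(35)
                     + ssh_mpint(int.from_bytes(N_MAG, "big")))
    payload = (bytes([SSH_MSG_KEX_DH_GEX_REPLY]) + ssh_string(host_key_blob)
               + ssh_mpint(int.from_bytes(F_MAG, "big"))
               + ssh_string(ssh_string(b"ssh-rsa") + ssh_string(SIG_BLOB)))
    padding = b"\x00" * 10      # constant for illustration; real padding is random
    packet_length = 1 + len(payload) + len(padding)
    return struct.pack(">IB", packet_length, len(padding)) + payload + padding


if __name__ == "__main__":
    info = parse_gex_reply(parse_packet(build_sample_packet()))
    print("key type:", info["host_key"]["type"], "e =", info["host_key"]["e"],
          "n bits =", info["host_key"]["n"].bit_length(),
          "| sig type:", info["sig_type"], "sig bytes =", len(info["sig_blob"]))
```

Running the module prints the decoded fields; the reader bounds checks mean a truncated packet raises ValueError instead of silently yielding a short key or signature, which is the behaviour you want in anything that later verifies the signature of H against K_S.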