
I am doing Unix server SSH emulation for iOS. In the process of negotiation I have met many hurdles and I am still fighting with them. One of the latest is about the SSH2_MSG_KEX_DH_GEX_REPLY packet data, where I receive the wrong packet length (maybe extraneous padding). The packet description for the overall process is as below:

Client : connection to aix.polarhome.com on port 775 (changed port for SSH) using GCDAsyncSocket
Server : SSH-2.0-OpenSSH_6.0
Client : send SSH-2.0-OpenSSH_6.0

(The rest of the packets follow the Binary Packet Protocol)
Server : SSH2_MSG_KEXINIT with set of supported algorithms
Client : SSH2_MSG_KEXINIT with set of common algorithms 

Client : SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
         code:
    SignedByte sendByte[1920];
    int writeIndex = 0;

    // Group size bounds. Only the preferred size is carried by the _OLD request
    // (RFC 4419), so minGroupLength and maxGroupLength are not written into it.
    minGroupLength = 1024;
    prefGroupLength = 1024;
    maxGroupLength = 4096;

    // Payload: byte SSH2_MSG_KEX_DH_GEX_REQUEST_OLD, uint32 n (preferred group size in bits)
    sendByte[writeIndex++] = SSH2_MSG_KEX_DH_GEX_REQUEST_OLD;

    [self write32BitInteger:prefGroupLength toPacket:sendByte fromIndex:writeIndex];
    writeIndex += 4;

    // Wrap the payload in binary-packet framing and send it.
    [self sendSSHBinaryPacketPayload:sendByte toLength:writeIndex];
    writeIndex = 0;

Server : SSH2_MSG_KEX_DH_GEX_GROUP

client -> fetch values of p and g 
         compute value of e (1 < e < (p-1)/2)

Client : SSH2_MSG_KEX_DH_GEX_INIT
         Code
    SignedByte sendByte[1920];
    int writeIndex = 0;

    // Upper bound on the size of e in bytes: hex digits of its textual form / 2.
    // The actual byte count comes back from getBytes:fromBigInteger: below.
    NSInteger eByteCount = [[e description] stringByReplacingOccurrencesOfString:@" " withString:@""].length / 2;

    Byte eBytes[eByteCount];
    NSInteger length = [self getBytes:eBytes fromBigInteger:e];

    // mpint rule (RFC 4253 section 5): if the high bit of the first byte is set,
    // a leading 0x00 byte must be added, or the server reads e as a negative number.
    int needsLeadingZero = (length > 0 && (eBytes[0] & 0x80)) ? 1 : 0;

    // Payload: byte SSH2_MSG_KEX_DH_GEX_INIT, mpint e
    sendByte[writeIndex++] = SSH2_MSG_KEX_DH_GEX_INIT;

    // The length prefix must count the bytes actually written, including the leading zero.
    [self write32BitInteger:(length + needsLeadingZero) toPacket:sendByte fromIndex:writeIndex];
    writeIndex += 4;

    if (needsLeadingZero) {
        sendByte[writeIndex++] = 0;
    }
    for (int i = 0; i < length; i++) {
        sendByte[writeIndex++] = eBytes[i];
    }

    [self sendSSHBinaryPacketPayload:sendByte toLength:writeIndex];
    writeIndex = 0;

Server : SSH2_MSG_KEX_DH_GEX_REPLY
Total length: 720
Packet length (4 bytes): 00 00 02 bc (700, which should be 720 - 4 = 716). I don't know why this is 700.

client -> read host key and verify it
         read value of f
         read signature and verify it

Client : SSH2_MSG_NEWKEYS

Now, after I send the last packet, the server mocks me and returns no data in reply to SSH2_MSG_NEWKEYS.

I looked into the code of other SSH emulators, but none of them helped. I am totally clueless. What do I need to do? Please do help, I am really frustrated.


1 Answer


Per @revinder in a comment:

I solved it on my own: the server was sending the two packets merged into one, the SSH2_MSG_KEX_DH_GEX_REPLY and the SSH2_MSG_NEWKEYS.

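The framing issue in the question (a 720-byte read whose first packet_length field says 700) and the explanation in the answer (two SSH packets in one TCP read) as an added example. This is not code from the question or the answer; it is written in plain C so it can be used from an Objective-C client, and it covers the general case rather than only this one read: it encodes a big integer as an SSH mpint (RFC 4253 section 5, the rule the GEX_INIT code has to follow for e), wraps a payload in unencrypted binary-packet framing (RFC 4253 section 6), and splits a received buffer into whole packets, leaving a trailing partial packet for the next read. The helper names, the filler GEX_REPLY payload and the sample bytes are constructed for this example and are not from the original post.

```c
/* Added example, not from the question or answer. Helper names, the filler payload
 * and the sample bytes are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH2_MSG_NEWKEYS          21
#define SSH2_MSG_KEX_DH_GEX_INIT  32
#define SSH2_MSG_KEX_DH_GEX_REPLY 33

/* Big-endian uint32 helpers. */
static void put_u32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *in) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) | ((uint32_t)in[2] << 8) | in[3];
}

/* Encode an unsigned big-endian magnitude as an SSH mpint: drop leading zero bytes,
 * then prepend 0x00 if the top bit is set so the value is not read as negative.
 * Returns the number of bytes written to out, including the 4-byte length prefix. */
size_t ssh_put_mpint(uint8_t *out, const uint8_t *mag, size_t len) {
    while (len > 0 && mag[0] == 0) { mag++; len--; }
    size_t pad = (len > 0 && (mag[0] & 0x80)) ? 1 : 0;
    put_u32(out, (uint32_t)(len + pad));
    if (pad) out[4] = 0x00;
    memcpy(out + 4 + pad, mag, len);
    return 4 + pad + len;
}

/* Wrap a payload in an unencrypted binary packet: uint32 packet_length, byte padding_length,
 * payload, padding (at least 4 bytes; total a multiple of the 8-byte block size used before
 * NEWKEYS). Padding is zero-filled here for determinism; a real client must use random bytes. */
size_t ssh_frame_payload(uint8_t *out, const uint8_t *payload, size_t plen) {
    const size_t block = 8;
    size_t padlen = block - ((4 + 1 + plen) % block);
    if (padlen < 4) padlen += block;
    put_u32(out, (uint32_t)(1 + plen + padlen));
    out[4] = (uint8_t)padlen;
    memcpy(out + 5, payload, plen);
    memset(out + 5 + plen, 0, padlen);
    return 4 + 1 + plen + padlen;
}

/* Split one socket read into SSH packets. Stores the message type (first payload byte) of
 * each complete packet in msg_types and returns how many were found. A packet whose length
 * field runs past the buffer is left for the next read. Returns -1 on a malformed packet.
 * Valid for the unencrypted packets before NEWKEYS; afterwards the length field is only
 * readable once the first cipher block has been decrypted. */
int ssh_split_packets(const uint8_t *buf, size_t n, uint8_t *msg_types, int max) {
    int count = 0;
    size_t off = 0;
    while (off + 4 <= n && count < max) {
        uint32_t plen = get_u32(buf + off);
        if (plen < 5 || plen > 35000) return -1;   /* RFC 4253 6.1: too small / too large */
        if (off + 4 + plen > n) break;             /* partial packet: wait for more bytes */
        uint8_t padlen = buf[off + 4];
        if ((size_t)padlen + 1 >= plen) return -1; /* padding leaves no room for a payload */
        msg_types[count++] = buf[off + 5];
        off += 4 + plen;
    }
    return count;
}

/* Reproduce the read from the question: a GEX_REPLY with packet_length 700 followed by a
 * NEWKEYS packet, delivered in one 720-byte read. The 695-byte GEX_REPLY payload is filler,
 * since only the framing matters here. Returns the packet count, total bytes via *total. */
int example_merged_reply(uint8_t types[2], size_t *total) {
    static uint8_t reply_payload[695];
    uint8_t newkeys_payload[1] = { SSH2_MSG_NEWKEYS };
    uint8_t buf[1024];
    memset(reply_payload, 0xAA, sizeof reply_payload);
    reply_payload[0] = SSH2_MSG_KEX_DH_GEX_REPLY;
    size_t n = ssh_frame_payload(buf, reply_payload, sizeof reply_payload); /* 704 bytes */
    n += ssh_frame_payload(buf + n, newkeys_payload, 1);                     /* + 16 bytes */
    *total = n;
    return ssh_split_packets(buf, n, types, 2);
}

int main(void) {
    uint8_t types[2];
    size_t total = 0;
    int count = example_merged_reply(types, &total);
    printf("%zu bytes read, %d packets: types %u and %u\n", total, count, types[0], types[1]);
    return 0;
}
```

The split shows where the missing 16 bytes went: 4 + 700 bytes of GEX_REPLY, then a 16-byte NEWKEYS packet (4-byte length, 1-byte padding length, 1-byte message type, 10 bytes of padding to reach the 8-byte block size). A reader loop that consumes exactly packet_length + 4 bytes per packet, and keeps any remainder for the next read, handles both this case and a packet that arrives split across two reads.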