Unsupported packet 60

Question

Hi, One of our user complains that his private key is not supported. As you suggested here an example of what he needs to use. His Cisco Switch required that. Is this something that we can solve on our side or you have to fix it.

PuTTY-User-Key-File-2: ssh-rsa Encryption: none Comment: test Public-Lines: 4 AAAAB3NzaC1yc2EAAAABJQAAAIEApFdNRbhfhID+5DPGgO1Kc1vAY0idzHqhPnJY /5HTMxw72ZoDuJfdYRFYuy9l1raMUpDe1ZD8pMd019xdgZyslvS/VAo/oDrFZ2Xh pxncDE/Hdqqfjxj3LAk9w5fTz4sWxKY0Fp2Ns5O2LPI9KOtsl4fGnNTS4pew3ou7 i2MTX+k= Private-Lines: 8 AAAAgQCOIf2kFRRW7Bq3hrmEQtibHuuUIyCw2MLOOWG6cEf02iXsoOCfpe/lP29V yCC5sqLfn+NQ7BjF3O9ulRKZnEI7+v6oRoeJVKH/VyIiieukymrWqqha2iDm3kxU iP4NR54BrpdsuN8q4FLWDtst8fjj1IULaOsbhYeQoj3cQcd0LQAAAEEA1TqD1Gpl NQQ/ibuzrGxBbuIXZHz8Rw21G3hKjUqb/CRA/Z/pSsFFg2PWE2YQ90yJr91STg9w Wvi8zWKFnk8VJwAAAEEAxU5dpEiEO+XYn2Z7ffdUVtnXEM/pxbNr/L03TCN0NCPR trUXnQpkfPKPXamq1FhGai91VXOaalNigsF/GLWsbwAAAEEArDuAkDup8vJT/4kW 06UEc1dV5lC4kMQlM9mlYt6Z8QsciAsGIZ2k6K4W1j31kP01kSGQKJDQggBOuRBG l4LKpQ== Private-MAC: 9cfada2f34a383b066187eb19558ad8aca4d48d4

The resulting error result in our application is:

[9/11/2014 2:29:21 PM]ERROR SILENT Rebex.Net.SshException: Unsupported packet 60. at Rebex.Net.SshSession.ZY(String A, String B, SshPrivateKey C, SshGssApiCredentials D) at Rebex.Net.SshSession.Authenticate(String userName, String password, SshPrivateKey privateKey) at Rebex.Net.Ssh.QIB.MCB(String A, String B, SshPrivateKey C, PIB D) at Rebex.Net.Ssh.ZO(String A, String B, SshPrivateKey C, PIB D) at Rebex.Net.Ssh.Login(String userName, String password, SshPrivateKey privateKey) at Devolutions.RemoteDesktopManager.Frames.Embedded.FreEmbeddedSshShell.Connect()

Hope that will help.

Thanks, André

Comments

From the error stack trace, it seems that the private key was successfully loaded and decrypted. However, an error occured while authenticating with this key because the client received an SSH packet it could not handle at the time. This looks like an incompatibility between Rebex and Cisco's SSH libraries.

---

To make it possible to tell what is going on, please create a communication log at the 'Verbose' level (see http://www.rebex.net/kb/logging.aspx for details) and mail it to support@rebex.net for analysis (remove any sensitive information from the log - a private key and its password don't appear in the log, but the password for the authenticating user does (if you use one).

---

According to the log we got by e-mail, it looks like the server is sending a seldom-used SSH_MSG_USERAUTH_PK_OK packet (see https://tools.ietf.org/html/rfc4252#page-9) that we currently don’t handle properly. Fortunately, fixing this is rather simple – we should have a hotfix for this tomorrow. Sorry for inconvenience, and thanks for bringing this issue to our attention.

---

Further analysis revealed that the server should not have been sending the SSH_MSG_USERAUTH_PK_OK packet as a response to SSH_MSG_USERAUTH_REQUEST with public key and signature, so this actually turned out to be a bug in the server. We have added a workaround for it and I sent a link to a hotfix to your e-mail address. It will be included in the next release as well.

Answer 1

This problem was caused by Cisco SSH server that sends SSH_MSG_USERAUTH_PK_OK packet as a response to SSH_MSG_USERAUTH_REQUEST with public key and signature, which is wrong (see RFC 4522).

We added a workaround for this Cisco server bug to Rebex SFTP 2014 R3.