Based on the November 1995 RFC for SSH

Sample SSH 1.5 Initial Network Negotation

1. Client --> Server (CLEARTEXT)

Client initially connects to server on Port 22.

2. Client <-- Server (CLEARTEXT)

Server sends back ID string:

SSH-1.5-1.2.22

This breaks down to: SSH-<protocolmajor>.<protocolminor>-<version>.  Version is not interpreted on client side.

3. Client --> Server (CLEARTEXT)

Client sends its own identification
SSH-1.5-1.2.22

4. Client <-- Server (CLEARTEXT)

 Both sides switch to a packet based binary protocol.



 Packet Format
 
Length Padding Packet Type Data Check Bytes (CRC)
4 bytes 1-8 bytes 1 byte Length - 5 bytes 4 bytes
 Length        
 CRC        
 Encrypted        
 Compressed        
 Length of packet = Packet Type + Data + Check Bytes.  Max Packet Length is 262144 bytes.

CRC Check Bytes is calculated with polynomial 0xEDB88320 of Padding, Packet Type, and Data Fields - computed before any encryption.

Encrypted Portion = Padding + Type + Data + Check

Compressed portion = Type + Data portion.  Packet is compressed before it is encrypted.  Padding is computed from compressed data so packet length to be encrypted = 8 bytes.



 
Packet Type 2 SSH_SMSG_PUBLIC_KEY
Data 8 bytes      anti_spoofing_cookie  
32-bit int   server_key_bits  
mp-int       server_key_public_exponent  
mp-int       server_key_public_modulus  
32-bit int   host_key_bits  
mp-int       host_key_public_exponent  
mp-int       host_key_public_modulus  
32-bit int   protocol_flags  
32-bit int   supported_ciphers_mask  
32-bit int   supported_authentications_mask  
 
Client and server calculate session ID

5. Client --> Server (CLEARTEXT)
 
Packet Type 3 SSH_SMSG_PUBLIC_KEY
Data 1 byte       cipher_type  
8 bytes      anti_spoofing_cookie  
mp-int       double encrypted session key  
32-bit int   protocol_flags 
 
6. Client <-- Server (FROW NOW ON ALWAYS ENCRYPTED)
 
Packet Type 14 SSH_SMSG_SUCCESS 
 
7. Client --> Server
 
Send Client's username to Server.
Packet Type 4 SSM_CMSG_USER 
Data string       username
 
8. Client <-- Server
 
Server returns a success packet, otherwise it will return failure (but keeps listening and responding to messages - so it does not confirm a user's existence).
Packet Type 14 SSH_SMSG_SUCCESS 
 
9. Client --> Server

Client sends one of the following authentication method packets.
 
Packet Type 5 SSH_CMSG_AUTH_RHOSTS
Data string       username
 
Packet Type 6 SSH_CMSG_AUTH_RSA
Data string       username
 
Packet Type 9 SSH_CMSG_AUTH_PASSWORD
Data string       username