golang1.7.3的ssh调试，支持diffie-hellman-group-exchange-sha1和aes128-cbc的设备

查看设备支持的kex交换算法和加密算法

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none

查看golang支持的算法，在golang.org/x/crypto/common.go,发现默认没指定aes128-cbc

var supportedCiphers = []string{
 "aes128-ctr", "aes192-ctr", "aes256-ctr",
 "[email protected]",
 "arcfour256", "arcfour128",
}

// supportedKexAlgos specifies the supported key-exchange algorithms in
// preference order.
var supportedKexAlgos = []string{
 // P384 and P521 are not constant-time yet, but since we don't
 // reuse ephemeral keys, using them for ECDH should be OK.
 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
 kexAlgoDH14SHA1, kexAlgoDH1SHA1,
}

// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
 CertAlgoECDSA384v01, CertAlgoECDSA521v01,

 KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
 KeyAlgoRSA, KeyAlgoDSA,
}

// supportedMACs specifies a default set of MAC algorithms in preference order.
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
var supportedMACs = []string{
 "hmac-sha1", "hmac-sha1-96",
}

指定aes128-cbc算法，仍然报错ssh: handshake failed: ssh: no common algorithms

Config: Config{
 Ciphers:      []string{"aes128-cbc", "3des-cbc", "des-cbc"},
 MACs:         []string{"hmac-sha1"},
 },

查看代码Unit里面not currently support aes128-cbc，又查看github的issue有人做了PR，所以下载最新版本

Paste_Image.png

下载最新版本crypto后修改supportedCiphers增加默认支持aes128-cbc

var supportedCiphers = []string{
        "aes128-cbc",
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "[email protected]",
        "arcfour256", "arcfour128",
}

golang代理程序测试成功

-bash-4.3$ telnet 127.0.0.1 2322
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
ssh2 proxy
usage:ssh2 ip[:port] user pass>
ssh2 1.1.1.1 aaa aaa

Info: The max number of VTY users is 20, and the number
      of current VTY users on line is 2.
      The current login time is 2017-03-01 21:17:15.
display cur

后续

还有很多问题，代理的空格发送回车，性能测试等。
测试设备实际匹配协议是diffie-hellman-group1-sha1，diffie-hellman-group-exchange-sha1和exchange-sha256两个协议golang crypto并没有支持

client key exchange [[email protected] ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1]
server key exchange [diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1]
match key exchange result diffie-hellman-group1-sha1