查看设备支持的kex交换算法和加密算法
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
查看golang支持的算法,在golang.org/x/crypto/common.go,发现默认没指定aes128-cbc
var supportedCiphers = []string{
"aes128-ctr", "aes192-ctr", "aes256-ctr",
"aes128-gcm@openssh.com",
"arcfour256", "arcfour128",
}
// supportedKexAlgos specifies the supported key-exchange algorithms in
// preference order.
var supportedKexAlgos = []string{
// P384 and P521 are not constant-time yet, but since we don't
// reuse ephemeral keys, using them for ECDH should be OK.
kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
kexAlgoDH14SHA1, kexAlgoDH1SHA1,
}
// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
CertAlgoECDSA384v01, CertAlgoECDSA521v01,
KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
KeyAlgoRSA, KeyAlgoDSA,
}
// supportedMACs specifies a default set of MAC algorithms in preference order.
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
var supportedMACs = []string{
"hmac-sha1", "hmac-sha1-96",
}
指定aes128-cbc算法,仍然报错ssh: handshake failed: ssh: no common algorithms
Config: Config{
Ciphers: []string{"aes128-cbc", "3des-cbc", "des-cbc"},
MACs: []string{"hmac-sha1"},
},
查看代码Unit里面not currently support aes128-cbc,又查看github的issue有人做了PR,所以下载最新版本
下载最新版本crypto后修改supportedCiphers增加默认支持aes128-cbc
var supportedCiphers = []string{
"aes128-cbc",
"aes128-ctr", "aes192-ctr", "aes256-ctr",
"aes128-gcm@openssh.com",
"arcfour256", "arcfour128",
}
golang代理程序测试成功
-bash-4.3$ telnet 127.0.0.1 2322
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
ssh2 proxy
usage:ssh2 ip[:port] user pass>
ssh2 1.1.1.1 aaa aaa
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
The current login time is 2017-03-01 21:17:15.
<HK-HK-CW-F-1.CN2>display cur
后续
还有很多问题,代理的空格发送回车,性能测试等。
测试设备实际匹配协议是diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1和exchange-sha256两个协议golang crypto并没有支持
client key exchange [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1]
server key exchange [diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1]
match key exchange result diffie-hellman-group1-sha1