golang1.7.3的ssh调试,支持diffie-hellman-group-exchange-sha1和aes128-cbc的设备

飞天神猫 · · 1665 次点击 · · 开始浏览    
这是一个创建于 的文章,其中的信息可能已经有所发展或是发生改变。

查看设备支持的kex交换算法和加密算法

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none

查看golang支持的算法,在golang.org/x/crypto/common.go,发现默认没指定aes128-cbc

var supportedCiphers = []string{
 "aes128-ctr", "aes192-ctr", "aes256-ctr",
 "aes128-gcm@openssh.com",
 "arcfour256", "arcfour128",
}

// supportedKexAlgos specifies the supported key-exchange algorithms in
// preference order.
var supportedKexAlgos = []string{
 // P384 and P521 are not constant-time yet, but since we don't
 // reuse ephemeral keys, using them for ECDH should be OK.
 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
 kexAlgoDH14SHA1, kexAlgoDH1SHA1,
}

// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
 CertAlgoECDSA384v01, CertAlgoECDSA521v01,

 KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
 KeyAlgoRSA, KeyAlgoDSA,
}

// supportedMACs specifies a default set of MAC algorithms in preference order.
// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
// because they have reached the end of their useful life.
var supportedMACs = []string{
 "hmac-sha1", "hmac-sha1-96",
}

指定aes128-cbc算法,仍然报错ssh: handshake failed: ssh: no common algorithms

Config: Config{
 Ciphers:      []string{"aes128-cbc", "3des-cbc", "des-cbc"},
 MACs:         []string{"hmac-sha1"},
 },

查看代码Unit里面not currently support aes128-cbc,又查看github的issue有人做了PR,所以下载最新版本


Paste_Image.png

下载最新版本crypto后修改supportedCiphers增加默认支持aes128-cbc

var supportedCiphers = []string{
        "aes128-cbc",
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com",
        "arcfour256", "arcfour128",
}

golang代理程序测试成功

-bash-4.3$ telnet 127.0.0.1 2322
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
ssh2 proxy
usage:ssh2 ip[:port] user pass>
ssh2 1.1.1.1 aaa aaa

Info: The max number of VTY users is 20, and the number
      of current VTY users on line is 2.
      The current login time is 2017-03-01 21:17:15.
<HK-HK-CW-F-1.CN2>display cur

后续

还有很多问题,代理的空格发送回车,性能测试等。
另外sha1已经被破解,但sha256,golang还没有支持。。。。


有疑问加站长微信联系(非本文作者)

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

1665 次点击  
加入收藏 微博
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传