[SOLVED] ssh client to show server-supported algorithms

Issue

In order to check that all the servers across a fleet aren't supporting deprecated algorithms, I'm (programmatically) doing this:

telnet localhost 22 
Trying 127.0.0.1...
Connected to localhost. 
Escape character is '^]'. 
SSH-2.0-OpenSSH_8.0p1 Ubuntu-6build1
SSH-2.0-Censor-SSH2 
4&m����&F �V��curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1Arsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]�[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1�[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1none,[email protected],[email protected]
Connection closed by foreign host.

Which is supposed to be a list of supported algorithms for the various phases of setting up a connection. (kex, host key, etc). Every time I run, I get a different piece of odd data at the start - always a different length.

There's an nmap plugin - ssh2-enum-algos - which returns the data in it's complete form, but I don't want to run nmap; I have a go program which opens the port, and sends the query, but it gets the same as telnet. What am I missing, and how do I fix it?

For comparison, here's the top few lines from the output of nmap script:

$ nmap --script ssh2-enum-algos super
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-27 22:15 GMT
Nmap scan report for super (192.168.50.1)
Host is up (0.0051s latency).
rDNS record for 192.168.50.1: supermaster
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (12)
|       curve25519-sha256
|       [email protected]
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521

Solution

Opening a tcp connection to port 22, (in golang, with net.Dial) then accepting and sending connection strings leaves us able to Read() from the Reader for the connection. Thence the data is in a standard format described by the RFC. From this, I can list the algorithms supported in each phase of an ssh connection. This is very useful for measuring what is being offered, rather than what the appears to be configured (it's easy to configure sshd to use a different config file).

It's a useful thing to be able to do from a security POV. Tested on every version of ssh I can find from 1.x on a very old solaris or AIX box, to RHEL 8.1.

Answered By - Graham Nicholls

Answer Checked By - Willingham (WPSolving Volunteer)