github.com/golang/crypto is vulnerable to man-in-the-middle (MitM) attacks. A nil HostKeyCallback is currently interpreted as accepting any host key. A MitM server can allow the login to succeed and get the agent to authenticate to the actual server.
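
One way to find affected call sites, as an added example that is not part of the original advisory or the project's own code: a Go source check that flags `ssh.ClientConfig` literals whose `HostKeyCallback` is missing or nil. `FindUnverifiedConfigs` and the sample source are constructed for illustration, and the check assumes the package is imported under the name `ssh`.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample: callback missing, callback nil, and a pinned host key.
const sample = `package client
import "golang.org/x/crypto/ssh"
var missing = &ssh.ClientConfig{User: "deploy"}
var explicit = ssh.ClientConfig{User: "deploy", HostKeyCallback: nil}
var pinned = &ssh.ClientConfig{User: "deploy", HostKeyCallback: ssh.FixedHostKey(hostKey)}
`

// FindUnverifiedConfigs (hypothetical helper) returns "line: reason" per unsafe literal.
func FindUnverifiedConfigs(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		lit, ok := n.(*ast.CompositeLit)
		if !ok || types.ExprString(lit.Type) != "ssh.ClientConfig" {
			return true
		}
		reason := "HostKeyCallback not set" // default until the field is seen
		for _, elt := range lit.Elts {
			if kv, ok := elt.(*ast.KeyValueExpr); ok && types.ExprString(kv.Key) == "HostKeyCallback" {
				reason = ""
				if types.ExprString(kv.Value) == "nil" {
					reason = "HostKeyCallback is nil"
				}
			}
		}
		if reason != "" {
			findings = append(findings, fmt.Sprintf("%d: %s", fset.Position(lit.Pos()).Line, reason))
		}
		return true
	})
	return findings, nil
}

func main() {
	fmt.Println(FindUnverifiedConfigs(sample))
}
```

The check only inspects struct literals, so a config whose `HostKeyCallback` is assigned in a later statement is still reported and needs manual review.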