[Twisted-Python] Conch/SSH & Cisco IOS

Phil Mayers p.mayers at imperial.ac.uk
Thu Sep 3 18:19:16 EDT 2009

James Y Knight wrote:
>> It seems that the IOS SSH server reacts badly to the following:
>> c: syn
>> s: syn,ack
>> c: ack
>> c: PSH <my version>, <my kex>
>> s: PSH <ios version>
>> <hang>
>> i.e. IOS doesn't like being bombarded with either the version string or
>> KEX before it's sent its own banner.
> I'm surprised to hear that, given that other users have posted  
> programs using conch that run commands against multiple Cisco routers  

Well, it's possible I've mis-diagnosed the problem.

The symptoms are that my Conch SSH client only connects maybe one time 
out of every 20, with a tcpdump showing the above. If I patch conch to 
only send its banner after the cisco, it works fine.

If I get time I'll try to work up a minimal example and test it against 
an older IOS version. Time is not something I have a lot of - this is 
strictly a "nice to have" project.

> -- and apparently those programs worked. Do you have a particularly  
> old IOS? (Or maybe particularly new?)

It's pretty new - 12.2(33)SXI on Cisco 6500/sup720

> But if that's the case, it is clearly a bug in their ssh implementation.


>  From http://www.ietf.org/rfc/rfc4253.txt:
>>    Since the new client MAY immediately send additional data after its
>>    identification string (before receiving the server's identification
>>    string), the old protocol may already be corrupt when the client
>>    learns that the server is old.  When this happens, the client  
>>    close the connection to the server, and reconnect using the old
>>    protocol.
> But anyhow, a patch to add a "broken-server-bug-workaround" option  
> seems reasonable. Once you've reported the bug to Cisco, so they'll  
> fix it at some point, that is.

I'll be honest; I'm unlikely to spend the time to do that. I open about 
10 TAC cases a month for things varying from malloc failures to full-on 
crashes, and I have opened enough to know what their response would be.

*If* I can reproduce a clear regression against a previous software 
version I *might* open a fire&forget TAC case.
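
The banner-first ordering described in the message above (send nothing until the server's identification string has arrived), as an added example that is not part of the original post and is not Conch's code. It uses plain sockets; the stub server, the identification strings and all function names are constructed for illustration.

```python
import select
import socket
import threading

CLIENT_IDENT = b"SSH-2.0-ExampleClient_0.1"  # constructed identification string

def read_ident(sock, max_line=255, max_lines=32):
    """Return the peer's 'SSH-...' line, skipping any text lines sent before it."""
    for _ in range(max_lines):
        line = bytearray()
        while not line.endswith(b"\n"):
            byte = sock.recv(1)  # byte-wise, so no key-exchange data is consumed
            if not byte:
                raise ConnectionError("peer closed before sending its banner")
            line += byte
            if len(line) > max_line:  # defensive bound applied to every line
                raise ValueError("line exceeds 255 bytes")
        if line.startswith(b"SSH-"):
            return bytes(line).rstrip(b"\r\n")
    raise ValueError("no SSH identification string received")

def banner_first_connect(sock, ident=CLIENT_IDENT):
    """Workaround ordering: stay silent until the server's banner has arrived."""
    server_ident = read_ident(sock)
    sock.sendall(ident + b"\r\n")
    return server_ident

def stub_server(sock, result):
    """Constructed stand-in for a server: notes whether the client spoke first."""
    readable, _, _ = select.select([sock], [], [], 0.2)
    result["client_spoke_first"] = bool(readable)
    sock.sendall(b"pre-banner notice\r\nSSH-2.0-StubServer_1.0\r\n")
    result["client_ident"] = read_ident(sock)

def demo():
    """Run client and stub server over a local socket pair; return what each saw."""
    client, server = socket.socketpair()
    result = {}
    worker = threading.Thread(target=stub_server, args=(server, result))
    worker.start()
    result["server_ident"] = banner_first_connect(client)
    worker.join()
    client.close()
    server.close()
    return result

if __name__ == "__main__":
    print(demo())
```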
