[Twisted-Python] Conch/SSH & Cisco IOS
p.mayers at imperial.ac.uk
Thu Sep 3 18:19:16 EDT 2009
James Y Knight wrote:
>> It seems that the IOS SSH server reacts badly to the following:
>> c: syn
>> s: syn,ack
>> c: ack
>> c: PSH <my version>, <my kex>
>> s: PSH <ios version>
>> i.e. IOS doesn't like being bombarded with either the version string
>> KEX before it's sent its own banner.
> I'm surprised to hear that, given that other users have posted
> programs using conch that run commands against multiple Cisco routers
Well, it's possible I've mis-diagnosed the problem.
The symptoms are that my Conch SSH client only connects maybe one time
out of every 20, with a tcpdump showing the above. If I patch conch to
only send its banner after the cisco, it works fine.
If I get time I'll try to work up a minimal example and test it against
an older IOS version. Time is not something I have a lot of - this is
strictly a "nice to have" project.
> -- and apparently those programs worked. Do you have a particularly
> old IOS? (Or maybe particularly new?)
It's pretty new - 12.2(33)SXI on Cisco 6500/sup720
> But if that's the case, it is clearly a bug in their ssh implementation.
> From http://www.ietf.org/rfc/rfc4253.txt:
>> Since the new client MAY immediately send additional data after its
>> identification string (before receiving the server's identification
>> string), the old protocol may already be corrupt when the client
>> learns that the server is old. When this happens, the client
>> close the connection to the server, and reconnect using the old
> But anyhow, a patch to add a "broken-server-bug-workaround" option
> seems reasonable. Once you've reported the bug to Cisco, so they'll
> fix it at some point, that is.
I'll be honest; I'm unlikely to spend the time to do that. I open about
10 TAC cases a month for things varying from malloc failures to full-on
crashes, and I have opened enough to know what their response would be.
*If* I can reproduce a clear regression against a previous software
version I *might* open a fire&forget TAC case.
More information about the Twisted-Python