[Twisted-Python] Conch/SSH & Cisco IOS

Phil Mayers p.mayers at imperial.ac.uk
Fri Sep 4 09:36:44 EDT 2009


James Y Knight wrote:
> On Sep 3, 2009, at 5:38 AM, Phil Mayers wrote:
> 
>> All,
>>
>> I've been having some problems using Conch/SSH to talk to the SSH server
>> on Cisco IOS (specifically the netconf subsystem)
>>
>> It seems that the IOS SSH server reacts badly to the following:
>>
>> c: syn
>> s: syn,ack
>> c: ack
>> c: PSH <my version>, <my kex>
>> s: PSH <ios version>
>> <hang>
>>
>> i.e. IOS doesn't like being bombarded with either the version string or
>> KEX before it's sent its own banner.
> 
> I'm surprised to hear that, given that other users have posted programs
> using conch that run commands against multiple Cisco routers -- and
> apparently those programs worked. Do you have a particularly old IOS?
> (Or maybe particularly new?)

As per my other email, it seems to be limited to the 12.2(33) train on 
the 6500 platform. Later and earlier trains on other platforms don't 
display the issue.

> 
> But if that's the case, it is clearly a bug in their ssh implementation.
> 
> From http://www.ietf.org/rfc/rfc4253.txt:
>>    Since the new client MAY immediately send additional data after its
>>    identification string (before receiving the server's identification
>>    string), the old protocol may already be corrupt when the client
>>    learns that the server is old.  When this happens, the client SHOULD
>>    close the connection to the server, and reconnect using the old
>>    protocol.
> 
> 
> But anyhow, a patch to add a "broken-server-bug-workaround" option seems
> reasonable. Once you've reported the bug to Cisco, so they'll fix it at
> some point, that is.

FWIW I've opened a TAC case with Cisco; we'll see what they say.

I note that OpenSSH seems to wait for the server banner before sending 
the client banner & kex.
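The banner-ordering problem described in this thread, as an added example that is not code from the thread or from Twisted's conch: a small Python model of the RFC 4253 identification exchange, driven against a server that stops processing input if the client's identification string or KEXINIT arrives before the server's own banner, in both the eager ordering shown in the trace above and the wait-for-banner ordering OpenSSH uses. The class and function names and the banner strings are constructed for the example.

```python
CLIENT_ID = b"SSH-2.0-ExampleClient_1.0\r\n"  # constructed sample value
SERVER_ID = b"SSH-2.0-ExampleServer_1.0\r\n"  # constructed sample value
KEXINIT = b"<KEXINIT>"  # stand-in for the binary SSH_MSG_KEXINIT packet


def parse_identification(buf):
    """Return (id_line, rest) once a b"SSH-" line arrives, else (None, buf)."""
    while b"\r\n" in buf:
        line, _, rest = buf.partition(b"\r\n")
        if line.startswith(b"SSH-"):
            return line, rest
        buf = rest  # RFC 4253 4.2 allows other lines before the server's ID
    return None, buf


class StrictServer:
    """Stops processing input if client bytes arrive before its own banner went out."""
    def __init__(self):
        self.sent_banner, self.hung, self.received = False, False, b""

    def start(self):
        self.sent_banner = True
        return SERVER_ID  # banner still goes out, as in the thread's trace

    def data_received(self, data):
        if data and not self.sent_banner:
            self.hung = True  # client spoke first: the reported failure mode
        elif data and not self.hung:
            self.received += data


class SSHClientModel:
    """wait_for_banner: False = send ID+KEXINIT on connect; True = wait for server ID."""
    def __init__(self, wait_for_banner):
        self.wait, self.peer_id, self.buf = wait_for_banner, None, b""

    def connection_made(self):
        return b"" if self.wait else CLIENT_ID + KEXINIT

    def data_received(self, data):
        self.buf += data
        if self.peer_id is None:
            self.peer_id, self.buf = parse_identification(self.buf)
            if self.peer_id is not None and self.wait:
                return CLIENT_ID + KEXINIT
        return b""


def handshake(wait_for_banner):
    """Drive one exchange; return (server_hung, client_got_banner, server_got_kex)."""
    client, server = SSHClientModel(wait_for_banner), StrictServer()
    server.data_received(client.connection_made())  # eager client speaks here
    server.data_received(client.data_received(server.start()))  # banner arrives
    return server.hung, client.peer_id == SERVER_ID.rstrip(), KEXINIT in server.received
```

Only the wait-for-banner client completes the exchange against this server; the eager client still receives the server banner but its KEXINIT is never processed, which matches the hang in the trace.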
