James Y Knight wrote:
>> It seems that the IOS SSH server reacts badly to the following:
>>
>> c: syn
>> s: syn,ack
>> c: ack
>> c: PSH <my version>, <my kex>
>> s: PSH <ios version>
>> <hang>
>>
>> i.e. IOS doesn't like being bombarded with either the version string
>> or KEX before it's sent its own banner.
>
> I'm surprised to hear that, given that other users have posted
> programs using conch that run commands against multiple Cisco routers

Well, it's possible I've mis-diagnosed the problem. The symptoms are that my Conch SSH client only connects maybe one time out of every 20, with a tcpdump showing the above. If I patch conch to only send its banner after the Cisco, it works fine.

If I get time I'll try to work up a minimal example and test it against an older IOS version. Time is not something I have a lot of - this is strictly a "nice to have" project.

> -- and apparently those programs worked. Do you have a particularly
> old IOS? (Or maybe particularly new?)

It's pretty new - 12.2(33)SXI on Cisco 6500/sup720

> But if that's the case, it is clearly a bug in their ssh implementation.

Probably.

>
> From http://www.ietf.org/rfc/rfc4253.txt:
>> Since the new client MAY immediately send additional data after its
>> identification string (before receiving the server's identification
>> string), the old protocol may already be corrupt when the client
>> learns that the server is old. When this happens, the client SHOULD
>> close the connection to the server, and reconnect using the old
>> protocol.
>
> But anyhow, a patch to add a "broken-server-bug-workaround" option
> seems reasonable. Once you've reported the bug to Cisco, so they'll
> fix it at some point, that is.

I'll be honest; I'm unlikely to spend the time to do that. I open about 10 TAC cases a month for things varying from malloc failures to full-on crashes, and I have opened enough to know what their response would be. *If* I can reproduce a clear regression against a previous software version I *might* open a fire&forget TAC case.
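
The two orderings of the identification-string exchange discussed in this message, as an added example that is not part of the original post and is not Conch code. It uses plain sockets; `read_server_ident`, `exchange_ident`, `demo`, the size limits and the `ExampleServer`/`ExampleClient` strings are all constructed for illustration.

```python
import select
import socket
import threading

def read_server_ident(sock, max_lines=32, max_len=255):
    # RFC 4253 section 4.2: the server may send other lines before its
    # "SSH-" identification string. The limits here are local assumptions.
    for _ in range(max_lines):
        line = bytearray()
        while not line.endswith(b"\n"):
            chunk = sock.recv(1)
            if not chunk:
                raise ConnectionError("closed before identification string")
            line += chunk
            if len(line) > max_len:
                raise ValueError("line too long")
        if line.startswith(b"SSH-"):
            return bytes(line).rstrip(b"\r\n")
    raise ValueError("no identification string received")

def exchange_ident(sock, client_ident, wait_for_server=True):
    if not wait_for_server:
        # Permitted by RFC 4253: the client speaks immediately.
        sock.sendall(client_ident + b"\r\n")
        return read_server_ident(sock)
    # Workaround ordering: stay silent until the server's banner arrives.
    server_ident = read_server_ident(sock)
    sock.sendall(client_ident + b"\r\n")
    return server_ident

def demo(wait_for_server):
    # Constructed peer: notes whether client bytes were already pending
    # before it sent its own banner, then sends a pre-banner line and banner.
    client, server = socket.socketpair()
    seen = {}

    def peer():
        readable, _, _ = select.select([server], [], [], 0.5)
        seen["client_spoke_first"] = bool(readable)
        server.sendall(b"constructed pre-banner line\r\nSSH-2.0-ExampleServer_1.0\r\n")

    thread = threading.Thread(target=peer)
    thread.start()
    try:
        ident = exchange_ident(client, b"SSH-2.0-ExampleClient_0.1", wait_for_server)
    finally:
        thread.join()
        client.close()
        server.close()
    return ident, seen["client_spoke_first"]
```
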