[c-nsp] putty SSH errors on IOS-XR 5.1.1

Jared Mauch jared at puck.Nether.net
Thu Aug 13 09:44:21 EDT 2015


On Thu, Aug 06, 2015 at 11:12:20AM +0200, Lukas Tribus wrote:
> Hi,
> 
> 
> >> Hello,
> >>
> >> I've got a pair of new ASR-9904 routers running IOS-XR 5.1.1
> [...]
> >> When a lot of data is being sent at once from the router to my client,
> >> putty will disconnect and give me the error: "Disconnected: Server
> >> protocol violation: unexpected SSH2_MSG_CHANNEL_FAILURE packet".
> > Hi Vinny,
> >
> > On PuTTY go to:
> >
> > Configuration -> Connection -> SSH -> Bugs
> >
> > And set “Chokes on PuTTY’s SSH-2 ‘winadj’ requests” to On (the default
> > is Auto).
> 
> Full disclosure: this is CSCup31447, IOS XR's ssh server erroneously
> disconnects the TCP session after sending SSH_MSG_CHANNEL_FAILURE.
> 
> > It's pretty obvious that the SSH server is not supposed to do that, but
> > because it's not explicitly prohibited in the RFC, the developers seem
> unwilling to fix this (quote "It could be a simple fix from our side [...]
> but bringing this change will impact the behavior which we exhibited for
> long years").

	You really need to look at 5.3.1 as that fixes a lot of the SSH defects
that were in 5.1.x.  We identified quite a number of defects such as if two people
were logged in at the same time (e.g. rancid, someone else) you would not be
able to login anymore.

	Took Cisco quite some time to address this issue and properly fix it
as they were unable to duplicate it without someone thinking "hey lets log in
multiple times".  Cisco seems to think of a device as a single monolithic
login session without the need for concurrency protection or other
protections or auto-restoration.

	I'm thinking we need a good community test-suite that simulates actual
activities in a device.  After over a decade of asking, Cisco has not tried to
use any "industry standard" tools in its testing, such as RANCID for fetching the
configurations.  SSH for login as another example.

	Paranoia about breaking things when you're not standards compliant is
pure lazy gamesmanship.

	- Jared


-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
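The exchange the thread is talking about, as an added example that is not part of the original posts: PuTTY sends an SSH_MSG_CHANNEL_REQUEST of type winadj@putty.projects.tartarus.org with want_reply set; a server that does not know the request answers SSH_MSG_CHANNEL_FAILURE and keeps the session up, which is the reply PuTTY expects. The code below builds that request in RFC 4254 wire format, simulates a well-behaved server's reply, and classifies a captured reply sequence so that "CHANNEL_FAILURE followed by a TCP close" (the CSCup31447 behaviour described above) is told apart from a compliant server. The server simulation and the classification labels are this example's own; the message numbers and framing are from RFC 4254.

```python
import struct

# Message numbers from RFC 4254 section 9.
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100

# Request type PuTTY sends on a busy channel to measure round-trip time.
WINADJ = b"winadj@putty.projects.tartarus.org"


def _ssh_string(data):
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, offset):
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def build_winadj_request(recipient_channel):
    """SSH_MSG_CHANNEL_REQUEST payload as PuTTY sends it (want_reply = TRUE)."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", recipient_channel)
            + _ssh_string(WINADJ)
            + b"\x01")


def parse_channel_request(payload):
    """Decode a CHANNEL_REQUEST into (recipient_channel, request_type, want_reply)."""
    if payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a CHANNEL_REQUEST")
    (chan,) = struct.unpack_from(">I", payload, 1)
    req_type, off = _read_ssh_string(payload, 5)
    return chan, req_type, payload[off] != 0


def server_reply(request_payload, known_requests=(b"pty-req", b"shell", b"exec")):
    """Simulated well-behaved server (example code, not any vendor's implementation).

    RFC 4254 section 5.4: an unrecognised request type gets CHANNEL_FAILURE when
    want_reply is set and no reply otherwise; the session stays open either way.
    A real server puts the client's channel number in the reply; the simulation
    reuses the number from the request.
    """
    chan, req_type, want_reply = parse_channel_request(request_payload)
    if not want_reply:
        return None
    msg = SSH_MSG_CHANNEL_SUCCESS if req_type in known_requests else SSH_MSG_CHANNEL_FAILURE
    return bytes([msg]) + struct.pack(">I", chan)


def parse_reply(payload):
    """Decode CHANNEL_SUCCESS / CHANNEL_FAILURE into (msg_number, recipient_channel)."""
    if payload[0] not in (SSH_MSG_CHANNEL_SUCCESS, SSH_MSG_CHANNEL_FAILURE):
        raise ValueError("not a channel request reply")
    (chan,) = struct.unpack_from(">I", payload, 1)
    return payload[0], chan


def classify_exchange(server_payloads, connection_closed):
    """Classify what a server did after the client sent winadj.

    server_payloads: decrypted payloads received after the request (constructed
    or captured); connection_closed: whether the TCP session went away after them.
    Labels are this example's own.
    """
    replies = [parse_reply(p) for p in server_payloads
               if p and p[0] in (SSH_MSG_CHANNEL_SUCCESS, SSH_MSG_CHANNEL_FAILURE)]
    if not replies:
        return "no-reply"
    msg, _ = replies[0]
    if msg == SSH_MSG_CHANNEL_SUCCESS:
        return "unexpected-success"
    # CHANNEL_FAILURE is what PuTTY expects; tearing the session down after
    # sending it is the behaviour the thread attributes to CSCup31447.
    return "failure-then-disconnect" if connection_closed else "compliant"


if __name__ == "__main__":
    req = build_winadj_request(0)
    reply = server_reply(req)
    print("client ->", req.hex())
    print("server ->", reply.hex())
    print("session kept open:", classify_exchange([reply], connection_closed=False))
    print("session dropped:  ", classify_exchange([reply], connection_closed=True))
```

To probe a real device you would send the payload from build_winadj_request over an established session channel with whatever SSH library you use and feed the replies (and whether the transport is still up afterwards) to classify_exchange; the PuTTY bug-compatibility option mentioned above simply stops the request from being sent in the first place.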

