[c-nsp] putty SSH errors on IOS-XR 5.1.1

Lukas Tribus luky-37 at hotmail.com
Fri Aug 14 13:08:49 EDT 2015


>> Full disclosure: this is CSCup31447, IOS XR's ssh server erroneously
>> disconnects the TCP session after sending SSH_MSG_CHANNEL_FAILURE.
>>
>> It's pretty obvious that the SSH server is not supposed to do that, but
>> because it's not explicitly prohibited in the RFC, the developers seem
>> unwilling to fix this (quote "It could be a simple fix from our side [...]
>> but bringing this change will impact the behavior which we exhibited for
>> long years").
>
> You really need to look at 5.3.1 as that fixes a lot of the SSH defects
> that were in 5.1.x. We identified quite a number of defects such as if two people
> were logged in at the same time (eg: rancid, someone else) you would not be
> able to login anymore.

5.2.4 is already in production and fortunately putty has a workaround
for this specific bug (CSCup31447).

That said, after playing some time with IOS XR I'm quite amazed about the
code quality (DEs forget about debugging code that makes it into CCO
release), complete lack of secure file transfer protocols, stupid bugs that
they refuse to fix, etc.

Seems to me like IOS XR really is IOS with a better kernel, proper process
isolation, the "commit" feature and some other minor features, but the
code quality and QA are basically the same as in IOS, DE ignorance also,
and it does introduce a whole lot of major annoyances for the operator.

Yes, IOS-XR is an improvement, but boy, could they have done better ...


Stopping the rant now, I have to go to the meeting [1].

cheers,
lukas



[1] https://honestnetworker.wordpress.com/2015/07/22/at-the-ios-xr-self-help-group/
 		 	   		  

