Celestial Software

I can't connect to some Cisco switches with SSH2. SSH1 works, a co-worker can get to the same switches with AT using SSH2. Is there some connection debugging I can do in AT?

I can connect once to the switches with SSH2, accept and save the key, but the next connection attempt fails.

[ September 19, 2008, 07:50 AM: Message edited by: Brian T. Pence ]

What version of AT are you using?

6.28
I did some debugging on the Cisco side and it looks like after the Cisco sends it's SSH ID, AT never sends a response with version info.

Can you try the version 7 beta? This sounds familiar.

http://www.celestialsoftware.net/telnet/...teTelnet7.13RC12.exe

I will! I will let you know Monday how it turns out.

Did you ever get a chance to try version 7?

The current beta can be found here:

http://www.celestialsoftware.net/telnet/...teTelnet7.13RC18.exe

LOOOONG time no talk.
SSH2 has been working, and I upgraded my router. I am on 7.21 and now SSHv2 does not work, but it seems to bee just on my router. It appears to work on other devices, Cisco and non-cisco. The same thing is happening as before, it looks like the Cisco router sends it's ssh server string and AT is not responding.

Hello Chris!

Is there any chance I can access this router from the internet? Or, perhaps a different router of the same type that exhibits the same problem? I don't need username/password or anything, just the IP address.

Brian

99.175.228.89
right now it is configured for SSH v2 only.

Chris,

I think I have the answer to this... I believe I'd classify this as a bug in the SSH server implementation, but probably one that can be worked around.

At the beginning of the SSH2 exchange, the client and server exchange a version string. According to RFC4253, an SSH2 server should send (and expect to receive) a carriage return/linefeed pair to define the end of the string. In SSH1, the version string would just be terminated by a linefeed alone.

If Absolute sends a CR/LF pair to terminate the version string (ssh2 behavior). the connection gets nowhere. If I send a single linefeed instead (ssh1 behavior), the connection works fine. This tells me that the server is relying on SSH1 behavior and breaks when held strictly to SSH2 RFC4253 standards.

With this in mind, I modified the AbsoluteTelnet logic a bit. I first watch for the server version string to arrive. I check to see whether the server uses CR/LF or just LF to terminate the version string. Whatever the server uses for the terminator is what Absolute will use when sending its own version string.

This seems to work well for the Cisco and doesn't break compatibility on any other server I've tested.

Give it a try here:

www.celestialsoftware.net/telnet/AbsoluteTelnet7.54RC13.exe


Let me know how it goes!

Brian

Works Like a champ!

My turn:
the SSH server ID on Cisco gear that was working is:
SSH-1.99-Cisco-1.25

The server ID on the ones that did not work:
SSH-2.0-Cisco-1.25

I hope this helps in any future builds.

Once again, AT Is the BEST Telnet, SSH, Direct serial, SFTP client I have ever used!

Great job!

The cisco software version is 1.25 on both. The "1.99" indicates a server running in compatibility mode for both v1 and v2 clients. The "2.0" server is configured only to accept connections from v2 clients.

Funny, though, that the server declares itself as a 2.0 server, but only works with line-termination of SSH1.

I wish I could see the source code.

Grian

the version of IOS I am running on that router is REALLY buggy.
I am willing to bet a nickel's worth of bits that someone typo-ed and did not do very good regression testing.

MMMMM, good QA.

Is it an old version or something fairly recent?

Brian

It was released in Feb. of '09.

I am going to try a new version of older code tonight - I will backrev from 12.4(20)T2 to 12.4(15)T9 from April of '09.

the new IOS is running - you want to give it a try? It is showing "SSH-2.0-Cisco-1.25"

I bet there is no difference.

Seems I can connect now with any version of Absolute.

too funny. or sad. I am not sure.

I expected a little better QA from them.

What do I owe you for the lost bet? :lol: