Cisco IOS-XR
Cisco IOS-XR is a Linux-based router operating system. To scan a Linux system, Sandfly requires the ability to ssh to a host, be given an sh-type shell immediately at login, and be able to use sudo to run commands with elevated privileges.
Setup
IOS-XR does run an SSH server, but there is no apparent supported way to ensure a user is given a shell prompt (not the IOS CLI) at login. A shell is accessible from the run bash IOS command, but because of the way Sandfly runs commands over SSH command channels, this does not meet our requirement of being given a shell immediately at login.
However, IOS-XR currently ships with a service that runs an additional SSH server, on a different port, that does drop users directly into a shell. To scan an IOS-XR device with Sandfly, you must enable this additional SSH server and create a Sandfly user.
Caveats
Users must weigh the trade-off between enabling this additional service, and the additional risk it may pose to the router, against the benefits of scanning the device with Sandfly. Sandfly is unaware of the intended purpose of the additional SSH service, and Sandfly does not expect this use to be an activity supported by Cisco.
The additional SSH service has two restrictions:
- In our testing, we have found that it is only accessible from the local subnet in which the router's management IP address resides. If your Sandfly Node with the default "main" queue is in a different subnet, you will need to run a Node with a different named queue in the same subnet as your router's management IP address.
- Enabling the service does not persist across reboots. If the router reboots, you will need to start the additional SSH service again.
Given these limitations and the potentially unsupported nature of this approach, users may consider enabling the SSH service only temporarily, for occasional manual scans to establish baseline findings and for incident response activities, until or unless Cisco provides guidance on a supported method of providing direct shell access via SSH.
SSH Service Activation
To activate the additional SSH service, which listens on port 57722, run the following command from the IOS CLI:
run service sshd_operns start
You may now SSH to the router, from the same subnet as the management IP address, on port 57722, and will be dropped to the bash shell instead of the IOS CLI.
The service must be started each time the router reboots.
IMPORTANT: The additional SSH service does not persist across reboots
If the router reboots, the additional SSH service will need to be started again for Sandfly scans to continue. Therefore, users may consider enabling the SSH service only temporarily, for occasional manual scans to establish baseline findings and for incident response (IR) activities.
User Setup
Create a sandfly user from configuration mode:
RP/0/RP0/CPU0:cisco-iosxrv-01(config)# username sandfly
RP/0/RP0/CPU0:cisco-iosxrv-01(config-un)# password EnterSecurePasswordHere
Commit the config to create the user.
Sandfly strongly recommends SSH keys for authentication to minimize the risk of attackers stealing credentials. Consult Cisco documentation for enabling SSH public key authentication in IOS-XR; doing so is outside the scope of these brief instructions.
Finally, give the user sudo permissions:
RP/0/RP0/CPU0:cisco-iosxrv-01# run echo "sandfly ALL=(ALL) ALL" > /etc/sudoers.d/sandfly
At this point, the user named "sandfly" is able to SSH to the router on port 57722 from the same subnet as the router's management IP, will be given a shell prompt, and is able to use sudo.
Sandfly Setup
Add the router to Sandfly using the normal add host process, remembering that the SSH port is 57722, and you must select a queue name that corresponds to a Sandfly Node in the same local subnet as the router's management IP address that you are SSHing to.
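The two things that most often break this setup are the subnet restriction on port 57722 and the service not having been restarted after a reboot. The following pre-flight script is an added example written for this page, not Sandfly's own tooling: it checks whether a Node address shares the router's management subnet, and optionally probes the router to confirm that a login as "sandfly" on port 57722 lands in an sh-type shell and that sudo accepts the user. The Node IP, router management IP, prefix length, key file and the SANDFLY_PASS variable are assumed inputs, not values from the page.

```sh
#!/bin/sh
# Pre-flight check for Sandfly scanning of an IOS-XR router through the
# port-57722 sshd_operns service. Added example, not Sandfly's own tooling.
# Assumed inputs (not from the page): the scanning Node's IP, the router's
# management IP and prefix length, and optionally an SSH key file plus the
# sandfly user's password in SANDFLY_PASS for the sudo check.

# ip4_to_int DOTTED_QUAD: print the address as a 32-bit integer.
ip4_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into $1..$4
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet NODE_IP ROUTER_IP PREFIXLEN: succeed if both addresses fall in
# the same /PREFIXLEN network, i.e. the Node can reach the extra SSH service.
same_subnet() {
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# probe_router ROUTER_IP KEYFILE: confirm that a command-channel login as
# "sandfly" on 57722 lands in an sh-type shell (not the IOS CLI) and that
# sudo accepts the user's password. Needs network access; not run offline.
probe_router() {
  out=$(printf '%s\n' "${SANDFLY_PASS:-}" | ssh -o BatchMode=yes -o ConnectTimeout=5 \
        -p 57722 -i "$2" sandfly@"$1" \
        'echo "SHELL:$0"; sudo -S -v 2>/dev/null && echo SUDO:ok') || return 1
  case "$out" in
    *SHELL:*sh*SUDO:ok*) return 0 ;;   # e.g. "SHELL:bash" then "SUDO:ok"
    *)                   return 1 ;;
  esac
}

# Usage: sh preflight.sh NODE_IP ROUTER_MGMT_IP PREFIXLEN [KEYFILE]
if [ "$#" -ge 3 ]; then
  if same_subnet "$1" "$2" "$3"; then
    echo "Node $1 is inside the router's /$3: port 57722 should be reachable"
  else
    echo "Node $1 is outside the router's /$3: use a Node with a named queue in that subnet" >&2
    exit 2
  fi
  if [ -n "${4:-}" ]; then
    probe_router "$2" "$4" && echo "shell and sudo OK" ||
      echo "probe failed: was 'run service sshd_operns start' re-run after the last reboot?" >&2
  fi
fi
```

Run it from the Node that will serve the router's queue; a failed probe after a confirmed subnet match usually means the sshd_operns service has not been started since the last reboot.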