my $ssh = Net::OpenSSH->new($host, user=>$user, password=>$pass);
$ssh->error and die "unable to connect to remote host: " . $ssh->error
+;

my ($socket, $pid) = $ssh->open2socket({ssh_opts => '-s'}, 'xmlagent')
+;
talk_to_subsystem($socket);
waitpid($pid, 0);
[download]

Depending on the way the subsystem works there may be better ways to interact with it.

Once you're logged into the subsytem, you get a hello message like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
  </capabilities>
  <session-id>25470</session-id>
</hello>
]]>]]>
[download]

You reply with a client hello message that is formatted very similarly, and then you send it XML/NETCONF formatted messages and it replies with XML formatted responses.

Using your suggestion, I tried this:

my $ssh = Net::OpenSSH->new($host, user=>$user, password=>$pass);
$ssh->error and die "unable to connect to remote host: " . $ssh->error
+;
my ($socket, $pid) = $ssh->open2socket({ssh_opts => '-s'}, 'xmlagent')
+;
($socket, $pid) = $ssh->open2socket;
while (<$socket>) { print };
waitpid($pid, 0);
[download]

Expecting to either see the XML hello message in the debug, or in the socket print. However, it appears that it first makes a connection to the main system, authenticates, and then tries to connect to the subsystem. I'm not good enough with SSH to know if that's how it works with except/shell version or not. Debug shows this:

# call args: ['ssh','-o','ServerAliveInterval=30','-x2MN','-o','Number
+OfPasswordPrompts=1','-o','PreferredAuthentications=keyboard-interact
+ive,password','-S','/home/user/.libnet-openssh-perl/user-host-31054-2
+7407','-l','user','host','--']
[download]

Then I see the banner go by and the password prompt as expected, but no XML hello. Then I see:

# call args: ['ssh','-s','-S','/home/user/.libnet-openssh-perl/user-ho
+st-31054-27407','-l','user','host','--','xmlagent']
# open_ex: ['ssh','-s','-S','/home/user/.libnet-openssh-perl/user-host
+-31054-27407','-l','user','host','--','xmlagent']
# call args: ['ssh','-S','/home/user/.libnet-openssh-perl/user-host-31
+054-27407','-l','user','host','--']
# open_ex: ['ssh','-S','/home/user/.libnet-openssh-perl/user-host-3105
+4-27407','-l','user','host','--']
Pseudo-terminal will not be allocated because stdin is not a terminal.
stty: standard input: Invalid argument
[download]

And then it hangs there, probably looping on the "while". But, the important bit for this step is that it does not look this this creates a properly formatted SSH command either. The "-s" flag is at the beginning, but the "xmlagent" value is at the end - I would expect that it would need to send "-s xmlagent" in order for the -s flag to have meaning. I'm also suspecting that it needs to do so in the first connection, not later (but I'm not positive if that is how SSH should work or not).

Using your suggestion, I tried...

You have two calls to open2socket, the first establishes a connection to the Netconf subsystem, but then on the next line it opens a new one to a shell overwriting $socket.

The correct way to do it is as follows:

my $ssh = Net::OpenSSH->new($host, user=>$user, password=>$pass);
$ssh->error and die "unable to connect to remote host: " . $ssh->error
+;
my ($socket, $pid) = $ssh->open2socket({ssh_opts => '-s'}, 'xmlagent')
+;
while (<$socket>) { print };
[download]

Expecting to either see the XML hello message in the debug, or in the socket print. However, it appears that it first makes a connection to the main system, authenticates, and then tries to connect to the subsystem. I'm not good enough with SSH to know if that's how it works with except/shell version or not.

This is how the SSH protocol works, first a TCP connection is established, then encryption and authentication are negotiated and from that point, bidirectional channels can be open freely between the client and server even in parallel (though, most servers set a limit on the number of concurrent channels, typically 10).

When you run ssh from the command line or using Expect, the two phases are performed under the hood by the ssh client, though just one channel is open.

The "-s" flag is at the beginning, but the "xmlagent" value is at the end

Yes, it works that way, the subsystem name is not an argument to the -s flag but it is taken from the remote command at the end of the ssh argument list (see ssh).

BTW, the specification for NETCONF over SSH (rfc4742) says the server must listen not at the default SSH port (22) but at port 830. Have you activated the subsystem also at port 22?