Chrome Secure Shell SSH stopped connecting after Chromebook ChromeOS Update


Lukas DiBeneditto

Nov 13, 2017, 6:15:04 PM
to chromium-hterm
I have been directed to post this here from this:



Chrome Secure Shell SSH is no longer working after an upgrade/update of ChromeOS on Chromebooks.

ssh_exchange_identification: Connection closed by remote host
NaCl plugin exited with status code 255.

Chrome Secure Shell SSH

I have 2 Chromebooks. My new one updated and then SSH stopped working; the old one, with the older version of ChromeOS, was working fine. Then I updated the old one to the new version of ChromeOS, which caused SSH to stop working on the old one as well.

I already tried this:

If I follow the instructions on this web page:

How do I remove ALL keys?
Open the JavaScript console and type...

term_.command.removeDirectory('/.ssh/')

This will remove any non-key files you may have uploaded as well. It will not affect your preferences.

Then there are also these:
 
If you don't know the index, or you'd like to clear all known hosts, type...
term_.command.removeAllKnownHosts()

To reset all preferences to their default state, type this...
localStorage.clear()


Note that I have to VPN first to an intranet. I use CiscoAnyConnect.

Cisco AnyConnect


----before ChromeOS update (old one)----

Connecting to [username]@[server] ...
Loading NaCl plugin... done.
The authenticity of host '[username]@[server] ([server ip address])' can't be established.
ECDSA key fingerprint is SHA256:[sha256].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[server],[server ip address] (ECDSA) to the list of known hosts.
ssh_dispatch_run_fatal: Connection to UNKNOWN port -1: I/O error
NaCl plugin exited with status code 255.
(R)econnect, (C)hoose another connection, or E(x)it?
 failed! :(
Connecting to [username]@[server]...
Loading NaCl plugin... done.
[username]@[server]'s password: 
Last login: Mon Nov 13 11:21:23 2017 from [vpn server name]
[[username]@[server] ~]$ 


----after ChromeOS update (new one)----

Connecting to [username]@[server]...
Loading NaCl plugin... done.
ssh_exchange_identification: Connection closed by remote host
NaCl plugin exited with status code 255.
(R)econnect, (C)hoose another connection, or E(x)it?

Mike Frysinger

Nov 13, 2017, 6:23:32 PM
to Lukas DiBeneditto, chromium-hterm
is this an os update or secure shell update? secure shell 0.8.39 was just released today with a new openssh.

you should look at the sshd logs on the server to see if there's anything useful in there.

--
You received this message because you are subscribed to the Google Groups "chromium-hterm" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-hterm/c49d37e4-30b5-4d62-864b-c63976a0552b%40chromium.org.

Lukas DiBeneditto

Nov 13, 2017, 6:27:17 PM
to chromium-hterm, lu...@dibeneditto.com
ChromeOS update.

Lukas DiBeneditto

Nov 13, 2017, 6:49:27 PM
to chromium-hterm, lu...@dibeneditto.com
I have also tested with Windows OS, Google Chrome, and Secure Shell and was able to SSH into the server without issue. So it does appear to be a Secure Shell issue, unfortunately.

Text from Secure Shell:

Welcome to Secure Shell version 0.8.39.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (ctrl+click on links to open)

[Pro Tip] Use 'Open as Window' to prevent Control-W from closing your terminal!
[Pro Tip] See https://goo.gl/muppJj for more information.

ChangeLog/release notes: https://goo.gl/YnmXOs
Major changes since 0.8.36.11:
 ¤ The SSH command line can handle basic quoting rules (e.g. -o "Feature yes").
 ¤ Unicode combining character processing has been overhauled.
 ¤ Unicode tables updated to 10.0.0 release.
 ¤ Use Yubikeys and other smart cards for ssh auth: https://goo.gl/3ZEU1w
 ¤ Omnibox entries now match saved profile names first.
 ¤ OpenSSH upgraded to 7.6p1 (some older features dropped).

Random Pro Tip #12: Use Yubikeys and other smart cards for ssh auth: https://goo.gl/3ZEU1w

Connecting to [username]@[server]...
Loading NaCl plugin... done.
The authenticity of host '[server] ([server ip])' can't be established.
ECDSA key fingerprint is SHA256:[sha 256].
Are you sure you want to continue connecting (yes/no)? yes             
Warning: Permanently added '[server],[server ip]' (ECDSA) to the list of known hosts.
[username]@[server]'s password: 
Last login: Mon Nov 13 15:32:49 2017 from [local host ip]
[[username]@[server name] ~]$ 

Lukas DiBeneditto

Nov 13, 2017, 7:04:21 PM
to chromium-hterm, lu...@dibeneditto.com
Now I am thinking it might not be a Secure Shell issue, as I am able to log in using Secure Shell SSH with my Chromebook when I am on the intranet, but not using the CiscoAnyConnect VPN.

Mike Frysinger

Nov 13, 2017, 10:08:08 PM
to Lukas DiBeneditto, chromium-hterm
you can add -ddd to the ssh command line and check the server logs to see what it thinks. the error message suggests initial key exchange worked before the server closed the connection.
-mike

Lukas DiBeneditto

Nov 13, 2017, 11:01:14 PM
to chromium-hterm, lu...@dibeneditto.com
I added the -ddd to the SSH Arguments: -ddd

Welcome to Secure Shell version 0.8.39.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (ctrl+click on links to open)

[Pro Tip] Use 'Open as Window' to prevent Control-W from closing your terminal!
[Pro Tip] See https://goo.gl/muppJj for more information.

ChangeLog/release notes: https://goo.gl/YnmXOs

Random Pro Tip #7: Copy to your clipboard from emacs/vim/etc... using OSC-52: https://goo.gl/XSnyLo

Connecting to [redacted username]@[redacted server]...
Loading NaCl plugin... done.
OpenSSH_7.6p1, OpenSSL 1.0.2k  26 Jan 2017
debug2: resolving "[redacted server]" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to [redacted server] [[redacted server ip]] port 22.
debug1: Connection established.
debug1: getpeername failed: No such file or directory
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
ssh_exchange_identification: Connection closed by remote host
NaCl plugin exited with status code 255.
(R)econnect, (C)hoose another connection, or E(x)it?
 failed! :(

Here is what I know works:

I uninstalled CiscoAnyConnect and reinstalled it on my old Chromebook. When I was physically onsite, I used my old Chromebook and Secure Shell to connect via SSH to the server without issue. I then tried to use the VPN and then tried again with Secure Shell, and SSH connected to the server without issue.

Now, when I am off site, connecting without the VPN would normally never work, so that leaves me with using the VPN to connect. Using my old Chromebook, it does not allow me to connect using Secure Shell. I also tried uninstalling and reinstalling CiscoAnyConnect on my new Chromebook, and using the CiscoAnyConnect VPN with Secure Shell does not work there either.

What do you think? What is different? The connection. Everything else is the same right? VPN, Secure Shell, Chromebook. I'm confused.

Mike Frysinger

Nov 13, 2017, 11:12:28 PM
to Lukas DiBeneditto, chromium-hterm
please check the remote server logs as i suggested to see if there are any interesting lines in there
-mike

Lukas DiBeneditto

Nov 14, 2017, 6:22:36 AM
to chromium-hterm, lu...@dibeneditto.com
I have contacted the server owner and we are waiting on any interesting server logs as soon as I receive them. Thank you.

jdu...@google.com

Nov 14, 2017, 3:53:01 PM
to chromium-hterm, lu...@dibeneditto.com
Any updates on this? I'm also not able to connect today.  Keep getting stuck at "Loading NaCl plugin... done." then eventually 255 error code.

Doug Anderson

Nov 14, 2017, 4:12:31 PM
to chromium-hterm, lu...@dibeneditto.com, jdu...@google.com, Mike Frysinger
I'm hitting something like this too.  On one Chromebook I confirmed that I could connect on 0.8.38.  Then I hit "Update Extensions" and it updated to 0.8.39 and got borked.

Ah, but actually when I removed my SSH Arguments (I had "-oConnectTimeout=120") then it appears to fix things.  No idea why that would happen, but at least I have a workaround for now...  I didn't really need that option anyway... :-P

-Doug

---

Lukas DiBeneditto

Nov 14, 2017, 6:30:24 PM
to chromium-hterm, lu...@dibeneditto.com, jdu...@google.com, vap...@chromium.org

My situation is a little different, in that I was using a CiscoAnyConnect VPN off site along with Chrome Secure Shell SSH.

On site, bypassing the VPN:

Adding -v to the "SSH Arguments:"

----
----

I have since gone on site, and followed the directions below, I have modified them some:

Using SSH on Chrome

Essentially you need to be able to access the remote host (the server), then type the following commands:

(First check if you have a ".ssh" folder in your home directory. If not, you can type these commands: )


1. Generate a Key Pair

cd ~
ssh-keygen

When it asks you to “Enter the file in which to save the key”, type “id_rsa” and hit enter.

Hit enter without typing a passphrase for the next two questions.

Then enter the command:

cat .ssh/id_rsa >> .ssh/authorized_keys

This will append the contents of the file "id_rsa" into the file "authorized_keys".


2. Copy the Keys to Your Machine

You can cat the contents out the files and copy and paste the text into 2 files, but I ended up using SFTP to get them off.

cat .ssh/id_rsa

Copy the contents of this into a text file named "id_rsa" to your local machine.

cat .ssh/id_rsa.pub

Copy the contents of this into a text file named "id_rsa.pub" to your local machine.


3. Load the local files "id_rsa" and "id_rsa.pub" into Chrome Secure Shell

Now close the chrome SSH window, and launch the app again.

This time, before logging on, click the “Import...” button next to the “Identity” line:

In the file window, select both the id_rsa and id_rsa.pub files, and click “Open”.

Now your Identity should read “id_rsa” instead of “[default]“.


4. Log in Again

It should work, but when I go offsite I plan to confirm it.

----

If you have done it correctly you should get something like this:

----

Welcome to Secure Shell version 0.8.39.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (ctrl+click on links to open)

[Pro Tip] Use 'Open as Window' to prevent Control-W from closing your terminal!
[Pro Tip] See https://goo.gl/muppJj for more information.

ChangeLog/release notes: https://goo.gl/YnmXOs

Random Pro Tip #3: Connect from the omnibox by typing 'ssh <profile name>': https://goo.gl/V7o8ki

Connecting to [redacted username]@[redacted server]...
Loading NaCl plugin... done.
OpenSSH_7.6p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Connecting to [redacted server] [[redacted ip address]] port 22.
debug1: Connection established.
debug1: getpeername failed: No such file or directory
debug1: identity file /.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to [redacted server]:22 as '[redacted username]'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20...@openssh.com MAC: <implicit> compression: zl...@openssh.com
debug1: kex: client->server cipher: chacha20...@openssh.com MAC: <implicit> compression: zl...@openssh.com
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:[redacted sha256]
The authenticity of host '[redacted server] ([redacted server ip])' can't be established.
ECDSA key fingerprint is SHA256:[redacted sha256].
Are you sure you want to continue connecting (yes/no)? 

----

I know I am definitely not doing this correctly, but it seems to be working. The concerning part is "The authenticity of host '[redacted server] ([redacted server ip])' can't be established." That is most likely my ignorance. After you type "yes" it should work.
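
Added example, not part of the original post: authorized_keys on the server is meant to hold public keys only (id_rsa.pub, not id_rsa), and the private key normally stays on the client. The helper names, the sample key text and the temporary paths below are constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names, the sample key text and the temp paths are
# constructed for illustration; nothing here is a real key.

# install_public_key PUBFILE AUTHORIZED_KEYS
# Appends one OpenSSH public key line and refuses private key material.
install_public_key() {
  pub=$1 auth=$2
  if grep -q -e '-----BEGIN' "$pub"; then
    echo "refusing $pub: looks like a private key" >&2
    return 1
  fi
  if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pub"; then
    echo "refusing $pub: not an OpenSSH public key line" >&2
    return 1
  fi
  dir=$(dirname "$auth")
  # sshd's StrictModes rejects group- or world-writable key paths.
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$auth" && chmod 600 "$auth"
  # Append only if the exact line is not already present.
  grep -qxF -e "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# count_private_blocks AUTHORIZED_KEYS
# Prints how many private-key headers an existing file contains.
count_private_blocks() {
  grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

demo() {
  tmp=$(mktemp -d)
  auth="$tmp/.ssh/authorized_keys"
  # Constructed stand-ins for a key pair (not real key data).
  printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYNOTAREALKEY user@chromebook' \
    > "$tmp/id_ed25519.pub"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
    '-----END OPENSSH PRIVATE KEY-----' > "$tmp/id_ed25519"
  r1=0; install_public_key "$tmp/id_ed25519" "$auth" 2>/dev/null || r1=$?
  r2=0; install_public_key "$tmp/id_ed25519.pub" "$auth" || r2=$?
  install_public_key "$tmp/id_ed25519.pub" "$auth"   # second run adds nothing
  lines=$(wc -l < "$auth" | tr -d ' ')
  priv=$(count_private_blocks "$auth")
  rm -rf "$tmp"
  echo "rc_private_key=$r1 rc_public_key=$r2 lines=$lines private_blocks=$priv"
}

demo
```

Running count_private_blocks against an existing ~/.ssh/authorized_keys shows whether private key material was ever appended to it.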

Lukas DiBeneditto

Nov 15, 2017, 7:34:54 AM
to chromium-hterm
I have tested it at home and it is not working. Unfortunately. Does anyone know what is going on?

Attempting to connect via the CiscoAnyConnect VPN and Google Chrome Secure Shell

----

Welcome to Secure Shell version 0.8.39.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (ctrl+click on links to open)

[Pro Tip] Use 'Open as Window' to prevent Control-W from closing your terminal!
[Pro Tip] See https://goo.gl/muppJj for more information.

ChangeLog/release notes: https://goo.gl/YnmXOs

Random Pro Tip #2: Display notifications in the browser using hterm-notify: https://goo.gl/ZNxGdF

Connecting to [redacted username]@[redacted server]...
Loading NaCl plugin... done.
OpenSSH_7.6p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Connecting to [redacted server] [[server ip]] port 22.
debug1: Connection established.
debug1: getpeername failed: No such file or directory
debug1: identity file /.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
ssh_exchange_identification: Connection closed by remote host
NaCl plugin exited with status code 255.
(R)econnect, (C)hoose another connection, or E(x)it?
 failed! :(

----

My next test is to pull out an old computer, a non Google Chromebook, set up the VPN, then SSH. If that computer can get through I am inclined to say that this is a Secure Shell issue, if it cannot, then I am inclined to say that it is a server issue. Is my logic sound on that?

----

I have set up my old computer, a MacBook Pro. I set up the VPN, and I was able to SSH into the server without any issue. At this time it does look like it is a Secure Shell issue.

Maciej Żenczykowski

Nov 15, 2017, 8:09:07 AM
to Lukas DiBeneditto, chromium-hterm
There's tons of possibilities.

One is that the server (or perhaps a firewall) has the new version of
openssh blacklisted (or not whitelisted...).

Server logs (and possibly packet traces) would help...

You'll note that from the -v output above, it's the server which is
terminating the connection,
the question is *why*
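
Reading the -v/-ddd traces in this thread by the last handshake step the client logged, as an added example (not code from Secure Shell or from any poster); the stage labels are invented for this example and the sample traces are abridged from the ones posted above. In the failing trace the client logs its own version string but never a "Remote protocol version" line, so the socket was closed before any server banner arrived and client keys, ciphers and passwords were never involved.

```shell
#!/bin/sh
# Added example: report how far an `ssh -v` client trace got.
# Stage labels are chosen for this example; they are not OpenSSH terms.

# classify_ssh_trace: reads a client debug trace on stdin, prints one label.
classify_ssh_trace() {
  awk '
    /debug1: Connection established/     { tcp = 1 }
    /debug1: Remote protocol version/    { banner = 1 }
    /debug1: SSH2_MSG_KEXINIT received/  { kexinit = 1 }
    /debug1: Server host key:/           { hostkey = 1 }
    /Connection closed by remote host/   { closed = 1 }
    END {
      if (!tcp)          print "no-tcp-connection"
      else if (!banner)  print (closed ? "closed-before-server-banner" : "waiting-for-server-banner")
      else if (!kexinit) print "banner-exchanged"
      else if (!hostkey) print "key-exchange-started"
      else               print "host-key-received"
    }'
}

# Abridged from the failing trace (Chromebook over the VPN) in this thread.
trace_over_vpn() {
  cat <<'EOF'
debug1: Connecting to [redacted server] [[server ip]] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type 0
debug1: Local version string SSH-2.0-OpenSSH_7.6
ssh_exchange_identification: Connection closed by remote host
EOF
}

# Abridged from the working on-site trace in this thread.
trace_on_site() {
  cat <<'EOF'
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:[redacted sha256]
EOF
}

printf 'over VPN: %s\n' "$(trace_over_vpn | classify_ssh_trace)"
printf 'on site:  %s\n' "$(trace_on_site | classify_ssh_trace)"
```

A "closed-before-server-banner" result points the search at the path and the endpoint actually reached (name resolution, VPN routing, firewalls, sshd connection limits) rather than at key or cipher settings.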

Lukas DiBeneditto

Nov 15, 2017, 4:34:12 PM
to chromium-hterm, lu...@dibeneditto.com
I have contacted the server owner and will try to get the server logs. I will update as soon as I have more information. Thank you everyone for your help so far.

Lukas DiBeneditto

Nov 16, 2017, 1:24:38 PM
to chromium-hterm, lu...@dibeneditto.com
Dear Secure Shell Developers,

I apologize, I made a mistake, and was incorrect. It was the Cisco AnyConnect VPN that was causing the issue!

I am now using the built in OpenVPN / L2TP for the Google Chromebook. SSH is working again.

I also have route and path trace data, with and without VPN, on site, off site, for the Chromebook and with a MacBook Pro, if any developers want to look at them, but I do not want to post them publicly. Let me know if you want them.

Thanks all!

Sincerely,

Lukas W. DiBeneditto

Mike Frysinger

Nov 16, 2017, 5:00:44 PM
to Lukas DiBeneditto, chromium-hterm
don't worry about it.  glad things are working for you again!
-mike


msch...@mrn.org

Nov 17, 2017, 1:33:39 PM
to chromium-hterm, lu...@dibeneditto.com
Lukas, I'm also having this problem.

Cisco AnyConnect, then ssh to vpn server. 
It worked fine Monday.  Didn't work Tuesday.  Worked Wednesday?? Not working again today.

Can you share info about your anyconnect work around?
I had openvpn working on crouton on my chromebook last year, but it was a huge pain to set up, and I don't have everything in place any more.

Thanks for your help!
Megan

Lukas DiBeneditto

Nov 19, 2017, 11:32:16 PM
to chromium-hterm, lu...@dibeneditto.com, msch...@mrn.org
Megan,

Essentially you need to figure out a way to use a different VPN. In my case I uninstalled the Cisco AnyConnect and set up an L2TP connection. You will probably need to contact your server admin to find the L2TP settings; here is some more information.

Set up virtual private networks (VPNs) - Chromebook Help

Thanks,

Lukas W. DiBeneditto

msch...@mrn.org

Nov 20, 2017, 2:12:54 PM
to chromium-hterm, lu...@dibeneditto.com, msch...@mrn.org
Thanks, Lukas.
I'll give it a try!

Megan

Mike Frysinger

Nov 20, 2017, 4:40:48 PM
to msch...@mrn.org, chromium-hterm, Lukas DiBeneditto
the dev version has been updated to 0.8.40.1 and includes an option you can try to see if it makes a difference:
  --ssh-client-version=pnacl-openssh-7.5p1
this will tell Secure Shell to use the previous 7.5p1 release rather than the latest 7.6p1.  this might help with troubleshooting the connection.

remember though: older versions will not stick around forever.  selecting older versions of the plugin is meant only for testing, so do not rely on it long term.
-mike


Megan Schendel

Nov 21, 2017, 3:57:24 PM
to Mike Frysinger, chromium-hterm, Lukas DiBeneditto
Thanks for the info.

Do you mean dev version of chrome os, or of secure shell? Sorry, new-ish user.
Can you point me to a document for updating the dev version?

Thanks!
Megan

MEG Technician
The Mind Research Network
1101 Yale Blvd. NE
Albuquerque, New Mexico 87106



Mike Frysinger

Nov 21, 2017, 4:00:09 PM
to Megan Schendel, chromium-hterm, Lukas DiBeneditto
Secure Shell is independent of CrOS

the FAQ explains how to test Secure Shell versions:
-mike

msch...@mrn.org

Feb 23, 2018, 1:37:43 PM
to chromium-hterm
Finally figured out my solution.  Figured I'd post in case there are any other users in the universe who might benefit...

It turns out my husband had set up a local name server on our home router.  When I would leave the house and try to work from a coffee shop or the library, secure shell worked fine!

I'm not sure why, but it seems with the ChromeOS update, it changed how the network name server settings worked.  Before the update, the automatic chromeos network name server settings worked fine.  After the update, Cisco Anyconnect agent was not able to get my work vpn name server into use on my home wifi network!  

So the solution was to manually add my work vpn name server to the top of the custom name server list into the wifi network settings of my home wifi (I used google's name server next on the list, so it can still find things outside of my work vpn).  

Crazy!

giri...@gmail.com

Feb 27, 2018, 12:09:43 AM
to chromium-hterm
Thank you very much for sharing this solution. Works like a charm.

rei...@gmail.com

Jul 10, 2019, 12:08:22 PM
to chromium-hterm
Just to follow up, as of today 2019-07-10 (July 10th), a chromebook i purchased (and updated) today, still has this issue. A quick work-around and proof is to ssh using an ip address for the host vs a domain name. Have this issue when using a Pulse Secure VPN, so it doesn't look like a vendor specific issue, and more like a bug in the way the vm is setup.

-Reinard


On Friday, February 23, 2018 at 10:37:43 AM UTC-8, msch...@mrn.org wrote:

Megan Schendel

Jul 10, 2019, 2:54:15 PM
to chromium-hterm
Good idea!