zyclonite / nassh-relay

Relay Server for the Secure Shell Chromium plugin
GNU General Public License v2.0

SameSite and Secure flag not set for authentication cookies #12

Closed jmsgomes closed 4 years ago

jmsgomes commented 4 years ago

First of all, thank you for providing and maintaining nassh-relay - it has been supremely useful to me individually.

I've encountered an issue with Opening stream socket failed: 410: resulting in Connection refused.

Expected result

Secure Shell App should successfully connect to the SSH server.

Actual result

(addresses and domain names scrubbed for privacy)

Secure Shell App output

(with verbose logging, via -vvvv flag)

Welcome to Secure Shell App version 0.21.
Answers to Frequently Asked Questions: https://goo.gl/muppJj (ctrl+click on links to open)
ChangeLog/release notes: https://goo.gl/YnmXOs

Random Pro Tip #13: Display images inline: https://goo.gl/MnSysj

Looking up relay server using: relay.my.domain:443
Found relay server: https://relay.my.domain:443/
Loading NaCl plugin... done.
Connecting to owner@192.168.x.x...
OpenSSH_8.1p1, OpenSSL 1.0.2k  26 Jan 2017
debug2: resolve_canonicalize: hostname 192.168.x.x is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.x.x [192.168.x.x] port 22.
Opening stream socket failed: 410: 
debug1: connect to address 192.168.x.x port 22: Connection refused
ssh: connect to host 192.168.x.x port 22: Connection refused
NaCl plugin exited with status code 255.
(R)econnect, (C)hoose another connection, or E(x)it?

Dev Console output

[Warning] A cookie associated with a cross-site resource at http://my.domain/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

[Error] GET https://relay.domain.com/proxy?host=192.168.x.x&port=22 410
nassh.Stream.GoogleRelay.asyncOpen @ nassh_stream_google_relay.js:83
nassh.StreamSet.openStream @ nassh_stream_set.js:37
nassh.GoogleRelay.openSocket @ nassh_googlerelay.js:174
nassh.CommandInstance.onPlugin.openSocket @ nassh_commandinstance.js:1589
nassh.CommandInstance.dispatchMessage @ nassh_commandinstance.js:1190
nassh.CommandInstance.onPluginMessage @ nassh_command_instance.js:1430

Workaround found

The issue can be worked around by:

  1. Setting chrome://flags/#same-site-by-default-cookies to Disabled
  2. Setting chrome://flags/#cookies-without-same-site-must-be-secure to Disabled
  3. Relaunch/Restart Chrome browser/ChromeOS.

How to reproduce

If the above flags are not already enabled (and they eventually will be in Chrome), manually set the above flags to Enabled and (importantly) relaunch Chrome. Then try to connect using nassh-relay.

I'm currently on Chrome Version 81.0.4035.0 (Official Build) canary (64-bit), on Mac OS X 10.14.6. Also (not sure if a factor), access to the relay server is restricted via Cloudflare Access and Google SSO is configured on the relay server.
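As an added example (not nassh-relay's code and not the fix in the linked commit), the Python below models the two Chrome rules the dev console warning above describes and checks Set-Cookie headers against them: a cookie with no SameSite attribute is treated as Lax and withheld from cross-site requests, and SameSite=None is only accepted together with Secure. The cookie name and values are constructed for the example.

```python
"""Check Set-Cookie headers against the cross-site rules Chrome enforces.

Added example, not nassh-relay's own code. Cookie names and values below
are constructed; the rules implemented are the ones named in the Chrome
dev console warning quoted in the issue.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and a lowercase
    attribute map; flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


@dataclass
class CookieReport:
    name: str
    same_site: Optional[str]          # raw SameSite value, None if absent
    secure: bool
    problems: List[str] = field(default_factory=list)

    @property
    def usable_cross_site(self) -> bool:
        """True when Chrome would both store the cookie and send it on a
        cross-site request, e.g. from the Secure Shell app to the relay."""
        return not self.problems


def check_cross_site(header: str) -> CookieReport:
    """Report why a cookie would not reach the relay on a cross-site request."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite")
    secure = "secure" in attrs
    problems: List[str] = []
    if same_site is None:
        problems.append("no SameSite attribute: Chrome defaults to Lax and "
                        "withholds the cookie on cross-site requests")
    elif same_site.lower() != "none":
        problems.append(f"SameSite={same_site}: cookie is withheld on "
                        "cross-site requests")
    elif not secure:
        problems.append("SameSite=None without Secure: Chrome rejects the cookie")
    return CookieReport(name, same_site, secure, problems)


def cross_site_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header for an authentication cookie that must be
    sent cross-site: SameSite=None and Secure are required; HttpOnly keeps
    it out of page scripts."""
    return f"{name}={value}; Path={path}; SameSite=None; Secure; HttpOnly"


# Constructed sample headers: the first two reproduce the failure mode in
# the issue, the third is the shape a relay should emit.
SAMPLE_HEADERS = [
    "relay_session=abc123; Path=/",
    "relay_session=abc123; Path=/; SameSite=None",
    cross_site_set_cookie("relay_session", "abc123"),
]


def audit(headers: List[str]) -> Dict[str, bool]:
    """Map each header to whether it survives cross-site delivery."""
    return {h: check_cross_site(h).usable_cross_site for h in headers}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = check_cross_site(header)
        status = "OK" if report.usable_cross_site else "BLOCKED"
        print(f"{status:7} {header}")
        for problem in report.problems:
            print(f"        - {problem}")
```

Running the script prints BLOCKED for the two headers that match the pre-1.1.0 behaviour and OK for the third; the same check can be run over the Set-Cookie headers captured in the Network tab to confirm a deployed relay sets both attributes before touching the Chrome flags.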

zyclonite commented 4 years ago

this should fix it https://github.com/zyclonite/nassh-relay/commit/0803fe518f477634eca7ad28110bf471a64a8cfd

i will do a 1.1.0 release so you can test it

jmsgomes commented 4 years ago

Thanks for the quick response!

Since I run nassh-relay in a Docker container, would I need to set this up "the traditional way" to test or will a docker image be available for testing?

zyclonite commented 4 years ago

container should be released as latest and 1.1.0 tag

jmsgomes commented 4 years ago

The issue no longer occurs in 1.1.0 :-D I created a container to use the latest zyclonite/nassh-relay:1.1.0 image and – after making sure that both chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure were enabled and relaunching Chrome – I successfully connected to my hosts via the relay using Secure Shell.

I really appreciate the quick resolution of this issue - Thank you!