No documentation for security of open port on remote host #1927

Closed
zao opened this issue Dec 1, 2019 · 5 comments
Labels
doc feature-request Request for new features or functionality ssh Issue in vscode-remote SSH verification-needed Verification of issue is requested verified Verification succeeded


zao commented Dec 1, 2019

  • VSCode Version: 1.40.2
  • Local OS Version: Windows 10 1909 (18363.476)
  • Remote OS Version: Ubuntu 16.04
  • Remote Extension/Connection Type: SSH

Steps to Reproduce:

  1. Connect to a remote host which has multiple user accounts with Remote-SSH.
  2. Observe that the remote host has an open port listening on localhost, seemingly some sort of web server.
  3. Fail at finding any documentation on what precautions are taken to prevent unauthorized access by other users on remote system.

Issues #1016 and #291 were closed believing that it was secure enough to just restrict the listening to localhost instead of all interfaces, but did not address the concerns of running Remote-SSH on multi-user machines.

For some context, we have cluster login nodes with many hundreds of users. There is a significant chance that some user loses their credentials to a malicious party and as such, malicious parties can connect to the port on the remote.

I'm asking for documentation or a statement on the existence of security measures (auth tokens, whatever) to prevent other users on the remote system from accessing the service.

As none of the source for this extension is available, it's impossible to audit as a third party and given the history of listening on all interfaces, I'm erring on the side of caution.

Remote-SSH is an excellent piece of tech and would be awesome for our users but until this issue is sorted out, we can't allow them to run it at all.

@alexdima alexdima added this to the February 2020 milestone Jan 31, 2020
@alexdima alexdima removed this from the February 2020 milestone Feb 28, 2020

jdspugh commented Jul 2, 2020

Let me say first that VSC is a great product. I installed this extension and was having a wonderful remote development experience.

After a while I was having trouble connecting to the server yet my pure ssh connections made from the command line were operating fine. I looked further into this and found some strange roundabout connections being made to my server. Then I looked on the server and was absolutely shocked to find a bunch of hidden directories installed including nodejs server software which was opening a port that VSC could connect to. I take a lot of care to make sure my servers are secure and this was a complete violation of my server. I used find / -mtime -1 -ls to find all the recently installed files and removed them.

Now I'm using the Sync-Rsync plugin which does what I want but in a much more secure manner. My lesson: don't provide full ssh access to even software you love and trust. Left feeling violated!

@alexdima alexdima added this to the October 2021 milestone Oct 13, 2021
alexdima (Member) commented

Remote - SSH launches the vscode server with a secret (a randomly generated string), the vscode server opens up a random port number listening on 127.0.0.1, and each connection needs to provide that secret as part of a handshake. There is one HTTP path that is available without authentication at that server at /version. Remote - SSH funnels back this secret to the VS Code client that is connecting and this mechanism allows that particular VS Code client to connect to the server.

@alexdima alexdima added doc feature-request Request for new features or functionality labels Oct 13, 2021
alexdima (Member) commented

@roblourens Could you please document this in the Remote - SSH extension documentation?

@alexdima alexdima added the ssh Issue in vscode-remote SSH label Oct 13, 2021
@alexdima alexdima removed their assignment Oct 13, 2021
roblourens (Member) commented

Do you think it should be another note in the README, or a note in the docs like next to https://code.visualstudio.com/docs/remote/troubleshooting#_improving-security-on-multiuser-servers

roblourens added a commit to microsoft/vscode-docs that referenced this issue Oct 29, 2021
@rzhao271 rzhao271 added verification-needed Verification of issue is requested verified Verification succeeded labels Nov 2, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Dec 13, 2021