coder / code-server

VS Code in the browser
https://coder.com
MIT License

Support PAM authentication #1988

Open tjunussov opened 4 years ago

tjunussov commented 4 years ago

I know that there are feature requests about "Multiple User Support", but all of them are asking for live coding with multiple users. What I'm promoting here is to allow multiple logins/users with their own ACLs, to restrict some users to editing only some folders. I think this feature is easier to implement than live coding with multiple users on the same file.

The easiest way is to use the Linux user management system (ACL), so when a user logs in to code-server, it will ask for Linux user credentials.

Ex: config.yaml

bind-addr: 127.0.0.1:8080
auth: linuxManaged
cert: false

After that, the admin will create and configure ACLs inside Linux, and code-server will work under that user. Example of how it will work:

image

code-asher commented 3 years ago

Interesting! Thanks for the feature request. Our current recommendation is to put code-server behind a proxy that's capable of doing authentication like this. I'll drop it into the icebox for now but I'm not sure we'll put this on the roadmap.

tjunussov commented 3 years ago

code-server behind a proxy with Basic Auth only restricts access to the whole code-server, but how can I restrict folders?

code-asher commented 3 years ago

I think the only way to do that currently is to spawn a code-server instance for each user. To do this with one instance you're right that a proxy wouldn't be enough.

geiseri commented 3 years ago

One thing I have been playing with was putting code-server inside of a systemd-based container vs Docker. This way I could have it listen to a socket and launch a new session. The only issue I had was reconnecting. I am looking at https://www.pomerium.io/ to possibly spin up Docker containers on the fly. Sadly, as I look into this more, it ends up looking like the monster that Eclipse Che had become. The nice thing about code-server is that it can "scale down" very well. I think "scaling up" might be better served as an external project though.
Edit: This is where I started from: https://blog.developer.atlassian.com/docker-systemd-socket-activation

sr229 commented 3 years ago

This would open up possibilities like SSH-based authentication, since we can just use a public key for authentication as well; not all Linux users have a password IMO.

paulchill commented 1 year ago

Upvoting this - using outdated Nuclide and Atom as it supports multiple users on one nuclide-server on a large EC2. Each user is jailed into their home dir, then the user does remote dev in their own folder. Allows easier admin and other benefits.

paulchill commented 1 year ago

I installed code-server last night on an EC2 for a test to replace nuclide-remote server.

My main issues that it did not seem to have initially were:

So I invoked multiple instances of code-server and it appeared to work with multiple users - all building mid / large Angular code bases at the same time, seemed relatively OK - having a separate instance built using Terraform sounds good - I saw a git report for that, but it is just more management, and having to change our workflow now is difficult.

Using the same IP - I opened 2 sessions / users of VS Code - via code-server - each had a different port. The YAML password set would work with the correct port and not with the other.

Is this relatively secure, even if resource-inefficient from an instance point of view?

Would love some feedback on this, and on whether anyone else is using it for the above case.
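The one-instance-per-user setup described in this thread, as an added example (not code from the code-server project or from any commenter): it writes one config.yaml per user, each with its own loopback port and its own random password, in a file only its owner can read. The user names, the base port and the scratch root directory are assumptions.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

BASE_PORT = 8080  # assumption: first port handed out (the port in the issue's config.yaml)


def render_config(port: int, password: str) -> str:
    """Render a code-server config.yaml for one per-user instance."""
    return (
        f"bind-addr: 127.0.0.1:{port}\n"  # loopback only, one port per user
        "auth: password\n"
        f'password: "{password}"\n'  # quoted so YAML never reads it as a number
        "cert: false\n"
    )


def write_user_configs(users, root: Path, base_port: int = BASE_PORT) -> dict:
    """Write <root>/<user>/.config/code-server/config.yaml for every user.
    Returns {user: (port, path)}; raises FileExistsError instead of overwriting."""
    assigned = {}
    for offset, user in enumerate(sorted(set(users))):
        if Path(user).name != user or user in ("", ".", ".."):
            raise ValueError(f"unsafe user name: {user!r}")  # no path traversal
        port = base_port + offset
        cfg_dir = root / user / ".config" / "code-server"
        cfg_dir.mkdir(parents=True, exist_ok=True)
        os.chmod(cfg_dir, 0o700)
        path = cfg_dir / "config.yaml"
        # Create with mode 0600 from the start so the password is never
        # readable by other local users, not even briefly.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(render_config(port, secrets.token_hex(16)))
        assigned[user] = (port, path)
    return assigned


def file_mode(path: Path) -> int:  # permission bits, e.g. 0o600
    return stat.S_IMODE(path.stat().st_mode)


if __name__ == "__main__":
    # Constructed sample users, written under a scratch directory.
    with tempfile.TemporaryDirectory() as tmp:
        for user, (port, path) in write_user_configs(["alice", "bob"], Path(tmp)).items():
            print(user, port, oct(file_mode(path)), path)
```

On a real host the root would be the directory holding the users' home directories, and each file would additionally need to be owned by its user, with each instance started as that user so the Linux file permissions and ACLs apply to it.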

jsjoeio commented 1 year ago

Very interesting approach! @paulchill have you considered coder/coder?