Open ksourdrille opened 1 year ago
Hello,
I'll have to look into it more deeply, but there are chances it won't work, unfortunately.
This is because the Remote SSH extension of vscode uses the -D
option of ssh
, which opens a local port that talks the SOCKS4/5 protocol, and tunnels it to the server, enabling unfiltered and unlogged access to any remote party accessible from the server itself. This is a variant of the -L
and -R
option, which uses SOCKS instead of forwarding a single port.
Obviously this is very handy for dev environments and several other use cases, but this would break the auditability, traceability and authorization check mechanisms of the bastion, as you can tunnel and potentially access other things that the bastion won't have a chance to see, hence not able to allow, deny, or even log. The protocol break done on the bastion side is actually done to prevent this kind of loophole, among other things.
Now, this use case on a bastion reserved to dev environments and flagged as such in a more global security policy, might be legit, as long as it's explicitly allowed, but again I'll have to look into it, as I'm not sure this can be done, given the design of the bastion. There's apparently a mode that can be enabled in the Remote SSH extension that can use -L
instead of -D
, by forwarding a UNIX socket instead of forwarding a port, I'll try to look into that.
Actually, had a look yesterday, and I might have a PoC with -L
that roughly seems to work, but it would need to be tested by people using vscode daily. Would you be interested to test it?
Hi @speed47, Thanks for your answer and your time :)
of course I am interested :)
What should I do?
Kélian
Hi @speed47,
Do you have any news for me?
Kélian
Yes, I'll be writing the documentation this week. There is one major drawback, unfortunately: due to an OpenSSH bug that is known since at least 2016 but still unfixed (!), one has to enable local port forwarding on the bastion for the vscode plugin to work (even if it doesn't actually require local port forwarding), so that's something to have in mind. It's not really a good practice to enable this on a bastion, but it might be acceptable for dev environments (if you have a separate bastion for production environments, for example).
I'll outline this in the documentation. Stay tuned.
Hello,
Ok thank you for all :)
Kélian
Hi @speed47
Do you somes good news about this topic ?
Kélian
I've also attempted to connect to a remote host using the SSH extension without any luck. If there are any updates or if there's an opportunity for me to lend a hand in debugging, I'd greatly appreciate the information.
Hello,
Do you know if there is a way to connect to the remote host with vscode ssh extension trought the bastion ?
i saw we can't use proxy jump and proxy command, but i don't know if someone already done this without this commands.
Kélian