VSCode's SSH agent is bananas

103 comments

·February 8, 2025

tptacek

I have been for like a month now noodling on a long-form post about a piece of software we've been noodling with for 3-4 years now. Kurt is freaking out, because we haven't written anything on the blog since, like August. Finally I'm like, look, I will write the simplest thing I can come up with. We'll do the opposite of what we've been doing. We'll do anti- effortposts. I bet I can do one in 30 minutes.

I promise, I thought about this less than you have. It's a thing we were tinkering with, and I wrote about it. That's all.

bradgessler

I use to write posts for Ruby Dispatch at Fly.io, so if you’re looking for Fly quality Ruby content, I publish articles about once a week at https://terminalwire.com/articles.

Coincidentally the company I started, Terminalwire, streams command-line apps from web servers, like Rails, to a thin-client installed on your users’ machines. Unlike the bananas SSH agent, I have an entitlements security mechanism that prevents servers from doing whatever in the client unless the user grants access. More on that at https://terminalwire.com/docs/client/security

For now I’m focusing on making an awesome developer experience for Rails servers, so if you want to build CLI like Stripe or GitHub has for their apps, you can have the beginning of one in under 10 minutes at https://terminalwire.com/docs/rails.

alexgartrell

More low effort posts please!

scop

That first paragraph (in your HN comment, not the blog post) would have read better with zero periods.

Glad to see one of my favorite blogs is still active. I was starting to get a little worried.

The first two blogs currently listed, McCord-Valim’s FLAME-Livebook-GPU and your post which has the word “murid”, truly captures the psychological arc of a developer.

Thanks!

concerndc1tizen

VSCode is an IDE designed to suffocate the open source alternatives, so that they retain full strategic control. Oh, and it also promotes their tech (Copilot, Github, C#, TypeScript). It's a long list of issues.

It works well though, particularly over SSH and devcontainers, although it has severe bugs that they refuse to fix, and it isn't open source so you can't fix it yourself.

I wish software was secure by design, like browsers are. But it just isn't a business priority, because consumers have so little to lose. And enterprise customers have strict environments, separate staging/production environments that reduce blast radius, and so on, so the insecurity is tolerable. Besides, employees can't be trusted anyway, so what's the point of having a very secure IDE if they immediately run curl|sudo bash.

Are there any good web-based alternatives? (like Runpod's openvscode-server)

csdreamer7

> VSCode is an IDE designed to suffocate the open source alternatives, so that they retain full strategic control

What open source alternatives? Atom was a mess that kept breaking. LSP plugins are now used in almost every featureful editor and have really made editing a lot better. You spent more time configuring Vim and Emacs than they saved you. Microsoft made a really good code editor that set a standard and likely took market share from their own (mostly Windows) Visual Studio.

I do not use it anymore because of the creep of closed source plugins (+ they keep breaking my workflow) but I still think it is a great improvement.

> I wish software was secure by design, like browsers are.

Someone does not remember (or was not around) for the ActiveX or Flash days.

makeitdouble

> What open source alternatives?

This is part of parent's point IMHO.

As VSCode is good enough, there is no oxygen for an open source effort to reinvent that wheel. At some point it will stale long enough that some bigger communities will want to tackle the challenge, but that won't be tomorrow.

I see VSCode as a net positive, but I think it's healthy to keep in mind the embrance->extend bigger picture.

skydhash

> You spent more time configuring Vim and Emacs than they saved you

I trade whatever default workflow that VSCode and other IDEs are imposing for a better editing experience. And even the initial time investment is short these days due to the trove of config and tutorials online.

After learning Vim, I ditched the files explorer and embrace the buffer workflow instead. Opening many windows at the same time to peek at multiple files, then switching to a new tab only if I don’t want to lose the current windows configuration. Then fuzzy searching for navigation, and using the quickfix list for search and errors. No friction from thought to action.

Another plus for me. I have an emacs session opened for weeks now inside a VM on my desktop to work on a side project. Whatever the computer (laptops or said desktopj, it’s a quick ssh, then resuming the dtach sessiom and my workspace is ready. Multiple files opened (almost all of them), a postgresql REPL, Tasks runners, and a lot of packages (magit, project.el, consult,…) working together to streamline working on code.

m463

> I wish software was secure by design, like browsers are.

I feel this is one of those "repeat it until it is true" marketing things, like "apple believes privacy is a fundamental right"

But really, I think vscode, browsers and apple products only tangentially secure because business goals, features and convenience trump these kinds of broad statements.

I so wish it was otherwise. There are so few islands of common sense in our world and the water level keeps rising.

white-flame

I think it's more a case that browsers take security into account at the feature design phase, whereas other applications don't. That's actually a huge step in the right direction. Same thing with mobile OSes, which have a very preferable decision to sandbox individual applications, instead of running them with full user permissions & full user data access, like desktop OSes do.

Now, whether the browsers or mobile OSes actually are secure because of that, is a separate thing, but those are good steps to take.

idle_zealot

> which have a very preferable decision to sandbox individual applications, instead of running them with full user permissions

It's great that they took security into account during the design phase. I wish they had also taken into account user empowerment. They sandboxed all the apps and in so doing made interoperation, plugins, patches, mods, etc basically impossible. Now the most widely-used form of personal computer is more like a portal to digital services than it is a computing platform. It's sad to see, and I refuse to believe that it's one-or-the-other when it comes to security vs power.

hedora

Vscodium is open source, and ssh mode works. I don’t think copilot does.

evilduck

Cline, Roo, and Continue all work with Codium though, so it's not a big loss.

goldencoralefan

Zed. It is written in a compiled language and it’s C++ extension doesn’t take down my servers.

jeffbee

Eclipse theia. It is an almost pixel-perfect ripoff of VS Code that integrates the open source components such as Monaco. It is what you are using if you've ever started a Google Cloud Shell Editor.

bongodongobob

VSCode is great. If it suffocates other products, that's their fault for not being better. MS hate for hate sake is fucking old, do better.

shipp02

This is going to sound naive but, I don't understand what the security issue is. If you can ssh into a machine and port forward a socket, you already have permission to do all the other things. VSCode's protocol seems to be exposing it in way that's more convenient for them.

How is this a security problem? Is it because someone on the same network as the remote machine but without SSH access can connect the port that is forwarded over SSH?

As a user, I quite like how well VSCode's SSH system works.

schmichael

I think the difference is that what VSCode is doing is not an SSH Session like you get in a terminal with the ssh command or putty.

VSCode is installing a remote agent on the target machine that happens to use ssh as its transport protocol, and offers to share that transport with the user.

Is this a problem? Not if it only does things you want it to do. However any agent based system exposing an arbitrary API is suddenly a much bigger attack and risk surface area than the well trod (and still fraught) path of emulating a terminal over ssh.

shitter

> However any agent based system exposing an arbitrary API is suddenly a much bigger attack and risk surface area than the well trod (and still fraught) path of emulating a terminal over ssh.

I can see how this increases local (to the remote system) attack surface, but as long as the agent has the same OS privileges as the user logged in over SSH, what extra remote risk does this introduce?

smackeyacky

Because if the Agent code is compromised, the fact that it leaves things behind is enough for an attacker to hide whatever they need along with the vs code blob. Vscode does this for the right reason, mostly it’s so the bulk of it runs on the host where you’re doing remote development or WSL or whatever. But like a lot of dev stuff these days, compromise the npm packages and bingo you can own all the machines.

Npm is already a terrible thing because the packages are managed so haphazardly, but now you’re exposed to the nonsense without even going anywhere near the mad rodeo of node. I like vscode but it’s not going anywhere near a machine I care about.

makeitdouble

We usually don't hand over full ssh sessions to third party programs, so while you're right, I think people are not used to this level of trust into an app.

The article was to me a good reminder that it's a whole other level of access than just remote mounting a file system.

cogman10

A user that can manage remote processes is generally going to have pretty high permissions.

For example, opening up debug ports on the running server processes, sudo privileges, or just the ability to run arbitrary code or curl in random binaries from the internet.

TZubiri

I sometimes kick myself for not being more productive.

But then I see the clusterfucks productive people are doing and it looks like I'm onto something

shipp02

Is it better to programmatically interact with bash to provide the features VSCode does? Do note that I am unwilling to accept an implementation with less features/ease of use!

I can see how writing a custom agent that provides remote access to privileged API's is a bad idea but bash isn't exactly the most secure piece of software in the world.

ajsharp

This is the relevant part:

> The agent runs over port-forwarded SSH. It establishes a WebSockets connection back to your running VSCode front-end. The underlying protocol on that connection can:

- Wander around the filesystem - Edit arbitrary files - Launch its own shell PTY processes - Persist itself

When you ssh into a remote server as a client, afaik that server cannot execute arbitrary code on the client. At a minimum, the client would have to explicitly take action for that to happen.

KTibow

Is that to say that the server can do things on the client connecting to the server? That doesn't make much sense.

inetknght

> When you ssh into a remote server as a client, afaik that server cannot execute arbitrary code on the client.

...assuming you have X11 forwarding disabled and/or don't have X11 server running on the same system that your client is running on.

yjftsjthsd-h

I'm pretty sure X11 forwarding is opt-in, not opt-out? That is, if you don't run `ssh -X` or -Y then this isn't a problem

khana

[dead]

Deathmax

It's helpful for evading detection, because if you've compromised a machine, you can drop in the server binary and it'll have been added to the allowlist for devs to run.

rkagerer

One reason it's a problem is because it's very unexpected behavior. Software should follow some sort of pattern that you can develop a reasonable mental model around.

null

[deleted]

indigodaddy

he says in the article, that the agent seems to be just fucking about at will

ydj

But the author doesn’t give a single example, and so there’s nothing someone else can do to explain why or continue the conversation. The best we got use that he has a vague sense of unease, which I don’t think is very useful.

__MatrixMan__

...which I've come to expect from Microsoft. Windows scrozzles the efi partition for my other OS every third or fourth time it installs updates. It's like they think they own every computer they have code on.

bkallus

I ran the servers for our networks, binary exploitation, and intro systems programming classes, and this thing is a major annoyance. It is because of this stupid RAT that students do not understand how to use the OpenSSH client.

I've tried a few things to fix this: 1., I set a motd on our class servers asking the students not to use the VSCode remote server plugin. 2. I ran `ncdu /home` in front of the class and demonstrated how, without exception, everyone with >100MB of disk usage on the class server was a VSCode user. 3. I set a user process limit of 45, because the VSCode RAT (somehow) uses ~50 Node processes. When students inevitably ignored the motd and the in-class warning, they hit the process cap and had to ask us to kill their processes in order to get back onto the system. 4. I replaced the process limit with a script that kills all the .vscode-server RATs every 10 seconds.

rednafi

I don't know what the alternative would be here. VSCode's SSH edit works surprisingly well, and I stopped fiddling with vim, nano, or micro on my remote machines long ago.

The agent gets out of my way and lets me work in peace. It almost feels like I'm working from my local machine—a huge win in my book.

This could be a security risk, but the development experience is unmatched. I couldn't care less which other editor VSCode is killing, as I mostly don't care about my tools as long as they get out of the way and let me do my job.

spacemanspiff01

The security risk comes from all those unvetted plugins, that have unrestricted access to the editor.

shipp02

That's an issue with any plugin system, right? AFAIK no IDE has a plugin system with capabilities or a sandboxed interpreter.

VSCode does have a thing where it's like do you trust the authors of this project. Not sure what it does because I've never had to use it. From StackOverflow[1]:

>If you select No, I don't trust the authors, Visual Studio Code will open the workspace in 'restricted mode'. This is the default for all new workspaces. It lets you safely browse through code but disables some editor feature, including debugging, tasks, and many extensions. However, keep in mind that 'restricted mode' is all you need for many use cases.

Actually if restricted mode[2] is any good, vscode might be better at security than most other editors/IDEs.

[1]:https://stackoverflow.com/a/67914669/11422647 [2]:https://code.visualstudio.com/docs/editor/workspaces/workspa...

rednafi

Yeah, I'm all in for a more secure option as long as it allows me to do everything that VSCode's SSH agent does. But if the devex goes down the drain because of "security" then I'm good for now.

saulrh

The alternative is suggested by tramp, which from what I know treats the remote as a network filesystem instead of an execution host. I don't believe that tramp deploys any binaries: it reads and writes bytes over pipes and all meaningful execution happens locally. Notably, it does not achieve persistence, because there's a difference between "VSCode plugins have access while you're SSH'd in" and "VSCode plugins have access forever".

rednafi

Persistence is important to me, and making it read-only significantly reduces its usefulness. I regularly SSH into a dev machine to run scripts and update configurations. As long as a tool lets me do that without getting in my way, I'm good with any solution that works.

saulrh

Tramp is perfectly able to write, it's just that it does it by writing a temp file locally and then using ssh to transfer the file to the remote, rather than installing a copy of itself on the remote and acting through that. It only uses executables that it finds on the remote. So if make and gcc and sed and such are available it's basically transparent, indistinguishable from local editing except for network round trips, and the only changes it leaves behind are the files you edit.

skydhash

Then tramp would be a perfect fit for you as long as you’re willing to learn emacs. If you open a remote file, almost all actions when that buffer is selected will execute in the remote context (launching commands, visiting directories, opening a shell,…)

cobbal

Running `make' works in tramp, so it can do some form of execution

fiddlerwoaroof

It can do anything you can do over SSH

arp242

> I don't know what the alternative would be here

I'm not sure what features VSCode offers exactly, but I find sshfs works quite well for remote editing of a bunch of stuff. I think it should basically be the same as VSCode?

sunshowers

You really want your LSPs to run on the remote, especially with high-latency connections.

rednafi

One fewer tool to think about. It remembers the connections and instantly gives you access to a full-fledged editor on a remote server. It just works, and I don’t think about it twice, which is a huge win in my book. I’m good with the trade-offs.

arp242

Okay fair enough; just saying it seems like a reasonable alternative if you want to avoid fiddling with editors on remote machines.

andrewfromx

Instead of working with existing remote tools it deploys a comprehensive agent that includes:

A Node.js binary installation. A WebSocket connection back to the VSCode frontend. Extensive system access capabilities.

The VSCode agent has broad permissions including:

File system navigation. File editing capabilities. Shell PTY process creation. Self-persistence abilities.

AlotOfReading

I don't see any reasonable alternatives that can support what VScode does, like running extensions that aren't installed locally. Maybe those features aren't something you want, but they're part of the product feature set.

dekhn

One perspective is to think of these as things that a modern OS should provide as a standardized feature, and VSCode is just working around the fact they don't exist. It's crazy to think about but the kernel itself could have a webserver (or other protocol) with encryption and auth that let you directly control the entire machine through EBPF. It could be an entirely different paradigm for client/server remoting. Also a security hole you could drive a death star through.

jazzyjackson

It’s not clear to me, are these issues on the local or remote vs code instance? If remote, I understand elisp tramp is a lighter touch as far as dependencies go, but is the attack surface all that different? (That is, does the remote node binary have any permissions a user running arbitrary ssh clans wouldn’t?)

The OPs goal was to give an llm keys the kingdom on an ephemeral/throwaway virtual machine, are they saying the sockets opened up by the agent allow it to fiddle with the developer machine it’s meant to be isolated from?

throwanem

Emacs Tramp just uses whatever SSH access you already have to a remote host, to copy files back and forth. It may use scp or sftp if the remote host advertises the protocol, but it does not install anything or invent any of its own protocols.

kazinator

"SSH agent" is a confusing term to use here, because it usually stands for a daemon that caches authentication tokens.

CGamesPlay

Agreed, because VSCode does not provide an SSH Agent but does communicate with your local one (their own version of ForwardAgent, complete with the security implications that carries). And the way it does that breaks a popular macOS SSH agent: https://github.com/maxgoedjen/secretive/issues/543

epistasis

Oh shoot, secretive is one of the few ways I knew of to keep track of each time an SSH key was actually used to auth something. I love using Agent Forwarding but the idea of anybody with root being able to arbitrarily auth stuff gave me a (perhaps unreasonable) feeling of insecurity.

rednafi

The "VSCode" before "SSH Agent" does the disambiguation fairly well.

bqmjjx0kac

I, for one, was actually confused.

ak217

The proper name for this functionality is Visual Studio Code Remote - SSH (https://code.visualstudio.com/docs/remote/ssh), and it's VSCode's killer feature. With this plugin, VSCode is the first IDE to properly implement the remote IDE paradigm.

When VSCode connects to the remote using the plugin, it installs an entire VSCode server - seamlessly to the user every time they connect to a remote - that keeps track of all project facilities, shells, extension accessory runtimes, takes care of embedded or computationally heavy tasks like compiling, building, running project-wide code analysis tools, etc. while keeping all settings, editor windows, and accessory panes local (which is critical for UX and latency). VSCode appropriately partitions responsibilities between the local and the remote, automatically restores IDE infrastructure on the remote as needed, and enforces the partitioning architecturally for all extensions.

This architecture is not an accident - it's rooted in VSCode's origin as a browser-based IDE, and makes use of the LSP and other features that don't exist in Emacs/TRAMP because nobody really thought deliberately about running the extensions at an arm's length from the editor UI in Emacs, using an async protocol that doesn't allow extensions to impact core UI latency. But the flipside is that the "client" part I described above does place a lot of trust in the "server" part, just as you might expect a browser-based application to do.

Whether you consider this architecture bananas or not depends on your security model. It's probably not the best idea to let people SSH to production using this plugin. If you are trying to rely on it to partition a novel AI tool away from part of your infrastructure, yeah, it wasn't really meant for that. The plugin predates agentic AIs by 5+ years. But it's an incredibly powerful and useful feature. I don't think taking cheap shots against it is helpful when the actual bananas thing is trying to use it in a way it was not intended for.

nomendos

When is the Risc-V support coming?

gopalv

The way most people learned this is because somewhere in the middle of last year, VSCode's node install stopped working with the old glibc.

https://github.com/microsoft/vscode/issues/201129

Most people who hit this hard pinned their vscode to 1.85 & it took a while till this turned into a simple nag bar on top of their editor.

hughes

> I would be a little nervous about letting people VSCode-remote-edit stuff on dev servers, and apoplectic if that happened during an incident on something in production.

Totally agree that using vscode remote on production servers is insane.

Everything else described as "bananas" sounds like expected functionality.

toprerules

I've reached a level (staff engineer at MAANG) that I consider to be difficult to obtain using plain old Vim, and I've noticed that other high performers tend to still use Vim or Emacs. There's plenty of amazing developers who use VCode, JetBrains, etc. but I think there are certain personality traits - seeks out barriers to entry, likes to demagic tools through exploration, values completely open source, highly tinkerable community driven projects, etc. that explain this phenomenon more than feature set or ease of use.

When I read about how complicated VSCode's remote editing was (which I knew about before this article) it just made me want to use VSCode less. I can just ssh into a machine and use whatever editor is on the machine. VSCode's solution works, but it's also not nearly as elegant or universally applicable, and is more prone to breaking.

Also, Tramp is still quite awful, sorry Emacs users (netrw isn't any better).

theamk

Reminds me of Jenkins (the CI system) remote agent.

One would expect a remote agent with well-defined capabilities: read/write/delete files and directories; run the process with stdout/stderr capture; stop the running process started in previous item.

Instead, there is a generic bytecode executor, and Jenkins controller ships out Java bytecode to be executed remotely. Crazy stuff.