[GH-ISSUE #376] connect to remote host with vscode ssh extension #102

Open
opened 2026-05-07 00:18:55 +02:00 by BreizhHardware · 9 comments

Originally created by @ksourdrille on GitHub (Mar 19, 2023).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/376

Hello,

Do you know if there is a way to connect to the remote host with the vscode ssh extension through the bastion?

I saw we can't use proxy jump and proxy command, but I don't know if someone has already done this without these commands.

Kélian


@speed47 commented on GitHub (Mar 21, 2023):

Hello,

I'll have to look into it more deeply, but there are chances it won't work, unfortunately.

This is because the Remote SSH extension of vscode uses the `-D` option of `ssh`, which opens a local port that talks the SOCKS4/5 protocol, and tunnels it to the server, enabling unfiltered and unlogged access to any remote party accessible from the server itself. This is a variant of the `-L` and `-R` option, which uses SOCKS instead of forwarding a single port.

Obviously this is very handy for dev environments and several other use cases, but this would break the auditability, traceability and authorization check mechanisms of the bastion, as you can tunnel and potentially access other things that the bastion won't have a chance to see, hence not able to allow, deny, or even log. The protocol break done on the bastion side is actually done to prevent this kind of loophole, among other things.

Now, this use case on a bastion reserved to dev environments and flagged as such in a more global security policy, might be legit, as long as it's explicitly allowed, but again I'll have to look into it, as I'm not sure this can be done, given the design of the bastion. There's apparently a mode that can be enabled in the Remote SSH extension that can use `-L` instead of `-D`, by forwarding a UNIX socket instead of forwarding a port, I'll try to look into that.

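To make the auditability point above concrete, here is an added example (not code from the issue or from The Bastion) that decodes the SOCKS5 requests a client behind `ssh -D` sends, and runs each destination through an allow/deny decision with an audit line. This is exactly the information a bastion needs in order to allow, deny or log a destination, and exactly what it does not get to see once the SOCKS stream is tunneled opaquely through the server. The wire format follows RFC 1928; the sample requests, the allow list and the `demo-user` account name are constructed for the demonstration, and the gate itself is an illustration, not anything the bastion implements.

```python
"""Decode SOCKS5 CONNECT requests as sent by a client behind `ssh -D` and gate them.

Added example for this thread, not part of The Bastion. Sample traffic below is constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable

SOCKS_VERSION = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass(frozen=True)
class SocksRequest:
    command: int
    host: str   # dotted IPv4, IPv6 text, or the domain name exactly as the client sent it
    port: int


def build_socks5_request(host: str, port: int, command: int = CMD_CONNECT) -> bytes:
    """Encode a request the way a SOCKS5 client would (RFC 1928 section 4)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name length must be 1..255 bytes")
        addr_field = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        addr_field = bytes([atyp]) + addr.packed
    return bytes([SOCKS_VERSION, command, 0x00]) + addr_field + struct.pack("!H", port)


def parse_socks5_request(data: bytes) -> SocksRequest:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; strict about lengths, raises ValueError."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a well-formed SOCKS5 request header")
    command, atyp, body = data[1], data[3], data[4:]
    if atyp == ATYP_IPV4:
        if len(body) != 4 + 2:
            raise ValueError("bad IPv4 request length")
        host, port_bytes = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        if len(body) != 16 + 2:
            raise ValueError("bad IPv6 request length")
        host, port_bytes = str(ipaddress.IPv6Address(body[:16])), body[16:]
    elif atyp == ATYP_DOMAIN:
        if not body or len(body) != 1 + body[0] + 2:
            raise ValueError("bad domain request length")
        host, port_bytes = body[1:1 + body[0]].decode("ascii"), body[1 + body[0]:]
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    (port,) = struct.unpack("!H", port_bytes)
    return SocksRequest(command, host, port)


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True when parse_socks5_request accepts the bytes."""
    try:
        parse_socks5_request(data)
        return True
    except ValueError:
        return False


def decide(req: SocksRequest, allowed: Iterable[tuple]) -> str:
    """'allow' only for CONNECT to an explicitly listed (host, port) pair; everything else 'deny'."""
    if req.command != CMD_CONNECT:
        return "deny"   # BIND / UDP ASSOCIATE are never granted by this illustrative gate
    allowed_set = {(h.lower(), p) for h, p in allowed}
    return "allow" if (req.host.lower(), req.port) in allowed_set else "deny"


def audit_line(account: str, req: SocksRequest, decision: str) -> str:
    """The kind of per-destination log line a forwarding-aware gateway could emit."""
    return f"account={account} cmd={req.command:#04x} dst={req.host}:{req.port} decision={decision}"


# Constructed sample traffic: what clients behind `ssh -D` might ask the tunnel for.
ALLOWED_DESTINATIONS = [("10.0.0.5", 22)]
SAMPLES = {
    "ipv4-ssh": build_socks5_request("10.0.0.5", 22),
    "domain-db": build_socks5_request("db.internal", 5432),
    "ipv6-web": build_socks5_request("::1", 8080),
    "bind-attempt": build_socks5_request("10.0.0.5", 22, command=CMD_BIND),
}


def run_samples(account: str = "demo-user") -> dict:
    """Parse and gate every sample; returns name -> decision and prints the audit lines."""
    results = {}
    for name, raw in SAMPLES.items():
        req = parse_socks5_request(raw)
        results[name] = decide(req, ALLOWED_DESTINATIONS)
        print(audit_line(account, req, results[name]))
    return results


if __name__ == "__main__":
    run_samples()
```

Running the module prints one audit line per sample; only the listed `10.0.0.5:22` CONNECT is allowed, the database, IPv6 and BIND requests are denied. A plain `-D` tunnel carries these same bytes end to end without anyone in the middle decoding them, which is the loophole the comment describes.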

@speed47 commented on GitHub (Mar 23, 2023):

Actually, had a look yesterday, and I might have a PoC with `-L` that roughly seems to work, but it would need to be tested by people using vscode daily. Would you be interested in testing it?


@ksourdrille commented on GitHub (Mar 23, 2023):

Hi @speed47, Thanks for your answer and your time :)

Of course I am interested :)

What should I do?

Kélian


@ksourdrille commented on GitHub (Apr 8, 2023):

Hi @speed47,

Do you have any news for me?

Kélian


@speed47 commented on GitHub (Apr 11, 2023):

Yes, I'll be writing the documentation this week. There is one major drawback, unfortunately: due to an OpenSSH bug that is known since at least 2016 but still unfixed (!), one has to enable local port forwarding on the bastion for the vscode plugin to work (even if it doesn't actually require local port forwarding), so that's something to have in mind. It's not really a good practice to enable this on a bastion, but it might be acceptable for dev environments (if you have a separate bastion for production environments, for example).

I'll outline this in the documentation. Stay tuned.

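Since the drawback above is that local port forwarding has to be switched on at the bastion's sshd for the plugin to work, a practitioner will want a quick way to check which forwarding posture a given `sshd_config` actually expresses. The following is an added example written for this thread, not code or documentation from The Bastion: it reads OpenSSH's own directives (`AllowTcpForwarding`, `AllowStreamLocalForwarding`, `PermitOpen`), applies the first-value-wins rule that sshd_config(5) documents for global scope, and lists `Match`-block overrides separately without resolving their precedence. The two sample configurations are constructed for the demonstration.

```python
"""Audit an sshd_config for the knobs that decide whether ssh -L / -D tunnels can be opened.

Added example for this thread, not part of The Bastion. The sample configs are constructed.
"""
import re
from dataclasses import dataclass, field

FORWARDING_KEYS = ("allowtcpforwarding", "allowstreamlocalforwarding", "permitopen")
# OpenSSH defaults used when a directive is absent (sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "allowstreamlocalforwarding": "yes", "permitopen": "any"}


@dataclass
class ForwardingPosture:
    global_values: dict = field(default_factory=dict)   # keyword -> effective global value
    match_overrides: list = field(default_factory=list) # (match criteria, keyword, value)

    def local_tunnels_possible(self) -> bool:
        """True when -L/-D style local TCP forwarding is allowed at global scope."""
        return self.global_values["allowtcpforwarding"] in ("yes", "local")

    def unix_socket_forwarding_possible(self) -> bool:
        """True when forwarding a UNIX socket (the -L variant mentioned above) is allowed globally."""
        return self.global_values["allowstreamlocalforwarding"] in ("yes", "local")


def parse_sshd_config(text: str) -> ForwardingPosture:
    """Collect forwarding directives; global scope is first-wins, Match blocks are reported as-is."""
    posture = ForwardingPosture()
    seen_global = {}
    current_match = None   # None while in global scope, else the Match criteria string
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # sshd_config comments run to end of line
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value   # everything after a Match line is conditional
            continue
        if key not in FORWARDING_KEYS:
            continue
        if current_match is None:
            seen_global.setdefault(key, value.lower())   # first obtained value wins
        else:
            posture.match_overrides.append((current_match, key, value.lower()))
    posture.global_values = {k: seen_global.get(k, DEFAULTS[k]) for k in FORWARDING_KEYS}
    return posture


def report(posture: ForwardingPosture) -> list:
    """Human-readable summary lines for the posture."""
    lines = [f"global {k} = {v}" for k, v in posture.global_values.items()]
    lines.append(f"local TCP tunnels possible globally: {posture.local_tunnels_possible()}")
    for criteria, key, value in posture.match_overrides:
        lines.append(f"override under 'Match {criteria}': {key} = {value}")
    return lines


# Constructed sample: a bastion that keeps its protocol break, no tunnels of any kind.
PROD_BASTION = """
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
"""

# Constructed sample: a dev-only bastion where one group was granted local forwarding.
DEV_BASTION = """
AllowTcpForwarding no
Match Group vscode-devs
    AllowTcpForwarding local
    PermitOpen localhost:*
"""

if __name__ == "__main__":
    for name, cfg in (("prod", PROD_BASTION), ("dev", DEV_BASTION)):
        print(f"== {name} ==")
        for line in report(parse_sshd_config(cfg)):
            print(" ", line)
```

An empty configuration reports that tunnels are possible, because OpenSSH's default for `AllowTcpForwarding` is `yes`; that is the case worth catching on a bastion that is supposed to enforce a protocol break.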

@ksourdrille commented on GitHub (Apr 12, 2023):

Hello,

Ok thank you for all :)

Kélian


@ksourdrille commented on GitHub (May 23, 2023):

Hi @speed47

Do you have some good news about this topic?

Kélian


@Pierrelefort commented on GitHub (Dec 22, 2023):

I've also attempted to connect to a remote host using the SSH extension without any luck.
If there are any updates or if there's an opportunity for me to lend a hand in debugging, I'd greatly appreciate the information.


@pawcykca commented on GitHub (Nov 18, 2024):

Hi @speed47, did you manage to prepare the mentioned documentation somewhere?
I have tried to set up vscode with the ssh-remote extension but I am stuck on connecting to the installed vscode via the bastion.

Reference
starred/the-bastion#102