security risk: password authentication is not enabled by default #1062

Closed
natefanaro opened this issue Oct 8, 2019 · 12 comments
Labels
enhancement Some improvement that isn't a feature

Comments

@natefanaro
Recently downloaded version 2.1523-vsc1.38.1 to try out. From reading the docs I saw there is some form of password auth 👍. After running code-server, the logs state No authentication 👎

This can be a huge security issue for someone who does not understand what they are doing. Password authentication should be enabled by default and disabled via param or environment variable.

I'll spare you the doomsday scenarios that I have been dreaming up for the past hour. I just want to see the internet a little more secure than it has been.

@natefanaro natefanaro added the enhancement Some improvement that isn't a feature label Oct 8, 2019
@sr229
Contributor

sr229 commented Oct 8, 2019

We don't want to force password authentication down everyone's throats, since people might want to do SSO, which is on another issue. We already document that setting --auth=password and then setting the $PASSWORD variable enables this. Again, options are better than forcing something by default, since there are a lot of ways to secure code-server already, and they'll be more efficient than simple passwords.

@sr229 sr229 closed this as completed Oct 8, 2019
@natefanaro
Author

Ok. Maybe enforcing password authentication isn't the solution. I still think out of the box this is insecure to a novice or someone who is not paying attention. It is trivial to find open instances of this with a tool like shodan.io. I won't post a link to the query here but I was able to find a few unintentionally open instances. This leaves access to the filesystem and terminal open to anyone that finds it.

The different authentication options that code-server provides should be mentioned in README.md, with some kind of warning that a misconfiguration by the user could leave them vulnerable.

@Succubussix

Still a risk for Docker users. I don't know how to enable this using Docker through Portainer.

@sr229
Contributor

sr229 commented Oct 9, 2019

Again, I'm pretty sure most users are aware of how to set them up correctly, and most users who would run it open on the internet can take measures to secure an instance.

@demyxco

demyxco commented Oct 9, 2019

@Dj-jom2x you can build your own Dockerfile to have it enabled by default, that's what I did.

@Succubussix

How do you change the path? For example, if you had cPanel on, and you want it to install under its dir only.

@demyxco

demyxco commented Oct 9, 2019

@Dj-jom2x you can see all available commands from the code-server binary.

code-server /default/path/for/code-server --user-data-dir=/home/user/.code/data --extensions-dir=/home/user/.code/extensions --disable-telemetry --auth=password

You can take a look at my Dockerfile (I have 3) for reference: https://github.com/demyxco/code-server

@sr229
Contributor

sr229 commented Oct 10, 2019

@Dj-jom2x you can see all available commands from the code-server binary.

code-server /default/path/for/code-server --user-data-dir=/home/user/.code/data --extensions-dir=/home/user/.code/extensions --disable-telemetry --auth=password

You can take a look at my Dockerfile (I have 3) for reference: https://github.com/demyxco/code-server

You forgot to set environment variables; just appending the --auth=password flag would do the job, as your Dockerfile does, right?

code-asher added a commit that referenced this issue Oct 23, 2019
@code-asher
Member

I added a security section to the readme; hopefully that goes a long way. https://github.com/cdr/code-server#security If anyone has any thoughts on how to improve that section, let me know.

For a few reasons I felt it was more natural to enable authentication rather than disable it. Is it common for people to manually expose code-server to the open internet without any authentication while expecting it to be secure in some way? If that's the case it may be prudent to enable password authentication by default. I don't love it but I'd prefer not to expose unaware people's private data.

If we're thinking about being secure by default we might want to re-visit the default of responding to HTTP requests, but perhaps users exposing code-server without HTTPS isn't as common a scenario.

code-asher added a commit that referenced this issue Oct 24, 2019
@code-asher
Member

Password authentication is now enabled by default. --auth none to disable it.

@Nosferican

Nosferican commented Dec 4, 2019

In the post-password-by-default era, how would one set it up for no password?
Example Dockerfile:

version: "3.7"
services:
  vscode:
    image: vscode
    container_name: vscode
    ports:
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - type: bind
        source: ./..
        target: $HOME/coder/project
      - type: bind
        source: ./dev/serve-code/.julia
        target: $HOME/coder/.julia
    environment:
      TZ: AST

How should that be modified to enable no authentication?

@demyxco

demyxco commented Dec 4, 2019

@Nosferican look at the comment above yours. For docker-compose, use the command key:

image: vscode
container_name: vscode
command: --auth=none
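As an added example (not from the code-server project or any commenter), here is the compose file from the question above written out in both forms the thread discusses: the hardened service keeps --auth=password explicit and feeds the $PASSWORD variable sr229 mentioned from the host environment, while the no-auth service is published only on the loopback interface so it is never reachable from the network. The image name, the bind-mount paths, the host variable CODE_SERVER_PASSWORD, and the use of `command:` to pass flags (as in the comment above) are assumptions.

```yaml
version: "3.7"
services:
  # Hardened variant: password auth stated explicitly, so a future change in
  # the image's default can never silently reopen the instance.
  vscode:
    image: vscode                    # assumed image name, as used in the thread
    container_name: vscode
    command: --auth=password         # flags passed as in the comment above (assumed entrypoint)
    environment:
      # Secret comes from the host environment, never from this file;
      # compose aborts with the message if CODE_SERVER_PASSWORD is unset.
      PASSWORD: ${CODE_SERVER_PASSWORD:?set CODE_SERVER_PASSWORD in the host environment}
      TZ: AST
    ports:
      - "127.0.0.1:8080:8080"        # loopback only; front it with a TLS reverse proxy for remote use
    volumes:
      - type: bind
        source: ./..
        target: /home/coder/project  # assumed path instead of $HOME

  # Local-only variant: authentication off, as asked above, but the port is
  # bound to 127.0.0.1, so nothing outside this host can reach the terminal.
  vscode-noauth:
    image: vscode
    container_name: vscode-noauth
    command: --auth=none
    environment:
      TZ: AST
    ports:
      - "127.0.0.1:8081:8080"
    volumes:
      - type: bind
        source: ./..
        target: /home/coder/project
```

Run `docker-compose config` first: it expands the variables and fails loudly on the `:?` check, which is the quickest way to confirm the password was actually supplied before the container ever listens.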
