MFA Support for Remote Containers

[ChrisSchipper]

Versions

VSCode Version: 1.52.1
Remote Extension/Connection Type: Docker
Local OS Version: Windows 10 Pro OS Build 19041.685
Remote OS Version: Ubuntu 20.04 LTS

Feature Request

It would be useful to have support for MFA on the remote containers extension.

The container I am attempting to connect to is hosted on a server that requires key-based (RSA) connection with 2FA enabled. Technically, the remote containers extension works with this today; however, I receive ~22 push notifications for 2FA via Duo Mobile (the MFA service being used) when remoting into the docker container via the extension. After I am successfully loaded up inside the container, I receive 2-3 push notifications every minute or so until I close the remote container.

I am able to reproduce the 22 push notifications with only the Remote Containers extension enabled and the following devcontainer.json file:

{
    "name": "C# Sample",
    "build": {
            "dockerfile": "Dockerfile",
            "args": {
                    "VARIANT": "3.1",
                    "INSTALL_NODE": "false",
                    "NODE_VERSION": "lts/*",
                    "INSTALL_AZURE_CLI": "false"
            }
    },

    "settings": {
            "terminal.integrated.shell.linux": "/bin/bash"
    },

    "extensions": [
            "ms-dotnettools.csharp"
    ],

    "forwardPorts": [5000, 5001],

    "remoteUser": "vscode"
}

and the following Dockerfile:

ARG VARIANT="3.1"
FROM mcr.microsoft.com/vscode/devcontainers/dotnetcore:0-${VARIANT}

ARG INSTALL_NODE="true"
ARG NODE_VERSION="lts/*"
RUN if [ "${INSTALL_NODE}" = "true" ]; then su vscode -c "source /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi

ARG INSTALL_AZURE_CLI="false"
COPY library-scripts/azcli-debian.sh /tmp/library-scripts/
RUN if [ "$INSTALL_AZURE_CLI" = "true" ]; then bash /tmp/library-scripts/azcli-debian.sh; fi \
    && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts

Additionally, #4154 describes support for password entry when using remote containers. Would this allow for text-based MFA (i.e. Google Authenticator)?

[chrmarti]

Try reusing the existing SSH connection: #3938

Additionally, #4154 describes support for password entry when using remote containers. Would this allow for text-based MFA (i.e. Google Authenticator)?

Possibly, it might still suffer from the problem you describe here because Docker opens a new SSH connection for each command.

[ChrisSchipper]

Try reusing the existing SSH connection: #3938

I attempted this and am receiving the following error: err=getsockname failed: Not a socket

Based on the docs for remote-ssh and some other issue posts such as #629 (comment), it seems these settings are not supported on Windows.

Is there a supported workaround that allows Windows machines to take advantage of these .ssh/config settings, or is there a separate setting that can be used on Windows that allows reuse of existing SSH connections?

[chrmarti]

I wasn't aware of this not being supported on Windows. Thanks for the feedback.

You could try using WSL on Windows:

• Open a WSL Window (after installing the Remote-WSL extension).
• Clone / copy your repository there.
• Reopen in Container.
• Then add the suggested SSH config to the ~/.ssh/config in WSL and retry.

[github-actions]

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!