Changing User on Remote Machine

[psychofisch]

My problem: On my remote host I have my personal user and users that can only edit specific projects. Only my personal user is configured to be accessible directly with SSH. Usually, when I have to work on source code directly on the machine, I connect via SSH, change my user to the project user and edit the code with VIM. It seems that this workflow is currently not possible with this extension.
Is it possible to change the user after connecting? So I can connect with my personal account, switch user to the one I want (which has no SSH keys but has the permissions to edit certain files) and open the files as that user.

[leiysky]

Same problem.

I've tried to configure RemoteCommand to run su user, but it doesn't work.

[psychofisch]

Any new info on this?

[xiandong79]

Any new info on this?

[Blamo27]

Any new info on this?

[leiysky]

Any new info on this?

[howardlau1999]

Any new info on this?

[chenxu2048]

Any new info on this?

[GHLoeng]

Any new info on this?

[Blamo27]

@roblourens Any new info on this ?

[CavKratos]

I also get this issue. I notice that Windows Remote Desktop won't remember me when I tick the box, maybe it's related?

[facelezzzz]

i can only via ec2-user to ssh aws ec2 .then i need to change user to root for remaining work.but vs code just can not refresh current work folder to user root.please add this function in the future.
infinity ths!

[meermanr]

If RemoteCommand doesn't help, you could try using a remote-side command in ~/.ssh/authorized_keys. You need a dedicated key pair for this to work.

1. On your local machine, create a new SSH identity (key pair) with ssh-keygen -f ~/.ssh/id_vscode
   • This creates two files, the private key which should never leave your local machine id_vscode, and a public key id_vscode.pub which is installed on remote systems
2. On the remote machine, add a line to ~/.ssh/authorized_key which begins (inc. quotes!) command="$SSH_ORIGINAL_COMMAND"
3. and finish the line by pasting your public key, ensuring there is at least one space between the prefix and the key proper
4. Test it on local by running ssh -i ~/.ssh/id_vscode -tt user@hostname bash
   • It should give you a completely ordinary shell
   • If you have a complex ~/.ssh/config on your local, try excluding it and ssh-agent, e.g. env -u SSH_AUTH_SOCK ssh -tt -F /dev/null -i ~/.ssh/id_vscode user@hostname bash

All good? Now go change the command="$SSH_ORIGINAL_COMMAND" to do whatever you need when logging in. For example, command="su -c '$SSH_ORIGINAL_COMMAND' otheruser" or command="sudo -u otheruser $SSH_ORIGINAL_COMMAND"

[JakeRLevy]

If RemoteCommand doesn't help, you could try using a remote-side command in ~/.ssh/authorized_keys. You need a dedicated key pair for this to work.

1. On your local machine, create a new SSH identity (key pair) with ssh-keygen -f ~/.ssh/id_vscode

   • This creates two files, the private key which should never leave your local machine id_vscode, and a public key id_vscode.pub which is installed on remote systems

2. On the remote machine, add a line to ~/.ssh/authorized_key which begins (inc. quotes!) command="$SSH_ORIGINAL_COMMAND"

3. and finish the line by pasting your public key, ensuring there is at least one space between the prefix and the key proper

4. Test it on local by running ssh -i ~/.ssh/id_vscode -tt user@hostname bash

   • It should give you a completely ordinary shell
   • If you have a complex ~/.ssh/config on your local, try excluding it and ssh-agent, e.g. env -u SSH_AUTH_SOCK ssh -tt -F /dev/null -i ~/.ssh/id_vscode user@hostname bash

All good? Now go change the command="$SSH_ORIGINAL_COMMAND" to do whatever you need when logging in. For example, command="su -c '$SSH_ORIGINAL_COMMAND' otheruser" or command="sudo -u otheruser $SSH_ORIGINAL_COMMAND"

I tried this and unfortunately does not work. An error is thrown during login citing the need to run su from a terminal.

[hfisaquiel]

Has once solution, a bit curious.

Performed on Centos7 server, with user on the sudoers list. BE CAREFULL, this will ALWAYS redirect you to the another user.

Create or edit the file .bashrc on your server current user folder and add the following at the end of file

sudo su - <another_user_name>

Save the file and reload VSCode window.

[omniproc]

Create or edit the file .bashrc on your server current user folder and add the following at the end of file

sudo su - <another_user_name>

Save the file and reload VSCode window.

Doesn't work for me. VSCode will just hang in the connecting state if I try to do this. Tested on RHEL 7.

[omniproc]

I wonder if this gets the attention it needs. Currently, this is a showstopper. It makes the ssh-remote plugin UI integration useless if one is using security best practise and seperates the application execution user - with limited permissions - from the actual ssh users.

[arashilmg]

I do this as a workaround to run vscode as root but not ssh as root:
https://gist.github.com/arashilmg/d0e52c03338ecd043122bd698a9c9826

After login via vscode-remote-ssh for the first time (vscode-server will gets installed), run these in the integrated terminal:

ctrl + `

make node run as root

sed -i "/node/s/^/sudo /" ~/.vscode-server/bin/*/server.sh

Restart remote vscode

pkill -f vscode

[Hanaasagi]

@arashilmg It works for me.

[mmahacek]

None of these are working for me to connect to Cent7.
I can do the tests in #690 (comment) but it still runs as the limited user, and doesn't switch to the user I set in the command=""

[ijesonchen]

@arashilmg Thank you, it works.
This actually start vscode server with sudo (add sudo when start vscode-server in server.sh) but not configurable.
If the extention support change the user or sudo cmd will be perfect.

I do this as a workaround to run vscode as root but not ssh as root:
https://gist.github.com/arashilmg/d0e52c03338ecd043122bd698a9c9826

After login via vscode-remote-ssh for the first time (vscode-server will gets installed), run these in the integrated terminal:

ctrl + `

make node run as root

sed -i "/node/s/^/sudo /" ~/.vscode-server/bin/*/server.sh

Restart remote vscode

pkill -f vscode

[ThaDaVos]

Any updates on this?

We're using a special user in combination with our deployer.php setup - and we cannot SSH into the server as this deploy user - only as a generic one

[maliknajjar]

@eleanorjboyd I tried it. but it does not work. I think that you should tell it to listen and prompt to the user when a value like a password is needed (for the RemoteCommand). it will ask you for password for the first ssh connection but it will not work with the su - command which is executed by the RemoteCommand.

[eleanorjboyd]

Hello! This looks to be the same issue in this issue. Please reference this issue for tips on how you might get around this and this is where any updates will be given on the ongoing issue.

[NicolasGoeddel]

Hello! This looks to be the same issue in this issue. Please reference this issue for tips on how you might get around this and this is where any updates will be given on the ongoing issue.

No, it has nothing to do with #1688. In #1688 people want to be able to create and modify files if the remote user has sudo privileges. In this ticket we want to change the user completely after ssh-ing into a remote.

[ecoop3r]

I do this as a workaround to run vscode as root but not ssh as root: https://gist.github.com/arashilmg/d0e52c03338ecd043122bd698a9c9826

After login via vscode-remote-ssh for the first time (vscode-server will gets installed), run these in the integrated terminal:

ctrl + `

make node run as root

sed -i "/node/s/^/sudo /" ~/.vscode-server/bin/*/server.sh

Restart remote vscode

pkill -f vscode

I had to go one step further and apply it to code-server file:

so in theory should just
do above and
sed -i "/node/s/^/sudo /" ~/.vscode-server/bin/*/bin/code-server.sh

[maliknajjar]

@ecoop3r that works .. but for example we dont even have a sudo group for security reasons
your solution wont work for me

[maliknajjar]

my solution was to permit ssh connection to root only from the local machine in the sshd config file .. so I connect as a normal user and then ssh to the root and use sshpass package in the ssh config file command property to set the password in the same ssh command

[1-off]

Something that should be so easy because ssh is around forever, cannot be figured out by Microsoft?

[pavitsu]

Any update on this?

For security reason, I can only switch user with sudo -i -u <username> without full access sudo command

[maliknajjar]

no, They didn't do anything yet
@pavitsu

[519seven]

Will this work if su - <user> requires a password? I've quadruple-checked my settings and have read over this thread a few times (so, sorry if I missed this part).

settings.json contains:

    "remote.SSH.useLocalServer": true,
    "remote.SSH.enableRemoteCommand": true,

My .ssh/config file contains:

Host myhost
    HostName myhost.example.local
    Port 250
    User myuser
    ForwardX11 yes
    ForwardX11Trusted yes
    RemoteCommand su - elevuser
    RequestTTY yes

I do see a password prompt in VS Code terminal but it's non-interactive and I receive no prompt for a password where I can type it in. After 10 seconds or so, the terminal says "su: Authentication failure" and I end up with:

[14:47:35.587] You have RemoteCommand in your SSH Config for this remote which could be the cause for this crash. Try reconnecting with enableRemoteCommand set to false.

Thanks!

[eleanorjboyd]

@roblourens regarding the question above. Thanks!

[maliknajjar]

hi @eleanorjboyd .. how are you?
is it technically hard to implement this feature?

[lundybox]

My problem: Resolver error: Error: Connecting with SSH timed out

I've used #690 (comment) instructions for 1 year+ (thank you @sewan-aprodhomme!!). I received a Windows update and Remote-SSH with sudo su - elevated_user RemoteCommand began to throw Resolver error: Error: Connecting with SSH timed out. If I change "remote.SSH.useLocalServer": true to false I'm able to connect although end up connected as the non-elevated user. I've noticed only one thing in the VSCode Output which is OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3 (previously was an earlier version--maybe 8.5--don't remember--but it was older). Below is my environment and the output which ends with the timeout.

My Environment:

Local Machine Microsoft Windows 11 Enterprise (Version 10.0.22621 Build 22621)
VSCode Version: 1.80.1
Remote-SSH version: v0.102.0 (preview)
Remote Server CentOS Linux" VERSION="7 (Core)"

Any suggestions for a fix or how I might troubleshoot? Thank you!

[lundybox]

Hi @eleanorjboyd & @roblourens, related to the previous post, would either of you be able/willing to post a few comments about how one might troubleshoot Remote-ssh with local server enabled and a RemoteCommand to switch user?

[danielfleischer]

This seems to work, Version: 1.81.1.

Host myhost
    HostName myhost.example.local
    Port 250
    User original
    RemoteCommand sudo -i -u dan
    RequestTTY yes

With "remote.SSH.useLocalServer": true,"remote.SSH.enableRemoteCommand": true.

[khalidx]

I added a solution to this problem here! It is clean, doesn't require an extension, and just works.

#1688 (comment)

[davidlukac-wisi]

This seems to work, Version: 1.81.1.

Host myhost
    HostName myhost.example.local
    Port 250
    User original
    RemoteCommand sudo -i -u dan
    RequestTTY yes

With "remote.SSH.useLocalServer": true,"remote.SSH.enableRemoteCommand": true.

plus the target host has to be removed from remote.SSH.remotePlatform list

[deonchia]

This seems to work, Version: 1.81.1.

Host myhost
    HostName myhost.example.local
    Port 250
    User original
    RemoteCommand sudo -i -u dan
    RequestTTY yes

With "remote.SSH.useLocalServer": true,"remote.SSH.enableRemoteCommand": true.

plus the target host has to be removed from remote.SSH.remotePlatform list

Additionally, I had to remove the target host entries from settings.json as well.

[chgreer]

Echoing @519seven, I also cannot get this to work where sudo su - <nonrootuser> requires a password.

~\.ssh\config:

Host <shortcut>
  HostName <myhost>
  User <myuser>
  ForwardX11 yes
  ForwardX11Trusted yes
  RequestTTY yes
  IdentityFile <myuserkey>
  RemoteCommand sudo su - <elevuser>

settings.json remote.SSH.* entries:

    "remote.SSH.useLocalServer": true,
    "remote.SSH.enableRemoteCommand": true,
    "remote.SSH.showLoginTerminal": true,

Results:

OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018
debug1: Server host key: <KEYSNIPPED>
Authenticated to <HOSTSNIP> ([<IPSNIP>]:22).
stderr> sudo: no tty present and no askpass program specified
Transferred: sent 3536, received 2912 bytes, in 0.6 seconds
Bytes per second: sent 5652.4, received 4654.9
local-server-2> ssh child died, shutting down

Variations tried:

1. Using a terminal ssh connection and the same ssh config file, I'm prompted for my sudo password, provide it, and I'm logged in as an elevated user.

2. If sudo su - <elevuser> is replaced with su - <elevuser> as the RemoteCommand, I see a password prompt that times out as others (e.g. @519seven) have reported. This wouldn't work for us anyway as sudo is required, but still confirms what's happening.

3. Replacing RemoteCommand with echo <password> | sudo su - <elevuser> results in the same no tty file. This also fails on terminal connection.

4. Replacing the RemoteCommand with a sudo command that doesn't require a password on my account per the sudoers file, but isn't a login command (e.g.: /bin/cat /tmp/testfile.txt where testfile.txt is owned by root) changes the login output in VSCode to look like:

OpenSSH_7.9p1, OpenSSL 1.1.1a  20 Nov 2018
debug1: Server host key: <KEYSNIPPED>
Authenticated to <HOSTSNIP> ([<IPSNIP>]:22).
<CONTENTS OF THE TEST FILE>
Transferred: sent 3552, received 2880 bytes, in 0.7 seconds
Bytes per second: sent 5258.7, received 4263.8
local-server-1> ssh child died, shutting down

It seems like this just fails if a password is required unless I have somehow missed something here. RemoteCommands that aren't prompted for a password will work.

[danielfleischer]

But did you try sudo -i -u <elevuser> ?

[Frier03]

Hello!

Putting sudo su - <user> in .bashrc works for me, and prompts me to enter a password. Though how do I open the file explorer within the new user that I have switched to?

[chgreer]

Hi @danielfleischer ,

But did you try sudo -i -u <elevuser> ?

Yes, I did. Same result as sudo su - <elevuser>: stderr> sudo: no tty present and no askpass program specified

Does your user 'dan' in your example on Aug 28 require a password to assume the elevated role? I can't use sudo passwordless, and I suspect that's the hitch on my end. Pretty sure that if I could set the command passwordless, it would work. Unfortunately, that's not in the cards for me security-wise.

[patrick-csliu]

Experiencing a similar problem. After connecting to EC2, added a new user "steam", but can't access the home folder. Terminal shows chdir(2) failed.: Permission denied when trying to navigate to /home/steam in VSCode. Configuration and user creation details in code snippet below:

# .ssh/config
Host ec2-***.ap-east-1.compute.amazonaws.com
  HostName ec2-***.ap-east-1.compute.amazonaws.com
  IdentityFile C:\...\aws-key.pem
  User ubuntu

sudo useradd -m steam
sudo apt install steamcmd
sudo -u steam -s
cd ~
/usr/games/steamcmd +login anonymous +app_update 2394010 validate +quit

After adding a new user, installing and running the application, a Steam folder is generated in /home/steam. Despite the smooth process in the SSH terminal, the issue arises when attempting to explore the /home/steam directory in VSCode—nothing is visible. Subsequently, upon opening the terminal with Ctrl+`, a chdir(2) failed.: Permission denied error pops up.

Additionally, I believe the remote Windows setup should incorporate these functions. Another issue exists regarding the following:

1. Ability to save as root.
2. A simple method to install a command that can easily utilize the code command.