Security model
When your work includes accessing remote servers you want to be sure that the connection between your local machine and the backend is secured and any data going back and forth is well encrypted.
The remote development security model lets you control almost all the security aspects of your work.
There are IDE components running both on the server-side and on the client-side. Any information loaded by the backend may be forwarded to the client without further user interaction, and any information provided to the client may be forwarded to the server-side process without further user interaction as well.
Connection security
The communication between JetBrains Client and the IDE backend is end-to-end encrypted with the 1.3 TLS even if performed in a secure SSH tunnel. JetBrains uses TLS 1.3 and on top of that, the SSH security connection is used.
Since in Remote Development there is no trust hierarchy from root certificates, the additional manual check is performed to ensure that there is no man-in-the-middle attack.
The regular connection link looks as follows:
Upon the connection, a client checks that the fingerprint of a host certificate is exactly
fp
. It verifies for the client that the host is correct (not hijacked by a third-party)Upon the connection, a host checks that the client provides a one-time connection token
jt
. It denies connection for anyone on this port who does not know this token.
It is safe to transfer any authentication information via this connection or pass this connection data via public space. It is done the same way for Code With Me as well.
Collecting logs and statistics
JetBrains collects statistics and logs with your permissions. By default, data sharing is disabled in all release versions and enabled in the Preview and Early Access Program (EAP) versions of IntelliJ IDEA.
Configure data sharing
Select the Send usage statistics checkbox to allow JetBrains to collect anonymous statistics on the features and actions that you use when working with IntelliJ IDEA.
Select the Send usage statistics when using EAP versions checkbox to allow JetBrains to collect statistics on the features and actions that you use when working with IntelliJ IDEA.
For more information about the collection and usage of this data, refer to data sharing settings.
Collect logs
When JetBrains asks you to collect and send logs, it also warns you that the logs might contain the sensitive data.
In the main menu, go to
.In the dialog that opens, click Show in Finder if you agree to send the data to JetBrains.
For the full information on JetBrains privacy policy, refer to JetBrains website.
Opening arbitrary links
The IDE can require opening a browser for various features. Keep in mind that there is no browser on the server side. In this case, the request is redirected to JetBrains Client.
Before opening any arbitrary links on the client machine, JetBrains displays a confirmation dialog.
Copy and paste actions
The Copy / Paste action sends the content of the clipboard only before the actual paste and allows the backend to change the clipboard only during the actual copying.
SSH forwarding settings
The SSH forwarding settings let you use SSH key forwarding to authenticate access to Git repositories from your remote server. Alternatively, you can use the SSH-agent helper to achieve the same result.
Access SSH forwarding settings
Press Ctrl+Alt+S to open settings and then select
.From the options on the right, select Enable SSH agent Forwarding and click OK to save the changes.
Port forwarding
You can access a port on the remote server by forwarding it to a local machine. It might be helpful for debugging purposes or bypassing a firewall.
Forward a remote port through the Run tool window
Start a remote session and open your project.
Run the application.
In the Run tool window, the application displays listening ports.
Click a port you want to forward and from the list of options, select Forward Port.
If you want to open the browser after forwarding, select Forward Port and open in browser.
As a result, the remote port is forwarded to the local machine.
Click the created port to check the result in the browser.
The forwarded port is also added to the backend control center.
Manage port forwarding through the backend control center
You can add, delete, or edit ports through the backend control center.
Add a port
Open your remote project.
On the main toolbar, click the name of the backend to open the backend control center window.
In the window that opens, on the Ports tab, click to add the new port.
You can use to delete a port. It will be also removed from the
forwardedPorts.xml
file on the restart of the project.In the suggested field, type the port number and click Apply to save the changes.
The added port is saved in the
forwardedPorts.xml
file.Restart your project to see the added port inside the
forwardedPorts.xml
file.
Remove a port
Open your remote project.
On the main toolbar, click the name of the backend to open the backend control center window.
In the window that opens, on the Ports tab, select a port you want to remove and click .
The port will be also removed from the
forwardedPorts.xml
file on the restart of the project.
Change a port
In the window that opens, on the Ports tab, click to add the new port.
In the suggested field, type the port number and before you click Apply to save the changes, change the port number by clicking the port address field.
You should note the following:
If you stop forwarding the port, and the port is not used in other open projects, it is removed from the
forwardedPorts.xml
file.When you close your application, the port forwarding stops. When the project is reopened, the ports are loaded from the
forwardedPorts.xml
file (per project), forwarded, and displayed in the necessary locations.
Disable port forwarding
For security reasons, you can disable port forwarding settings for a specific user or for the whole system.
The changes should be made on the host IDE side.
For the user-specific settings, create a text file in the following directory:
For the system-wide settings, create a text file in the following directory:
For the user-specific settings, create a text file in the following directory:
For the system-wide settings, create a text file in the following directory:
For the user-specific settings, use the following registry key:
For system-wide settings, use the following registry key:
In the SOFTWARE\JetBrains\portForwarding
directory create a key enabled with value of this setting.
Disable port forwarding for a user or the whole system
For the security purpose, you can disable port forwarding (porForwarding
) for a specific user or for the whole system entirely using the OsRegistryConfigProvider
OS registry. The location of the registry depends on your OS.
For the user-specific settings, create a text file in the following directory:
For the system-wide settings, create a text file in the following directory:
For the user-specific settings, create a text file in the following directory:
For the system-wide settings, create a text file in the following directory:
For the user-specific settings, use the following registry key:
For system-wide settings, use the following registry key:
In the SOFTWARE\JetBrains\portForwarding
directory create a key enabled with value of this setting.
If the key is absent, the setting is considered true by default.
Reverse port forwarding
You can configure reverse port forwarding to initiate a connection from a remote machine to a local one. This is useful, for example, if you are developing an application on a mobile device or working on a remotely located application that requires access to the database on your local machine.
There are some potential security risks that you need to consider and mitigate when using reverse port forwarding:
- Unauthorized access
Ensure that you only use reverse port forwarding with servers or individuals you fully trust.
- Data exposure
Ensure that when you forward sensitive data, it is encrypted.
- Malware
Ensure that security tools on your machine are regularly updated.
Configure reverse port forwarding
Open your remote project.
Open the backend control center.
In the window that opens, click the Ports tab, then click to add a new port and select Local to Remote.
In the port's field, add the port number you need and click Apply.
In the dialog that appears, ensure that you trust the remote server requesting the port forwarding and click Allow.
Change the download location of JetBrains Client
You can redefine where to store the JetBrains Client's folder and files after the download.
For the user-specific settings, create a text file in the following directory:
The content of the file is path/to/directory
.
For the system-wide settings, create a text file in the following directory:
The content of the file is path/to/directory
.
For the user-specific settings, create a text file in the following directory:
The content of the file is path/to/directory
.
For the system-wide settings, create a text file in the following directory:
The content of the file is path/to/directory
.
For the user-specific settings, use the HKEY_CURRENT_USER
registry.
For the system-wide settings, use the HKEY_LOCAL_MACHINE
registry.
In SOFTWARE\\JetBrains\\JetBrainsClient
create a key downloadDestination
with the value containing path/to/directory
.