IntelliJ IDEA 2024.3 Help

Security model

When your work includes accessing remote servers you want to be sure that the connection between your local machine and the backend is secured and any data going back and forth is well encrypted.

The remote development security model lets you control almost all the security aspects of your work.

There are IDE components running both on the server-side and on the client-side. Any information loaded by the backend may be forwarded to the client without further user interaction, and any information provided to the client may be forwarded to the server-side process without further user interaction as well.

Connection security

The communication between JetBrains Client and the IDE backend is end-to-end encrypted with the 1.3 TLS even if performed in a secure SSH tunnel. JetBrains uses TLS 1.3 and on top of that, the SSH security connection is used.

Since in Remote Development there is no trust hierarchy from root certificates, the additional manual check is performed to ensure that there is no man-in-the-middle attack.

The regular connection link looks as follows:

tcp://0.0.0.0:5990#jt=71b0a870-e082-4e6b-aaf6-757398801cd2&p=IU&fp=17DC5CAB759FD8BB4298AF1116EA7D5E1F1D3C4D520CFC99748DBD0A88840B36&cb=223.2951&jb=17.0.4b535.2
  • Upon the connection, a client checks that the fingerprint of a host certificate is exactly fp. It verifies for the client that the host is correct (not hijacked by a third-party)

  • Upon the connection, a host checks that the client provides a one-time connection token jt. It denies connection for anyone on this port who does not know this token.

It is safe to transfer any authentication information via this connection or pass this connection data via public space. It is done the same way for Code With Me as well.

Collecting logs and statistics

JetBrains collects statistics and logs with your permissions. By default, data sharing is disabled in all release versions and enabled in the Preview and Early Access Program (EAP) versions of IntelliJ IDEA.

Configure data sharing

Select the Send usage statistics checkbox to allow JetBrains to collect anonymous statistics on the features and actions that you use when working with IntelliJ IDEA.

Data Sharing dialog

Select the Send usage statistics when using EAP versions checkbox to allow JetBrains to collect statistics on the features and actions that you use when working with IntelliJ IDEA.

Data Sharing dialog in the EAP version

For more information about the collection and usage of this data, refer to data sharing settings.

Collect logs

When JetBrains asks you to collect and send logs, it also warns you that the logs might contain the sensitive data.

  1. In the main menu, go to Help | Collect Logs and Diagnostic Data.

  2. In the dialog that opens, click Show in Finder if you agree to send the data to JetBrains.

    the Sensitive Data dialog

For the full information on JetBrains privacy policy, refer to JetBrains website.

Opening arbitrary links

The IDE can require opening a browser for various features. Keep in mind that there is no browser on the server side. In this case, the request is redirected to JetBrains Client.

Before opening any arbitrary links on the client machine, JetBrains displays a confirmation dialog.

Confirmation dialog

Copy and paste actions

The Copy / Paste action sends the content of the clipboard only before the actual paste and allows the backend to change the clipboard only during the actual copying.

SSH forwarding settings

The SSH forwarding settings let you use SSH key forwarding to authenticate access to Git repositories from your remote server. Alternatively, you can use the SSH-agent helper to achieve the same result.

Access SSH forwarding settings

  1. Press Ctrl+Alt+S to open settings and then select Tools | SSH Forwarding.

  2. From the options on the right, select Enable SSH agent Forwarding and click OK to save the changes.

    SSH Agent Forwarding

Port forwarding

You can access a port on the remote server by forwarding it to a local machine. It might be helpful for debugging purposes or bypassing a firewall.

Forward a remote port through the Run tool window

  1. Start a remote session and open your project.

  2. Run the application.

    In the Run tool window, the application displays listening ports.

    Application is listening on ports
  3. Click a port you want to forward and from the list of options, select Forward Port.

    Forward port

    If you want to open the browser after forwarding, select Forward Port and open in browser.

    As a result, the remote port is forwarded to the local machine.

  4. Click the created port, to check the result in the browser.

    Port forwarding result

    The forwarded port is also added to the backend control center.

    Backend control center

Manage port forwarding through the backend control center

You can add, delete, or edit ports through the backend control center.

Add a port

  1. Open your remote project.

  2. On the main toolbar, click the name of the backend to open the backend control center window.

  3. In the window that opens, on the Ports tab, click Add new to add the new port.

    You can use Remove port to delete a port. It will be also removed from the forwardedPorts.xml file on the restart of the project.

  4. In the suggested field, type the port number and click Apply to save the changes.

    Adding the new port
  5. The added port is saved in the forwardedPorts.xml file.

    Restart your project to see the added port inside the forwardedPorts.xml file.

    Forwared ports

Remove a port

  1. Open your remote project.

  2. On the main toolbar, click the name of the backend to open the backend control center window.

  3. In the window that opens, on the Ports tab, select a port you want to remove and click Remove port.

    The port will be also removed from the forwardedPorts.xml file on the restart of the project.

Change a port

  1. In the window that opens, on the Ports tab, click Add new to add the new port.

  2. In the suggested field, type the port number and before you click Apply to save the changes, change the port number by clicking the port address field.

    Change port

You should note the following:

  • If you stop forwarding the port, and the port is not used in other open projects, it is removed from the forwardedPorts.xml file.

  • When you close your application, the port forwarding stops. When the project is reopened, the ports are loaded from the forwardedPorts.xml file (per project), forwarded, and displayed in the necessary locations.

Disable port forwarding

For security reasons, you can disable port forwarding settings for a specific user or for the whole system.

The changes should be made on the host IDE side.

For the user-specific settings, create a text file in the following directory:

/Users/UserName/Library/Application Support/JetBrains/portForwarding/enabled

For the system-wide settings, create a text file in the following directory:

/Library/Application Support/JetBrains/portForwarding/enabled

For the user-specific settings, create a text file in the following directory:

$HOME/.config/JetBrains/portForwarding/enabled

For the system-wide settings, create a text file in the following directory:

/etc/xdg/JetBrains/portForwarding/enabled

For the user-specific settings, use the following registry key:

HKEY_CURRENT_USER

For system-wide settings, use the following registry key:

HKEY_LOCAL_MACHINE

In the SOFTWARE\JetBrains\portForwarding directory create a key enabled with value of this setting.

Disable port forwarding for a user or the whole system

For the security purpose, you can disable port forwarding (porForwarding) for a specific user or for the whole system entirely using the OsRegistryConfigProvider OS registry. The location of the registry depends on your OS.

For the user-specific settings, create a text file in the following directory:

/Users/UserName/Library/Application Support/JetBrains/portForwarding/enabled

For the system-wide settings, create a text file in the following directory:

/Library/Application Support/JetBrains/portForwarding/enabled

For the user-specific settings, create a text file in the following directory:

$HOME/.config/JetBrains/portForwarding/enabled

For the system-wide settings, create a text file in the following directory:

/etc/xdg/JetBrains/portForwarding/enabled

For the user-specific settings, use the following registry key:

HKEY_CURRENT_USER

For system-wide settings, use the following registry key:

HKEY_LOCAL_MACHINE

In the SOFTWARE\JetBrains\portForwarding directory create a key enabled with value of this setting.

If the key is absent, the setting is considered true by default.

Reverse port forwarding

You can configure reverse port forwarding to initiate a connection from a remote machine to a local one. This is useful, for example, if you are developing an application on a mobile device or working on a remotely located application that requires access to the database on your local machine.

There are some potential security risks that you need to consider and mitigate when using reverse port forwarding:

Unauthorized access

Ensure that you only use reverse port forwarding with servers or individuals you fully trust.

Data exposure

Ensure that when you forward sensitive data, it is encrypted.

Malware

Ensure that security tools on your machine are regularly updated.

Configure reverse port forwarding

  1. Open your remote project.

  2. Open the backend control center.

  3. In the window that opens, click the Ports tab, then click Add new to add a new port and select Local to Remote.

    Reverse port forwarding
  4. In the port's field, add the port number you need and click Apply.

    Backend Control Center
  5. In the dialog that appears, ensure that you trust the remote server requesting the port forwarding and click Allow.

    Port Forwarding

Change the download location of JetBrains Client

You can redefine where to store the JetBrains Client's folder and files after the download.

For the user-specific settings, create a text file in the following directory:

/Users/UserName/Library/Application Support/JetBrains/JetBrainsClient/downloadDestination

The content of the file is path/to/directory.

For the system-wide settings, create a text file in the following directory:

/Library/Application Support/JetBrains/JetBrainsClient/downloadDestination

The content of the file is path/to/directory.

For the user-specific settings, create a text file in the following directory:

$HOME/.config/JetBrains/JetBrainsClient/downloadDestination

The content of the file is path/to/directory.

For the system-wide settings, create a text file in the following directory:

/etc/xdg/JetBrains/JetBrainsClient/downloadDestination with content path/to/directory

The content of the file is path/to/directory.

For the user-specific settings, use the HKEY_CURRENT_USER registry.

For the system-wide settings, use the HKEY_LOCAL_MACHINE registry.

In SOFTWARE\\JetBrains\\JetBrainsClient create a key downloadDestination with the value containing path/to/directory.

Last modified: 12 August 2024