SSHFS: Super Easy File Access over SSH

Who needs NFS or Samba when you can mount filesystems with SSHFS?
Automating the Connection

As you can see from the above examples, I needed to type my password to complete the SSH connection to the remote system. This can be eliminated by creating a trust relationship between the local and remote user accounts. This is not appropriate in all situations, because it essentially makes the accounts equivalent from a security perspective. Any malicious activity on one account can spread to other systems via the trust, so take caution and fully understand the implications of setting up trust relationships. To begin setting this up, you need to create an SSH key pair, which consists of private and public key files named id_rsa and id_rsa.pub, respectively.

The public key is copied to the remote system and placed in the $HOME/.ssh/authorized_keys file. Some systems may use the filename authorized_keys2 in addition to or instead of authorized_keys.

This allows any user in possession of the private key to authenticate without a password. We create the key pair using the command ssh-keygen. The files are placed in the proper locations automatically on the local system in the $HOME/.ssh directory. Because we already have my remote home directory mounted, appending the public key to the authorized_keys file is extra easy. Below are all the steps required (assuming you created the equivalent of the randombox_home directory and mounted it):


$ cd $HOME
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa): <ENTER>
Enter passphrase (empty for no passphrase):  <ENTER>
Enter same passphrase again:  <ENTER>
Your identification has been saved in /home/matt/.ssh/id_rsa.
Your public key has been saved in /home/matt/.ssh/id_rsa.pub.
The key fingerprint is:
fa:e7:7c:e1:cb:7b:66:8b:67:07:05:99:7f:05:b9:4a matt@myworkstation
$ mkdir randombox_home/.ssh
$ chmod 700 randombox_home/.ssh
$ cat .ssh/id_rsa.pub >> randombox_home/.ssh/authorized_keys
$ chmod 600 randombox_home/.ssh/authorized_keys

In the above example, we create the key pair with an empty passphrase, then append the public key to the authorized_keys file in the remote home directory and set the permissions. After this is done, I no longer need to type the password when connecting to the remote account. To test this, first we unmount the remote home directory with the following command:

$ fusermount -u randombox_home

To test the trust relationship, we can try to run the uptime command on the remote system:

$ ssh matt@my.randombox.com uptime
12:20:40  up 38 days,  4:12,  0 users,  load average: 0.11, 0.04, 0.01

Good, no password needed. The trust relationship is working properly. If you have trouble getting this trust relationship to work, check the permissions on the files in .ssh on both systems. Many times lax permissions prevent SSH from using key files. Also, take a look at the syslog log files. OpenSSH's sshd server logs messages into syslog, which often are helpful in diagnosing key file problems. You may have to increase the logging verbosity level in the sshd_config file, usually found in /etc/ssh/.

You also can debug the connection by running ssh in the above example with the -vvv option to turn up verbosity. Now, let's mount the remote directory again. This time it does not prompt for my password:

$ cd $HOME
$ mkdir randombox_home
$ sshfs  matt@my.randombox.com:  randombox_home
$ ls -l randombox_home/
-rw-r-----  1 matt users     7286 Feb 11 10:33 sshfs.article.main.txt
drwx------  1 matt users     2048 Mar 21  2001 projects
drwx------  1 matt users     2048 Dec  1  2000 Mail
drwxr-xr-x  1 matt users     4096 Jun  8  2002 public_html
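
The permission check recommended in the troubleshooting advice above, as an added example that is not part of the original article: it audits a .ssh directory for the lax modes that make sshd (with StrictModes) or the ssh client ignore key files. It assumes Linux with GNU stat; the function names and the sample directory are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article). Assumes Linux with GNU stat.

# bits_set FILE MASK: succeed if FILE's mode has any permission bit in octal MASK
bits_set() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# audit_ssh_dir DIR: print one line per finding; return 1 if anything was found
audit_ssh_dir() {
    dir=$1 rc=0
    # sshd with StrictModes ignores authorized_keys when the home directory,
    # .ssh or the file itself is writable by group or other (modes only;
    # ownership is not checked here)
    for f in "$(dirname "$dir")" "$dir" "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -e "$f" ] || continue
        if bits_set "$f" 022; then echo "group/other-writable: $f"; rc=1; fi
    done
    # the ssh client refuses a private key that group or other can access at all
    for pub in "$dir"/*.pub; do
        key=${pub%.pub}
        [ -f "$key" ] || continue
        if bits_set "$key" 077; then echo "private key too open: $key"; rc=1; fi
    done
    return "$rc"
}

# make_sample: build a constructed home directory with deliberately lax modes
make_sample() {
    home=$(mktemp -d) || return 1
    mkdir "$home/.ssh"
    : > "$home/.ssh/id_rsa"; : > "$home/.ssh/id_rsa.pub"
    : > "$home/.ssh/authorized_keys"
    chmod 775 "$home/.ssh"                  # group-writable directory
    chmod 644 "$home/.ssh/id_rsa"           # world-readable private key
    chmod 600 "$home/.ssh/authorized_keys"  # correct, as in the article
    echo "$home"
}

sample=$(make_sample)
audit_ssh_dir "$sample/.ssh" || echo "fix with: chmod 700 .ssh; chmod 600 .ssh/id_rsa"
chmod 700 "$sample/.ssh"; chmod 600 "$sample/.ssh/id_rsa"
audit_ssh_dir "$sample/.ssh" && echo "clean after chmod 700/600"
rm -rf "$sample"
```

Run it against $HOME/.ssh locally and, with the share mounted, against randombox_home/.ssh to cover both ends of the trust relationship.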

Integrating with the GNOME Desktop

In the last example, we configured and automated non-interactive mounting of a remote directory. Because we're no longer being prompted for a password, we can integrate SSHFS mounting into scripts, or better yet the GNOME desktop. To configure GNOME to mount our remote home directory automatically, we configure the SSHFS mount command as a session startup program. This is done from inside the Sessions preferences dialog. Navigate to Desktop→Preferences→More Preferences→Sessions→Add, and fill in the dialog as shown in Figure 1.

Figure 1. Set up a GNOME startup command to mount an SSHFS share.

Upon the next login, GNOME automatically mounts the remote directory for me, as you can see in Figure 2.

Figure 2. GNOME automatically mounts the remote directory.

Note that GNOME does not reliably kill this command upon exiting the session. You can unmount the remote directory manually using the fusermount -u randombox_home command. Another option is to automate the unmount by modifying the $HOME/.Xclients-default file to run the fusermount command as follows:


#!/bin/bash
# (c) 2001 Red Hat, Inc.

WM="gnome-session"
WMPATH="/usr/bin /usr/X11R6/bin /usr/local/bin"

# Kludged to run fusermount upon gnome logout.  20060301-MEH
for p in $WMPATH ; do
     if [ -x "$p/$WM" ]; then
          # Run the session in the foreground; unmount once it exits.
          "$p/$WM"
          fusermount -u "$HOME/randombox_home"
          exit 0
     fi
done

exit 1

Be aware that the .Xclients-default file is rewritten every time you run the switchdesk utility. You have to modify this file every time you use the switchdesk utility to change your default desktop windowing manager.

Finally, you can add the appropriate sshfs commands in the boot startup file that is appropriate for your distribution. This way, your system will mount all the SSHFS directories automatically each time you boot your desktop.

______________________

Comments


SSHFS and Apache

Anonymous's picture

What about using sshfs to mount /var/www from a remote filesystem?

I keep getting a very generic 'Permission Denied' error when trying to chown /var/www (even as root) and under Apache I receive a 403 Forbidden error - again, very generic.

WARNING

Anonymous's picture

This is not secure!!!!

SSH keys with empty passphrases are useless - in fact they are worse than useless, they are a liability. You might as well store your passwords to the remote system in plain text in a file called "README_all_passwords.txt"

mount fatfs using fusermount command

Anonymous's picture

Dear all,
How can I mount a fat fs using fusermount... which uses a fusefat...
thanks in advance,
jomel

one caveat

Anonymous's picture

This is great for users without root access on the storage server. But operations will be performed as the logged in user. I'm guessing that if you logged in as root, it might support automatically chown'ing.. but a) that requires trusted root login (which opens up security issues that even NFS doesn't) and b) uid mapping may become an issue like it is with any network storage.

The only thing better is sshfs+autofs

Thomas Jansson's picture

Instead of having gnome mount the sshfs share upon startup one can use autofs instead. This is even easier. Whenever I wish to access a remote filesystem I just enter the path /mnt/sshfs/foobar.com and then the autofs daemon mounts the remote filesystem for me.

I've written a small article on how to set up autofs and sshfs on my blog: http://www.tjansson.dk/?p=84 called "Autofs and sshfs - the perfect couple" if anybody is interested. :)

Password without security weakness

Super Mike's picture

Instead of an empty passphrase, is there an smbpasswd-like way where I can generate the user/pass combo in an encrypted file and use that?

Or, what if I edited the C code with a hard-coded user/pass combo and compiled with that?

Great Think

WarDragon's picture

Yes, unlike nfs, this is what we want, easy to use and secure. Great

Thank you!

Shannon Coen's picture

This was just the solution I was looking for!

Very curious about FUSE now (GmailFS? cool!).

Thanks again,
Shannon Coen

sshfs article

meltedmossy's picture

I don't know if anyone else had this problem, but to get it to work I had to do a chmod root:fuse on /dev/fuse.

Before I did that, logged in as tim (me) it gave me a denied error... had to use sudo and then it didn't work as only root was able to see the directory and use it properly. Kind of pointless if someone doesn't have sudo access!
