Re: fuse-sshfs and Automounter

Re: fuse-sshfs and Automounter

Joachim Zach
Hello,

I have set up automounting with sshfs in our LAN. It is not using amd
but the Linux kernel autofs. I don't know whether this makes a
difference.

This is my setup:

The /etc/auto.master file has an entry

/auto   /etc/auto.misc  --timeout=150 --ghost

For some reason I don't understand, the --ghost option is essential.
If it is left out, the automounter immediately tries to remount the
sshfs-link and thereby screws up the entire automounter.

In /etc/auto.misc I have an entry

myhost            -fstype=sshfs,allow_other sshfsuser@myhost:

sshfsuser is a user who has a private key on the local host, and its
public key is known at "myhost" for the same user and grants
passwordless access via ssh. I did not use root for sshfsuser, because I
did not want to have passwordless root login throughout the LAN. This
generates some sort of host-based authentication. It may be possible to
extend this to user-based authentication by creating entries of the form

user@myhost            -fstype=sshfs user@myhost:

Of course passwordless authentication has to be set up for the user.
root, who runs the automounter, needs to know the private key of the
user, which is not very nice.

I have also used wildcard entries successfully:

*           -fstype=sshfs,allow_other sshfsuser@&:

The keys for sshfsuser of course need to be set up correctly for all
hosts involved.

To do the actual mount, I created a small executable script
/sbin/mount.sshfs:

#!/bin/bash
# Pass all arguments through unchanged; discard stdout and stderr.
sshfs "$@" &> /dev/null

The redirection of all output to /dev/null or some logfile is important.
Otherwise the script does not return properly and the mount command,
which called the script, goes zombie and blocks the automounter.

This has all been tested for only half a day, so there may be some
problems left. Try it at your own risk.

Joachim

P.S.: If this is of some interest, I am running Debian sarge with some
2.6.10 kernel from http://puga.vdu.lt. All other packages involved are
directly from Debian. Also the fuse module was built using Debian's
module-assistant package. It just took a few seconds without any
problems. The ssh servers I connected to were on several kinds of
Linux like Debian sarge, woody and also some old Caldera Linux with a
2.2.?? kernel.


--
Dr. Joachim Zach Englerstr. 28 Tel: +49 6221 89467-12
CEOS GmbH D-69126 Heidelberg Fax: +49 6221 89467-29
                        Germany



Re: Re: fuse-sshfs and Automounter

Joachim Zach-2
Hello Petr,

I have tested a user-based setup for the automounter, using your
suggestion with the IdentityFile option, which seems to work.

The automounter map entry now looks as follows:

*               -fstype=sshfs,allow_other,default_permissions &:/home

It should mount the home directory on some host. Of course also specific
entries instead of the wildcard are possible. The mount has to be called
by an access to /auto/user@myhost.

> The problem is that "/sbin/mount.sshfs" is run by root within root
> environment ...
>
> It has no way (it has, but tricky) to decide what private key to use ...
>
>
> BUT you (maybe) can use "IdentityFile" from ssh_options
>
>
> this should work on commandline
>
> sshfs user@myhost: /mnt/net -o IdentityFile=/home/user/.ssh/identity
>
>
> format for automount is your part of investigation :-)
>
>
I have used this idea by modifying /sbin/mount.sshfs as follows:

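#!/bin/bash
# Take the user part of user@host from the first argument, if there is one.
name=$(echo "$1" | grep -q '@' && echo "$1" | cut -f1 -d@)
if [ -n "$name" ]
    # Mount with that user's private key; discard all output in both cases.
    then sshfs "$@" -o IdentityFile="/home/$name/.ssh/id_rsa" &> /dev/null
    else sshfs "$@" &> /dev/null
fi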

There may be some security problem, because any user can enable the
mount using another user's key. However, permission checking seems to
work. The "wrong" user has the same privileges as he would have on an
NFS mount. At least one of the big drawbacks of NFS is avoided here: If
someone plugs his notebook into a LAN and pretends to be someone
else, he can get access to NFS exports, but does not get access here,
because he doesn't have the key.

If a mount is requested without a username, mounting is attempted as
root, which will normally fail, because the root key should not allow
passwordless login. The mount program itself can anyway be used in this
case from the command line by typing the proper password.

Joachim

--
Dr. Joachim Zach Englerstr. 28 Tel: +49 6221 89467-12
CEOS GmbH D-69126 Heidelberg Fax: +49 6221 89467-29
                        Germany
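
An added example, not part of Joachim's posts: a variant of the /sbin/mount.sshfs helper above that checks the user name taken from the map key before it is placed in the IdentityFile path, since the helper runs as root. The account-name pattern, the /home/<user>/.ssh/id_rsa layout and the SSHFS override variable are assumptions.

```sh
#!/bin/sh
# Added example: hardened variant of the thread's /sbin/mount.sshfs helper.
# Assumptions (not from the posts): lower-case account names, keys under
# /home/<user>/.ssh/id_rsa, and an SSHFS variable to swap the binary in tests.

# Print the user part of "user@host:path"; print nothing if there is no '@'.
ssh_user_of() {
    case "$1" in
        *@*) printf '%s\n' "${1%%@*}" ;;
    esac
}

# Accept only names safe inside a path: no '/', '.', spaces or leading '-'.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
}

# Print the IdentityFile option for the spec's user, nothing for a spec without
# a user, and fail with status 2 when the user part is not a valid name.
identity_opt() {
    case "$1" in *@*) ;; *) return 0 ;; esac
    user=$(ssh_user_of "$1")
    valid_user "$user" || return 2
    printf 'IdentityFile=/home/%s/.ssh/id_rsa\n' "$user"
}

# Quote "$@" so arguments arrive intact, and discard all output so the helper
# returns cleanly to mount, as the first message requires.
mount_sshfs() {
    case "$1" in -*) return 2 ;; esac
    opt=$(identity_opt "$1") || return 2
    if [ -n "$opt" ]; then
        ${SSHFS:-sshfs} "$@" -o "$opt" >/dev/null 2>&1
    else
        ${SSHFS:-sshfs} "$@" >/dev/null 2>&1
    fi
}

# Constructed sample specs, in the form mount passes as the first argument.
for spec in 'alice@myhost:/home' 'myhost:' '../x@myhost:'; do
    if opt=$(identity_opt "$spec"); then
        echo "$spec -> ${opt:-no IdentityFile}"
    else
        echo "$spec -> rejected"
    fi
done
```

To use it as the mount helper, replace the sample loop at the end with mount_sshfs "$@".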


