Auto-mounting of remote folder with SSHFS without giving shell access?

1

1

I have built two VMs inside Proxmox, let's call them A and B, and both of them are running Ubuntu 20.04.

For A, it has a 2 TB SSD passed to it which it mounts on boot. I would like system B to mount a folder in A (located at /mnt/SSD/folderB) automatically when B boots. To do so, I have added a user, remoteB, on system A without granting shell access, and I jailed its SFTP access within folderB. On doing so, I could SFTP to system A using the user "remoteB" on any other systems.

By installing SSHFS on system B, I was able to mount the drive on system B with the configurations above (I followed this tutorial: https://linuxize.com/post/how-to-use-sshfs-to-mount-remote-directories-over-ssh/).

Then, I wanted to auto-mount folderB on system B as it boots. From the tutorial, I need to set up "SSH key-based authentication" between system A and system B. It seems I need to grant shell access to a user in order for the above to work. Did I misunderstand something?

Is it possible to do so without granting remoteB shell access on systemA?

Melissamelisse answered 18/8, 2020 at 4:21 Comment(2)
Auto-mounting through fstab happens before any user is logged in. So I'm assuming the key-based authentication should be set up between A and the root user of B. I've never done this before, but this only seems logical. Also this way any user but root won't have shell access to A. - Fray
Also sshfs fstab mount options include your basic ssh_config options. So you can point to an identity file manually without having to expose that to any random user in B. - Fray
2

Key-based authentication means that you use public/private key files instead of passwords so that SSH can authenticate the user without waiting for you to enter a password during boot. If you haven't done it yet, start with man ssh-keygen. Copy the public key to A in /home/user/.ssh/authorized_keys and the private key to B.

You need a valid user on A in any case (whether authenticating with password or public key).

If you are only using SSH for tunnels and file transfers, you don't need to give this user shell access. You can achieve this simply by configuring /bin/nologin as the user's shell in /etc/passwd (e.g. usermod -s /bin/nologin user). Note that without a shell, you will also need ForceCommand internal-sftp in A's sshd_config. See here for more info.

To specify the private key on B, you can use the IdentityFile ssh option, either in the mount options or in .ssh/config. Note that the mounting during boot is done by root.

Alternatively, you can also use autofs which will automount your remote filesystem when it's accessed and not during boot. Keep in mind that mounting network shares during boot is problematic because (a) the network might be down or (b) the networking stack might not be started yet. This could cause your system to fail to boot. See here for more info on autofs.

Mourant answered 18/8, 2020 at 5:8 Comment(1)
Thanks, I have created the user with /bin/nologin, but then I was stuck when trying to do "ssh-copy-id remote_username@server_ip_address", where it threw an error "This service allows sftp connections only." I then tried to do this manually. With the account remoteB on system A, I had its home set to /mnt/SSD/folderB. On system B, with an account named localC, I created the public key file, and I tried to make a copy of it in system A at /mnt/SSD/folderB/.ssh/authorized_keys. When I tried to log in from systemB with "ssh csns@systemA-IP", it still asks for PW, while I expect it wouldn't. - Melissamelisse
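
A preflight check for the server-side prerequisites the answer above lists (ForceCommand internal-sftp for the account and an authorized_keys file under its home), as an added example that is not part of the original posts. The user remoteB and home /mnt/SSD/folderB come from the question; the function names are hypothetical, and the permission rule reflects sshd's default StrictModes behaviour.

```shell
#!/bin/sh
# Added example, not from the original posts. Run as root on system A.
# Assumed: user remoteB, home /mnt/SSD/folderB, config /etc/ssh/sshd_config.

# Succeeds if a "Match User" block naming <user> contains
# "ForceCommand internal-sftp". Simplification: plain comma-separated
# user names only, no wildcard patterns or other Match criteria.
has_forced_sftp() {  # $1 = sshd_config path, $2 = user
    awk -v user="$2" '
        { sub(/#.*/, ""); key = tolower($1) }
        key == "match" {
            inblock = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) inblock = 1
            }
            next
        }
        inblock && key == "forcecommand" && $2 == "internal-sftp" { found = 1 }
        END { exit !found }
    ' "$1"
}

# sshd's StrictModes (default: yes) refuses an authorized_keys file when the
# home directory, ~/.ssh or the file itself is writable by group or others.
not_group_other_writable() {  # $1 = path
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Succeeds if <home>/.ssh/authorized_keys is non-empty and passes the mode
# check above. Ownership (must be the user or root) is not checked here.
keys_usable() {  # $1 = home directory of the SFTP-only user
    [ -s "$1/.ssh/authorized_keys" ] || { echo "no keys in $1/.ssh" >&2; return 1; }
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        not_group_other_writable "$p" || { echo "too permissive: $p" >&2; return 1; }
    done
}
```

Source the file and run `has_forced_sftp /etc/ssh/sshd_config remoteB && keys_usable /mnt/SSD/folderB`; a non-zero exit status means one of the prerequisites is not met.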
