How do I specify the key file for sshfs?
I looked at the sshfs --help and there's nothing mentioning a key file. I have multiple pub/priv key pairs (for different servers) on my computer and I want to specify which key to use. How would I do this?

  usage: sshfs [user@]host:[dir] mountpoint [options]

  general options:
  -o opt,[opt...]        mount options
  -h   --help            print help
  -V   --version         print version

  SSHFS options:
  -p PORT                equivalent to '-o port=PORT'
  -C                     equivalent to '-o compression=yes'
  -F ssh_configfile      specifies alternative ssh configuration file
  -1                     equivalent to '-o ssh_protocol=1'
  -o reconnect           reconnect to server
  -o delay_connect       delay connection to server
  -o sshfs_sync          synchronous writes
  -o no_readahead        synchronous reads (no speculative readahead)
  -o sshfs_debug         print some debugging information
  -o cache=BOOL          enable caching {yes,no} (default: yes)
  -o cache_timeout=N     sets timeout for caches in seconds (default: 20)
  -o cache_X_timeout=N   sets timeout for {stat,dir,link} cache
  -o workaround=LIST     colon separated list of workarounds
      none             no workarounds enabled
      all              all workarounds enabled
      [no]rename       fix renaming to existing file (default: off)
      [no]nodelaysrv   set nodelay tcp flag in sshd (default: off)
      [no]truncate     fix truncate for old servers (default: off)
      [no]buflimit     fix buffer fillup bug in server (default: on)
  -o idmap=TYPE          user/group ID mapping, possible types are:
      none             no translation of the ID space (default)
      user             only translate UID of connecting user
  -o ssh_command=CMD     execute CMD instead of 'ssh'
  -o ssh_protocol=N      ssh protocol to use (default: 2)
  -o sftp_server=SERV    path to sftp server or subsystem (default: sftp)
  -o directport=PORT     directly connect to PORT bypassing ssh
  -o transform_symlinks  transform absolute symlinks to relative
  -o follow_symlinks     follow symlinks on the server
  -o no_check_root       don't check for existence of 'dir' on server
  -o password_stdin      read password from stdin (only for pam_mount!)
  -o SSHOPT=VAL          ssh options (see man ssh_config)

  FUSE options:
  -d   -o debug          enable debug output (implies -f)
  -f                     foreground operation
  -s                     disable multi-threaded operation

  -o allow_other         allow access to other users
  -o allow_root          allow access to root
  -o nonempty            allow mounts over non-empty file/dir
  -o default_permissions enable permission checking by kernel
  -o fsname=NAME         set filesystem name
  -o subtype=NAME        set filesystem type
  -o large_read          issue large read requests (2.4 only)
  -o max_read=N          set maximum size of read requests

  -o hard_remove         immediate removal (don't hide files)
  -o use_ino             let filesystem set inode numbers
  -o readdir_ino         try to fill in d_ino in readdir
  -o direct_io           use direct I/O
  -o kernel_cache        cache files in kernel
  -o [no]auto_cache      enable caching based on modification times (off)
  -o umask=M             set file permissions (octal)
  -o uid=N               set file owner
  -o gid=N               set file group
  -o entry_timeout=T     cache timeout for names (1.0s)
  -o negative_timeout=T  cache timeout for deleted names (0.0s)
  -o attr_timeout=T      cache timeout for attributes (1.0s)
  -o ac_attr_timeout=T   auto cache timeout for attributes (attr_timeout)
  -o intr                allow requests to be interrupted
  -o intr_signal=NUM     signal to send on interrupt (10)
  -o modules=M1[:M2...]  names of modules to push onto filesystem stack

  -o max_write=N         set maximum size of write requests
  -o max_readahead=N     set maximum readahead
  -o async_read          perform reads asynchronously (default)
  -o sync_read           perform reads synchronously
  -o atomic_o_trunc      enable atomic open+truncate support
  -o big_writes          enable larger than 4kB writes
  -o no_remote_lock      disable remote file locking

  Module options:

  [subdir]
  -o subdir=DIR           prepend this directory to all paths (mandatory)
  -o [no]rellinks         transform absolute symlinks to relative

  [iconv]
  -o from_code=CHARSET   original encoding of file names (default: UTF-8)
  -o to_code=CHARSET      new encoding of the file names (default: UTF-8)
Kurland answered 13/3, 2014 at 23:56 Comment(1)
I'm voting to close this question as off-topic because it's off-topic here and already has a duplicate on U&L - unix.stackexchange.com/questions/61567/sshfs-specify-key – Prophetic
Notice this option:

-o SSHOPT=VAL ssh options (see man ssh_config)

And if you look at man ssh_config, there is an option to set the path to your private key file, called IdentityFile, so you can do this:

sshfs -oIdentityFile=/abs/path/to/id_rsa server: path/to/mnt/point

The path to the identity file must be an absolute path.

Guileless answered 14/3, 2014 at 0:6 Comment(11)
Is there a space between "-o" and "IdentityFile"? – Kurland
I'm not sure why but it still did not work. It continues to ask for a password. How do I find what's causing this? – Kurland
I tested it and it worked for me. Can you ssh without password using the same key file? And when you try to mount, is it asking the remote password, or the passphrase of your key? – Guileless
No, it's still not working! :( I also tried using the same key from my other client computer (which does work) - I copied it over to this one - but for some reason it doesn't work on this computer. I thought you could use the same priv/pub key pair on diff. computers? – Kurland
It keeps asking for the remote password (not the password for the key file). I've now tried this on 3 different computers, and it only works on the first client I set up. No others work. Why would the server only accept the first one? (Even if I use the same priv/pub key as the first one - to do this, I simply create a .ssh directory on the new client computer and copy the id_rsa and id_rsa.pub into that directory - am I doing that wrong?) – Kurland
@DonRhummy you should not copy private keys between computers. To debug this on the other computers, make sure you can login with ssh. If you can login with ssh then the sshfs mount should work too. – Guileless
I only did that for testing purposes to try and narrow down the issue because creating a new priv/pub key pair on the 2nd computer didn't work. Yes, I can login with both ssh and sshfs on all computers but it requires a password on all but the first client. – Kurland
@DonRhummy on the other computers, is it only sshfs that requires a password or ssh too? – Guileless
Both are requiring a password. A simple ssh [email protected] asks for [email protected]'s password: – Kurland
@DonRhummy: I know that you were solving the problem a long time ago but by chance did you not have wrong access rights on the private key file or directory? Did ssh -v (or up to 3 v's) write any relevant information? See for example: https://mcmap.net/q/109410/-ssh-private-key-permissions-using-git-gui-or-ssh-keygen-are-too-open – Burhans
@DonRhummy if you are on mac, you should specify absolute path to your private key file, i.e. use /Users/<username>/.ssh/id_rsa rather than ~/.ssh/id_rsa – Ectoblast

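The two things this thread turned on, the absolute path and the key file permissions, can be checked before sshfs is ever run. The script below is an added example, not code from the answer or from the sshfs project: it expands a leading "~" to an absolute path, refuses a private key whose mode lets group or others read it (ssh ignores such a key and falls back to asking for the remote password, which is the symptom described above), and then prints the sshfs command line with the IdentityFile option rather than executing it. The user, host, remote directory and the temporary stand-in key file are constructed sample values.

```shell
# Added example; the key file and names below are constructed, not real.

# abs_path KEY -> prints KEY with a leading "~" expanded to $HOME and any
# relative path made absolute from the current directory.
abs_path() {
    case "$1" in
        "~"/*) printf '%s\n' "$HOME${1#\~}" ;;
        /*)    printf '%s\n' "$1" ;;
        *)     printf '%s\n' "$PWD/$1" ;;
    esac
}

# key_mode FILE -> prints the octal permission bits of FILE
# (GNU and BSD stat take different flags, so try both).
key_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"        # GNU coreutils
    else
        stat -f '%Lp' "$1"       # BSD / macOS
    fi
}

# check_key KEY -> 0 if KEY exists and only its owner has any access to it,
# 1 otherwise (ssh silently skips a key with group/other bits set).
check_key() {
    key=$(abs_path "$1")
    [ -f "$key" ] || { echo "key file not found: $key" >&2; return 1; }
    mode=$(key_mode "$key")
    tail=${mode#"${mode%??}"}    # last two octal digits: group and other bits
    if [ "$tail" != "00" ]; then
        echo "refusing: $key has mode $mode; run chmod 600 on it" >&2
        return 1
    fi
    return 0
}

# sshfs_cmd KEY USER HOST REMOTEDIR MOUNTPOINT -> prints (does not run) the
# sshfs command line, with IdentityFile given as an absolute path.
sshfs_cmd() {
    check_key "$1" || return 1
    key=$(abs_path "$1")
    printf 'sshfs -o IdentityFile=%s %s@%s:%s %s\n' "$key" "$2" "$3" "$4" "$5"
}

# Demo with a constructed stand-in key file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/id_demo"
    chmod 644 "$tmp/id_demo"     # too loose: ssh would ignore this key
    if sshfs_cmd "$tmp/id_demo" alice homeserver /home "$tmp/mnt"; then
        echo "unexpected: loose key accepted" >&2
    fi
    chmod 600 "$tmp/id_demo"     # fixed
    sshfs_cmd "$tmp/id_demo" alice homeserver /home "$tmp/mnt"
    rm -rf "$tmp"
}
demo
```

Running it prints one "refusing" line for the 644 key and then the complete sshfs command for the 600 key; paste that command, or run it with sudo, once it matches what you expect.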
In principle it works like this (as root, or use sudo): sshfs -o default_permissions,nonempty,IdentityFile=/home/USER/.ssh/id_rsa SRVUSER@SERVER:PATH /mnt/mountpoint

Replace USER with the user who is in the authorized_keys file of the server, SERVER with the server name (or IP, like 192.168.0.11), SRVUSER with the user on the server (e.g. root, which is not recommended but possible and sometimes necessary; set up your /etc/ssh/sshd_config on the server correctly for this, i.e. directives PermitRootLogin and PasswordAuthentication). Also substitute /mnt/mountpoint accordingly.

The option -o nonempty allows mounting /mnt/mountpoint when this directory is not empty. I have to use this since I keep the file .unmounted in this directory to see if it is mounted or not, so if test -e /mnt/mountpoint/.unmounted returns successfully (i.e. file .unmounted exists in /mnt/mountpoint), it isn't mounted.

A real example:

  • server name "homeserver"
  • mount /home directory on the server
  • my mountpoint on the local system is /mnt/homeserver
  • user "steve" has the private key

ssh root@homeserver as user steve worked.

sshfs -o default_permissions,nonempty,IdentityFile=/home/steve/.ssh/id_rsa root@homeserver:/home /mnt/homeserver (as root)

This didn't work; I got the error message: read: Connection reset by peer

Solution: Get more verbose output by adding -o debug.

# sshfs -o default_permissions,nonempty,IdentityFile=/home/steve/.ssh/id_rsa,debug root@homeserver:/home /mnt/homeserver
FUSE library version: 2.9.8
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStT0123
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:2
ECDSA host key for homeserver has changed and you have requested strict checking.
Host key verification failed.
read: Connection reset by peer

And suddenly it is a lot easier to fix. Because the sshd keys were re-created since the last session but /root/.ssh/known_hosts on the local system still has the old keys, it doesn't work. The solution, in my case, was simply to remove the line starting with homeserver from /root/.ssh/known_hosts using an editor (like nano). Now mounting with sshfs works. At the first mount the new key must be acknowledged:

# mount /mnt/homeserver
The authenticity of host 'homeserver (192.168.0.11)' can't be established.
ECDSA key fingerprint is SHA256:aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsS/1234.
Are you sure you want to continue connecting (yes/no)? yes

BTW, this is the line in /etc/fstab:

root@homeserver:/home  /mnt/homeserver  fuse.sshfs noauto,nonempty,default_permissions,IdentityFile=/home/steve/.ssh/id_rsa  0 0

So even if it is something else, try -o debug first. It will help tremendously to find the fault.

Rousing answered 8/8, 2019 at 0:38 Comment(0)
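The "REMOTE HOST IDENTIFICATION HAS CHANGED" warning in the debug output means the key stored for the host and the key the server now presents differ. That is expected after sshd keys were regenerated, as in this answer, but it is also exactly what a man-in-the-middle looks like, so the new fingerprint deserves confirmation out of band (for example with ssh-keygen -lf against the server's own /etc/ssh/ssh_host_*_key.pub) before the old line is dropped. The script below is an added example, not part of the answer: it inspects a known_hosts file for every line that names the host, including the "[host]:port" and "@marker" forms the answer does not cover, counts hashed "|1|" lines that cannot be matched by name, and prints the ssh-keygen -R command that removes the stale entry (with a .old backup) instead of editing the file by hand. The known_hosts contents are constructed sample data; the host name and key strings are not real.

```shell
# Added example; the known_hosts lines and key material below are constructed.

# known_hosts_entries FILE HOST -> prints "LINENO KEYTYPE" for every plain
# (unhashed) line in FILE whose host list names HOST. The host list is
# comma-separated and may use [host]:port; lines starting with @cert-authority
# or @revoked carry the host list in field 2 instead of field 1.
known_hosts_entries() {
    awk -v host="$2" '
        NF == 0       { next }                 # blank line
        $1 ~ /^#/     { next }                 # comment
        $1 ~ /^\|1\|/ { next }                 # hashed entry, not matchable by name
        {
            f = ($1 ~ /^@/) ? 2 : 1            # marker lines shift the fields
            n = split($f, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port
                if (name == host) { print NR, $(f + 1); break }
            }
        }' "$1"
}

# known_hosts_hashed FILE -> prints how many hashed (|1|...) lines FILE has
known_hosts_hashed() {
    awk '$1 ~ /^\|1\|/ { c++ } END { print c + 0 }' "$1"
}

# stale_host_advice FILE HOST -> reports what FILE says about HOST and prints
# the ssh-keygen command that removes the stale entry safely (ssh-keygen -R
# handles hashed lines too and leaves FILE.old as a backup).
stale_host_advice() {
    entries=$(known_hosts_entries "$1" "$2")
    hashed=$(known_hosts_hashed "$1")
    if [ -n "$entries" ]; then
        printf '%s\n' "$entries" | while read -r line type; do
            echo "$1:$line holds a $type key for $2"
        done
    else
        echo "no plain-text entry for $2 in $1"
    fi
    if [ "$hashed" -gt 0 ]; then
        echo "$hashed hashed line(s) present; check them with: ssh-keygen -F $2 -f $1"
    fi
    echo "to drop the stale key: ssh-keygen -R $2 -f $1"
}

# Demo on a constructed known_hosts file.
demo() {
    kh=$(mktemp)
    cat > "$kh" <<'EOF'
# constructed sample known_hosts; key strings are placeholders
homeserver,192.168.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLE0000
otherhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1111
[homeserver]:2222 ssh-rsa AAAAB3NzaC1yc2EEXAMPLE2222
|1|saltsaltsaltsaltsaltsaltsalt=|hashhashhashhashhashhashhash= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE3333
EOF
    stale_host_advice "$kh" homeserver
    rm -f "$kh"
}
demo
```

For the answer's own case the file argument would be /root/.ssh/known_hosts; the script only reads it and prints commands, so nothing is removed until you run the ssh-keygen line yourself after checking the fingerprint.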