
Using SSHFS to Share Folders Among Your VPS

howardsl2

New Member
Hello guys, here is my tutorial for setting up "SSHFS" to create shared folder(s) among your VPS. We will be using "autossh" which has the nice "automatic reconnect" capability whenever the link goes down. Also implemented are settings such as "chroot" and "key use restrictions" which will strengthen security. These instructions have been tested on both Ubuntu 12.04 LTS and CentOS 6.5 Server. However, use at your own risk. Note that if you want to use this tutorial on an OpenVZ VPS, your provider MUST enable "FUSE" for your container.

First, you need to decide on a "master" server where your shared folder will be physically stored. Your other "slave" server(s) will connect to this master server via SSHFS to share that folder's content. For the purpose of this tutorial, the folder to be shared on master server is named "/opt/sshfs_export", while each slave server will create a folder named "/opt/sshfs" to hold the shared content.

All commands below run as user "root" unless otherwise noted. Alternatively you can use "sudo".

The first step is to install the necessary software packages. Follow separate instructions below for Ubuntu and CentOS:

For Ubuntu:   


apt-get update
apt-get install nano fuse sshfs autossh -y

For CentOS:


# Make sure you install the "EPEL" repository first.
# Check "/etc/yum.repos.d/". If already installed, skip this step.
yum install wget -y
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

# Next, proceed to install the needed packages:
yum check-update
yum install nano fuse fuse-sshfs autossh -y

The instructions below are applicable for BOTH Ubuntu and CentOS.

Create "fuse.conf", set correct permissions and allow all users to access shared folder:   


[ -f /etc/fuse.conf ] && cp /etc/fuse.conf /etc/fuse.conf.old
echo "user_allow_other" > /etc/fuse.conf
chown root:fuse /etc/fuse.conf
chmod 640 /etc/fuse.conf

Add user "autossh" and ensure it's a member of the "fuse" group:


useradd -m -s /bin/false -G fuse autossh

Prepare shared folder on "slave" server(s):


mkdir /opt/sshfs
chown autossh:autossh /opt/sshfs

Now we switch to user "autossh" and generate SSH key to be used for authentication:  


su - autossh -s /bin/bash
# Accept the defaults to generate SSH key for "autossh". Leave passphrase empty.
ssh-keygen
exit

Now, repeat steps above on ALL your other servers ("master" AND "slave") until they are all set up.

Next, log on to each of your "slave" servers, and do:


cat /home/autossh/.ssh/id_rsa.pub

Copy and paste the entire contents of the public key file displayed by the command above into a text editor. You should get one line for each "slave" server, beginning with "ssh-rsa" and ending with "autossh@YOUR_HOSTNAME".

Now, in your text editor, prefix every line with this (without the quotes):   


"no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty  "

This will strengthen security so that only SFTP is permitted. If you need to allow port forwarding, replace "no-port-forwarding" with something like "permitopen="127.0.0.1:8888"", where 8888 is the port to be allowed.
 

Go back to your "master" server. Edit the file:


mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh
cd /home/autossh/.ssh
touch authorized_keys; chmod 600 authorized_keys
nano authorized_keys

Paste the entire contents of your text editor at the end of the file, Ctrl-O and Enter to save, Ctrl-X to exit nano.

Prepare the folder to be shared on "master" server:


mkdir /opt/sshfs_export
chown root:root /opt/sshfs_export
cd /opt/sshfs_export
mkdir test_dir
touch test_dir/test_file
chown -hR autossh:autossh *

Edit your sshd_config in nano editor (on "master" server ONLY):   


nano /etc/ssh/sshd_config

Make sure the settings below are correct in the sshd_config file. In addition, if there is any "AllowUsers" line present in sshd_config, be sure to add "autossh" to it. If not, there is nothing to worry about:


RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
UsePAM yes
ClientAliveInterval 15
ClientAliveCountMax 6
Subsystem  sftp  internal-sftp

Finally, add these lines at the end of sshd_config, Ctrl-O and Enter to save, Ctrl-X to exit nano:


TCPKeepAlive yes

Match User autossh
       ChrootDirectory /opt/sshfs_export
       ForceCommand internal-sftp
       X11Forwarding no
       AllowAgentForwarding no
       AllowTcpForwarding no

If you need to allow port forwarding, replace the last line above with these two lines, where 8888 is the port to be allowed:


       AllowTcpForwarding yes
       PermitOpen 127.0.0.1:8888

Reload the configuration of "sshd" on "master" server with:


# If Ubuntu:
service ssh reload  
# If CentOS:
service sshd reload

Now you are almost done! Go ahead and log in to each "slave" server and connect to the "master" server using the command below. This is a one-line command. Be sure to replace MASTER_SERVER_IP and MASTER_SERVER_SSH_PORT with the appropriate values:


su - autossh -s /bin/bash -c "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null,ssh_command='autossh -M 0' autossh@MASTER_SERVER_IP:/ /opt/sshfs -p MASTER_SERVER_SSH_PORT"

You can then test the shared folder on each "slave" server. Enter the command below and you should now see the "test_dir" and "test_file" we created on the "master" server.


ls -lR /opt/sshfs

Note that the "slave" servers cannot create files at the root of shared folder (e.g. /opt/sshfs). This is "by design" and must be done on the "master" server. However, the "slave" servers have full control of everything below that level. If you add content to the shared folder /opt/sshfs_export on "master" server, don't forget to change their ownership so that the "slave" servers can write to them.

For example:


chown -hR autossh:autossh /opt/sshfs_export/*

To unmount the shared folder from each "slave" server, run the command:


# First try the "normal" unmount command:
/bin/fusermount -u /opt/sshfs
# If above is unsuccessful, try doing a "forced" unmount. Data loss may occur.
/bin/fusermount -uz /opt/sshfs

Any questions or suggestions are welcome. Feel free to leave a comment.
 
Last edited by a moderator:
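
The mount command in the tutorial above sets StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null, so a slave never verifies which machine it is talking to. The following is an added example, not part of the original post: a wrapper that uses the same mount options with StrictHostKeyChecking=yes and refuses to mount until the master's host key is pinned. The function names and the known_hosts file argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: mount the share only when the
# master's host key is already pinned in a known_hosts file.

# known_hosts names a non-default port as "[host]:port", port 22 as "host".
known_hosts_name() {   # host port
    if [ "$2" = "22" ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# Return 0 if the file has an entry for host:port.
# Assumption: entries are unhashed, as ssh-keyscan writes them without -H.
host_is_pinned() {   # host port known_hosts_file
    name=$(known_hosts_name "$1" "$2")
    [ -r "$3" ] && awk -v want="$name" '
        /^[#@]/ || NF < 3 { next }
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == want) found = 1 }
        END { exit !found }' "$3"
}

# The tutorial's mount options, with host key checking switched on.
sshfs_opts() {   # known_hosts_file
    printf '%s,%s,%s' \
        "reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks" \
        "allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3" \
        "StrictHostKeyChecking=yes,UserKnownHostsFile=$1,ssh_command=autossh -M 0"
}

# Run as user "autossh" on a slave; refuses to mount an unpinned master.
mount_share() {   # host port known_hosts_file
    if ! host_is_pinned "$1" "$2" "$3"; then
        echo "refusing to mount: no host key for $1 port $2 in $3" >&2
        return 1
    fi
    /usr/bin/sshfs -o "$(sshfs_opts "$3")" "autossh@$1:/" /opt/sshfs -p "$2"
}

# Usage: sh mount_share.sh MASTER_SERVER_IP MASTER_SERVER_SSH_PORT KNOWN_HOSTS_FILE
if [ "$#" -eq 3 ]; then mount_share "$1" "$2" "$3"; fi
```

To pin the key, append the output of `ssh-keyscan -p MASTER_SERVER_SSH_PORT MASTER_SERVER_IP` to the known_hosts file, then compare its `ssh-keygen -lf` fingerprint with the one `ssh-keygen -lf` prints for the host key file on the master itself.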

drmike

100% Tier-1 Gogent
Thanks for this.

Long time SSHFS user and fan of autossh... This is more comprehensive than my notes/recipe.  So bound to improve my setups and experiences!
 

howardsl2

New Member
CORRECTION: In the tutorial above, please replace the entire section:

------------------------------------------------------------------------------------------------

Go back to your "master" server. Edit the file:


mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh
cd /home/autossh/.ssh
touch authorized_keys; chmod 600 authorized_keys
nano authorized_keys
------------------------------------------------------------------------------------------------

with the corrected text as shown below. (I forgot to change ownership of the "authorized_keys" file).

------------------------------------------------------------------------------------------------

Go back to your "master" server. Run commands:


mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh
cd /home/autossh/.ssh
touch authorized_keys; chmod 600 authorized_keys
chown autossh:autossh authorized_keys
nano authorized_keys

------------------------------------------------------------------------------------------------

The latest version of this tutorial (and others) is also available at my tech blog.  

Please browse to: https://blog.ls20.com
 
Last edited by a moderator:
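
An added example, not part of the original posts: a script that checks copies of the master's authorized_keys and sshd_config for the key restrictions and the "Match User autossh" settings that the tutorial and the correction above set up. The function names and the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit copies of the master's
# authorized_keys and sshd_config against the restrictions described above.

# Key options from the tutorial, lower-cased (option names are case-insensitive).
REQUIRED_OPTS="no-port-forwarding no-agent-forwarding no-x11-forwarding no-user-rc no-pty"

# Print each key line that lacks a required option; return 1 if any do.
# Assumption: option values contain no spaces (true for the tutorial's).
audit_authorized_keys() {   # authorized_keys_file
    awk -v req="$REQUIRED_OPTS" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            # Field 1 holds the options unless the line starts with a key type.
            opts = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? "," : ("," tolower($1) ",")
            n = split(req, want, " "); missing = ""
            for (i = 1; i <= n; i++) {
                # permitopen= is the alternative the tutorial documents.
                if (want[i] == "no-port-forwarding" && opts ~ /,permitopen=/) continue
                if (index(opts, "," want[i] ",") == 0) missing = missing " " want[i]
            }
            if (missing != "") { print "line " NR " missing:" missing; bad = 1 }
        }
        END { exit bad + 0 }' "$1"
}

# Print what the "Match User NAME" block lacks; return 1 if anything is missing.
audit_match_block() {   # sshd_config_file user
    awk -v user="$2" '
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == user); next }
        inblk && NF >= 2 { seen[tolower($1)] = tolower($2) }
        END {
            if (!("chrootdirectory" in seen)) { print "ChrootDirectory not set"; bad = 1 }
            if (seen["forcecommand"] != "internal-sftp") { print "ForceCommand is not internal-sftp"; bad = 1 }
            if (seen["x11forwarding"] != "no") { print "X11Forwarding is not no"; bad = 1 }
            if (seen["allowagentforwarding"] != "no") { print "AllowAgentForwarding is not no"; bad = 1 }
            if (seen["allowtcpforwarding"] != "no" && !("permitopen" in seen)) { print "forwarding is unrestricted"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Usage: sh audit.sh AUTHORIZED_KEYS_COPY SSHD_CONFIG_COPY
if [ "$#" -eq 2 ]; then audit_authorized_keys "$1"; audit_match_block "$2" autossh; fi
```

sshd also refuses the chroot unless /opt/sshfs_export and every directory above it are owned by root and not writable by group or others, which is why the tutorial leaves the top of the share as root:root.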