howardsl2
Hello guys, here is my tutorial for setting up "SSHFS" to create shared folder(s) among your VPS. We will be using "autossh" which has the nice "automatic reconnect" capability whenever the link goes down. Also implemented are settings such as "chroot" and "key use restrictions" which will strengthen security. These instructions have been tested on both Ubuntu 12.04 LTS and CentOS 6.5 Server. However, use at your own risk. Note that if you want to use this tutorial on an OpenVZ VPS, your provider MUST enable "FUSE" for your container.
First, you need to decide on a "master" server where your shared folder will be physically stored. Your other "slave" server(s) will connect to this master server via SSHFS to share that folder's content. For the purpose of this tutorial, the folder to be shared on master server is named "/opt/sshfs_export", while each slave server will create a folder named "/opt/sshfs" to hold the shared content.
All commands below run as user "root" unless otherwise noted. Alternatively you can use "sudo".
The first step is to install the necessary software packages. Follow separate instructions below for Ubuntu and CentOS:
For Ubuntu:
apt-get update
apt-get install nano fuse sshfs autossh -y
For CentOS:
# Make sure you install the "EPEL" repository first.
# Check "/etc/yum.repos.d/". If already installed, skip this step.
yum install wget -y
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm
# Next, proceed to install the needed packages:
yum check-update
yum install nano fuse fuse-sshfs autossh -y
The instructions below are applicable for BOTH Ubuntu and CentOS.
Create "fuse.conf", set its permissions, and enable "user_allow_other". This lets a non-root user (our "autossh" account) mount with the "allow_other" option, which is what makes the shared folder readable by other local users on the "slave" servers:
[ -f /etc/fuse.conf ] && cp /etc/fuse.conf /etc/fuse.conf.old
echo "user_allow_other" > /etc/fuse.conf
chown root:fuse /etc/fuse.conf
chmod 640 /etc/fuse.conf
Add user "autossh" and ensure it's a member of the "fuse" group. The account gets "/bin/false" as shell on purpose: it never needs an interactive login, and the "internal-sftp" subsystem we configure on the "master" later does not invoke the user's shell:
useradd -m -s /bin/false -G fuse autossh
Prepare shared folder on "slave" server(s):
mkdir /opt/sshfs
chown autossh:autossh /opt/sshfs
Now we switch to user "autossh" and generate SSH key to be used for authentication:
su - autossh -s /bin/bash
ssh-keygen
(Accept the defaults to generate the SSH key for "autossh". Leave the passphrase empty: autossh has to reconnect unattended, so the private key is stored unencrypted. It is protected only by the 600 permissions on /home/autossh/.ssh/id_rsa and by the key restrictions and chroot set up below, so do not copy it anywhere else.)
exit
Now, repeat steps above on ALL your other servers ("master" AND "slave") until they are all set up.
Next, log on to each of your "slave" servers and run:
cat /home/autossh/.ssh/id_rsa.pub
Copy and paste the entire contents of the public key file displayed by the command above into a text editor. You should get one line for each "slave" server, beginning with "ssh-rsa" and ending with "autossh@YOUR_HOSTNAME".
Now, in your text editor, prefix every line with this (without the quotes):
"no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty "
These options deny port forwarding, agent forwarding, X11 forwarding, execution of ~/.ssh/rc and pseudo-terminal allocation for that key. Together with the "ForceCommand internal-sftp" we add to sshd_config below, only SFTP is possible with this key, even if it leaks. If you need to allow port forwarding, replace "no-port-forwarding" with something like "permitopen="127.0.0.1:8888"", where 8888 is the port to be allowed; the server-side "AllowTcpForwarding" setting in the sshd_config section must permit it as well.
Go back to your "master" server and append the keys to the "authorized_keys" file of user "autossh":
mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh
cd /home/autossh/.ssh
touch authorized_keys; chmod 600 authorized_keys
# sshd opens authorized_keys with the privileges of the user logging in,
# so the file (and the .ssh directory) must be readable by "autossh":
chown -R autossh:autossh /home/autossh/.ssh
nano authorized_keys
Paste the entire contents of your text editor at the end of the file, Ctrl-O and Enter to save, Ctrl-X to exit nano. The "chown" line is not optional: a file created by root with mode 600 cannot be read by "autossh", and public key login would fail without any error on the client side. Keep the file owned by "autossh" with mode 600 and the directory with mode 700; sshd's "StrictModes" rejects group- or world-writable files and directories.
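The restriction prefix can be applied by a script rather than by hand. The example below is added here and is not part of the original post; it builds the master's authorized_keys from a list of "SOURCE_IP PUBLIC_KEY" lines, adds the tutorial's restriction options, and additionally pins each key to its slave's address with a "from=" clause (a restriction the post does not use). It also refuses lines that already carry options or that do not start with a known key type, so a pasted line cannot smuggle in a "command=" of its own. All IPs and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: build the master's
# authorized_keys from the slaves' public keys. Every key gets the
# tutorial's restriction options plus a from="IP" clause, so sshd only
# accepts it when the connection comes from that slave's address.
# All IPs and key material below are constructed.

RESTRICTIONS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty'

# restrict_key SOURCE_IP "KEYTYPE BASE64 [COMMENT]" [FORWARD_PORT]
# Prints the restricted authorized_keys line. With FORWARD_PORT set,
# no-port-forwarding is replaced by permitopen="127.0.0.1:PORT" as the
# tutorial describes. Returns 1 for anything that is not a bare public
# key line (unknown key type, too few fields, or options already present).
restrict_key() {
    src_ip=$1
    line=$2
    fwd_port=${3:-}
    keytype=${line%% *}
    nfields=$(printf '%s\n' "$line" | awk '{ print NF }')
    [ "$nfields" -ge 2 ] || return 1
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    opts=$RESTRICTIONS
    if [ -n "$fwd_port" ]; then
        opts="permitopen=\"127.0.0.1:$fwd_port\",${RESTRICTIONS#no-port-forwarding,}"
    fi
    printf 'from="%s",%s %s\n' "$src_ip" "$opts" "$line"
}

# build_authorized_keys < list
# Input lines: SOURCE_IP PUBLIC_KEY_LINE. Malformed lines are reported
# on stderr and skipped instead of silently granting access.
build_authorized_keys() {
    while read -r src_ip keyline; do
        [ -n "$src_ip" ] || continue
        if ! restrict_key "$src_ip" "$keyline"; then
            echo "skipping malformed key for $src_ip: $keyline" >&2
        fi
    done
}

# Constructed sample input: two slaves plus one line that already
# carries options and must be rejected.
SAMPLE_KEYS='203.0.113.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0sample0 autossh@slave1
203.0.113.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsample1 autossh@slave2
203.0.113.13 restrict,command="/bin/sh" ssh-rsa AAAA autossh@notakey'

# Usage on the master:
#   printf '%s\n' "$SAMPLE_KEYS" | build_authorized_keys >> /home/autossh/.ssh/authorized_keys
printf '%s\n' "$SAMPLE_KEYS" | build_authorized_keys
```

Run it on the master as root after the "chown" step above, with the real slave addresses in place of the placeholders; the "from=" clause means a stolen key is useless from any other host, which the restriction options alone do not guarantee.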
Prepare the folder to be shared on the "master" server. It becomes the chroot for user "autossh", so the folder itself (and every directory above it, /opt included) must be owned by root and must not be group- or world-writable; only the content below it is handed to "autossh":
mkdir /opt/sshfs_export
chown root:root /opt/sshfs_export
cd /opt/sshfs_export
mkdir test_dir
touch test_dir/test_file
chown -hR autossh:autossh *
Edit your sshd_config in nano editor (on "master" server ONLY):
nano /etc/ssh/sshd_config
Make sure the settings below are present in sshd_config. Your file most likely already contains a "Subsystem sftp /usr/lib/openssh/sftp-server" (Ubuntu) or "Subsystem sftp /usr/libexec/openssh/sftp-server" (CentOS) line: change that line to "internal-sftp" rather than adding a second one, since sshd refuses to start with a duplicate "Subsystem" entry. "RSAAuthentication" only concerns SSH protocol 1 and is harmless if you run protocol 2 only. In addition, if there is any "AllowUsers" (or "AllowGroups") line present, be sure to add "autossh" to it; if not, there is nothing to worry about:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
ClientAliveInterval 15
ClientAliveCountMax 6
Subsystem sftp internal-sftp
Finally, add these lines at the end of sshd_config, Ctrl-O and Enter to save, Ctrl-X to exit nano. The "Match" block has to be the last thing in the file (or be followed only by other "Match" blocks), because every directive after a "Match" line applies only to that match; that is why the global "TCPKeepAlive" goes before it:
TCPKeepAlive yes
Match User autossh
ChrootDirectory /opt/sshfs_export
ForceCommand internal-sftp
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
If you need to allow port forwarding, replace the last line above with these two lines, where 8888 is the port to be allowed:
AllowTcpForwarding yes
PermitOpen 127.0.0.1:8888
Check the syntax first with "sshd -t" (it prints nothing when the file is fine). A configuration error makes sshd fail to re-exec itself on reload: existing sessions survive, but no new logins are possible until you fix the file, so keep your current session open until a fresh login has been verified. Then reload the configuration of "sshd" on the "master" server with:
# If Ubuntu:
service ssh reload
# If CentOS:
service sshd reload
Now you are almost done! Log in to each "slave" server and connect to the "master" server with the one-line command below, replacing MASTER_SERVER_IP and MASTER_SERVER_SSH_PORT with the appropriate values. The remote path "/" is the root of the chroot, i.e. "/opt/sshfs_export" on the master. One caveat: "StrictHostKeyChecking=no" together with "UserKnownHostsFile=/dev/null" switches host key verification off entirely, so the slave will connect to whatever answers at that address and cannot detect a man-in-the-middle. For anything beyond a quick test, first put the master's host key into /home/autossh/.ssh/known_hosts (verify the fingerprint out of band), then use "StrictHostKeyChecking=yes" with that file instead of "/dev/null":
su - autossh -s /bin/bash -c "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null,ssh_command='autossh -M 0' autossh@MASTER_SERVER_IP:/ /opt/sshfs -p MASTER_SERVER_SSH_PORT"
You can then test the shared folder on each "slave" server. Enter the command below and you should see the "test_dir" and "test_file" we created on the "master" server:
ls -lR /opt/sshfs
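A mount wrapper that keeps host key verification on, as an added example that is not part of the original post. It pins the master's host key in a known_hosts file under the "autossh" home, refuses to mount if no entry for that host and port exists, and passes the tutorial's sshfs options with "StrictHostKeyChecking=yes" instead of "no" and the real known_hosts file instead of "/dev/null". The IP, port and paths are placeholders; the known_hosts lines used in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: mount the shared folder
# only after the master's host key has been pinned, instead of
# StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null.
#
# Pin the key once, on the slave, as user autossh (placeholders):
#   ssh-keyscan -p 2222 203.0.113.10 >> /home/autossh/.ssh/known_hosts
# then compare "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" on the master
# with "ssh-keygen -lF '[203.0.113.10]:2222' -f /home/autossh/.ssh/known_hosts"
# on the slave before trusting the entry.

KNOWN_HOSTS=${KNOWN_HOSTS:-/home/autossh/.ssh/known_hosts}
MOUNTPOINT=${MOUNTPOINT:-/opt/sshfs}

# known_hosts_has_host FILE HOST PORT
# ssh and ssh-keyscan record the host as "host" for port 22 and as
# "[host]:port" for any other port; the first field may list several
# names separated by commas. Hashed (|1|...) entries are not handled.
known_hosts_has_host() {
    file=$1; host=$2; port=$3
    [ -r "$file" ] || return 1
    if [ "$port" = 22 ]; then
        want=$host
    else
        want="[$host]:$port"
    fi
    grep -v '^#' "$file" | awk -v want="$want" '
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == want) found = 1 }
        END { exit !found }'
}

# sshfs_options
# The tutorial's option list with host key verification turned on.
sshfs_options() {
    printf '%s' "reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,StrictHostKeyChecking=yes,UserKnownHostsFile=$KNOWN_HOSTS,ssh_command=autossh -M 0"
}

# mount_shared MASTER_IP PORT
# Refuses to mount unless the master's key is pinned; otherwise runs the
# same sshfs command as the tutorial (sshfs splits ssh_command on spaces).
mount_shared() {
    master=$1; port=$2
    if ! known_hosts_has_host "$KNOWN_HOSTS" "$master" "$port"; then
        echo "refusing to mount: no pinned host key for $master port $port in $KNOWN_HOSTS" >&2
        return 1
    fi
    /usr/bin/sshfs -p "$port" -o "$(sshfs_options)" "autossh@$master:/" "$MOUNTPOINT"
}

# Usage on a slave (placeholders):
#   su - autossh -s /bin/bash -c "sh /home/autossh/mount_shared.sh mount 203.0.113.10 2222"
if [ "${1:-}" = mount ]; then
    mount_shared "$2" "$3"
fi
```

With this in place, a changed or unknown host key makes ssh abort the connection and sshfs fail to mount, which is the behaviour you want: a silent reconnect to an impostor would hand it the slaves' files and let it feed them arbitrary content.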
Note that the "slave" servers cannot create files directly at the root of the shared folder (e.g. /opt/sshfs). This is by design: that directory is the chroot, which sshd requires to be owned by root and writable by nobody else, so new top-level entries must be created on the "master" server. The "slave" servers have full control of everything below that level. If you add content to /opt/sshfs_export on the "master" server, don't forget to change its ownership so that the "slave" servers can write to it.
For example:
chown -hR autossh:autossh /opt/sshfs_export/*
To unmount the shared folder from each "slave" server, run the command:
# First try the "normal" unmount command:
/bin/fusermount -u /opt/sshfs
# If the above fails (typically "Device or resource busy"), do a lazy unmount: the mount point is detached at once and the filesystem is torn down when the last open file is closed, so writes still in flight may be lost.
/bin/fusermount -uz /opt/sshfs
Any questions or suggestions are welcome. Feel free to leave a comment.