Using SSHFS to Share Folders between Your Servers

In this tutorial I will guide you through the steps to set up SSHFS for sharing folder(s) among your servers. We will use autossh which has the nice "automatic reconnect" capability. Also included are settings such as "chroot" and "SSH key restrictions" which will strengthen security.

SSHFS Logo

These instructions have been fully tested on Ubuntu 14.04/12.04, Debian 8/7 and CentOS 6 servers. However, use at your own risk. Note for OpenVZ VPS users ONLY: You must ask your VPS provider to enable FUSE.

First, you need to decide on a "master" server where your shared folder will be physically stored. Your other "slave" server(s) will connect to it via SSHFS to share that folder's content. For the purpose of this tutorial, the folder to be shared on the master server is located at /opt/sshfs_export, while each slave server will hold its content in /opt/sshfs.

All commands below should be run as "root", unless otherwise noted. Alternatively you may use "sudo".

The first step is to install the necessary software packages.

For Ubuntu/Debian:

apt-get update  
apt-get install nano fuse sshfs autossh  

For CentOS/RHEL:

# Enable the EPEL repository  
yum install epel-release  
yum install nano fuse fuse-sshfs autossh  

The instructions below are for both Ubuntu/Debian and CentOS/RHEL.

Create fuse.conf, set correct owner and permissions:

[ -f /etc/fuse.conf ] && cp /etc/fuse.conf /etc/fuse.conf.old  
echo "user_allow_other" > /etc/fuse.conf  
chown root:fuse /etc/fuse.conf  
chmod 640 /etc/fuse.conf  

Note: Any logged in user on your server(s) will have full access to the mounted SSHFS folder. This is because we added user_allow_other to fuse.conf, and specified allow_other in the SSHFS command below.

Add user autossh and ensure it's a member of the fuse group:

useradd -m -s /bin/false -G fuse autossh  

Prepare the folder which will hold shared content:

mkdir /opt/sshfs  
chown autossh:autossh /opt/sshfs  

Switch to user autossh and create an SSH key pair for authentication:

su - autossh -s /bin/bash  
ssh-keygen  # Accept the defaults, leave passphrase empty.  
exit  

Now, repeat ALL steps above on your other "master" AND "slave" servers until they are fully set up.

Next, log on to each "slave" server, and do:

cat /home/autossh/.ssh/id_rsa.pub  

Copy the above command's output and paste into your favorite editor. You should get one line for each "slave" server, beginning with ssh-rsa and ending with autossh@YOUR_HOSTNAME.

In the editor, prefix every line with this (without the quotes):

"no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty  "  

This will strengthen security so that only SFTP is permitted. If you need to allow port forwarding, replace the no-port-forwarding to something like permitopen="127.0.0.1:8888", where 8888 is the port to be allowed.

Go back to your "master" server. Run commands:

mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh  
cd /home/autossh/.ssh  
touch authorized_keys; chmod 600 authorized_keys  
chown autossh:autossh authorized_keys  
nano -w authorized_keys  

Copy and paste the entire contents of your favorite editor into nano, Ctrl-O and Enter to save, Ctrl-X to exit.

Prepare the folder to be shared on "master" server:

mkdir /opt/sshfs_export  
chown root:root /opt/sshfs_export  
cd /opt/sshfs_export  
mkdir test_dir  
touch test_dir/test_file  
chown -hR autossh:autossh *  

Edit SSH configuration on "master" server:

nano -w /etc/ssh/sshd_config  

Make sure the settings below are all correct. If any line is missing, add it. In addition, if you see any AllowUsers line in the file, be sure to append autossh to it. Otherwise there is nothing to worry about:

RSAAuthentication yes  
PubkeyAuthentication yes  
AuthorizedKeysFile  .ssh/authorized_keys  
UsePAM yes  
ClientAliveInterval 15  
ClientAliveCountMax 6  
Subsystem  sftp  internal-sftp  
TCPKeepAlive yes  

Then add the following lines at the very end of the file, Ctrl-O and Enter to save, Ctrl-X to exit nano:

Match User autossh  
  ChrootDirectory /opt/sshfs_export
  ForceCommand internal-sftp 
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding no

If you need to allow port forwarding, replace the last line above with these two lines, where 8888 is the port to be allowed:

  AllowTcpForwarding yes  
  PermitOpen 127.0.0.1:8888

Reload SSH configuration on "master" server with:

# For Ubuntu/Debian:  
service ssh reload  
# For CentOS/RHEL:
service sshd reload  

Now you are almost done! Login to EACH "slave" server and run these commands to save the master server's host key. Replace these variables with actual values: MASTER_SERVER_IP and MASTER_SERVER_SSH_PORT.

su - autossh -s /bin/bash  
ssh -p MASTER_SERVER_SSH_PORT autossh@MASTER_SERVER_IP  
# IMPORTANT: At the prompt, answer "yes" to save the host key.
exit  

Finally, mount the SSHFS shared folder using this one-liner. Be sure to replace the two variables as stated above. To improve performance, you may optionally add Ciphers=arcfour128 to SSHFS options (References: [1] [2]).

su - autossh -s /bin/bash -c "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,ssh_command='autossh -M 0' autossh@MASTER_SERVER_IP:/ /opt/sshfs -p MASTER_SERVER_SSH_PORT"  

You can then test by listing the shared folder, and should now see the test_dir and test_file we created on the "master" server.

ls -lR /opt/sshfs  

Note that the "slave" server(s) cannot create files at the "root" of shared folder (e.g. /opt/sshfs). This is by design. However, they should have full access to everything below that level. If you add content to the shared folder /opt/sshfs_export on master server, don't forget to set correct ownership to allow full access by the slave server(s):

chown -hR autossh:autossh /opt/sshfs_export/*  

Alternatively, you can create /opt/sshfs also on the "master" server and mount the SSHFS folder there using 127.0.0.1 as the server IP. If you do this and always access the shared folder via path /opt/sshfs, all new files created within will automatically have the correct ownership autossh:autossh.

To unmount the shared folder, use the following command:

# Unmount SSHFS folder the normal way:  
cd /root; /bin/fusermount -u /opt/sshfs  
# If above was unsuccessful, try a "forced" unmount:
# WARNING: Data loss may occur!
/bin/fusermount -uz /opt/sshfs

Congratulations! You have successfully set up SSHFS and can now use the shared folder across all your servers.

Please share this post if you like it, and do not hesitate to write your comments or questions in the Disqus form below.


Next article: Check Your Server for Malware from SSH Attacks
Previous article: IPsec VPN Server Auto Setup with Libreswan

Return to Lin's Tech Blog Homepage

Lin Song

Final year U.S. Ph.D. candidate in Electrical and Computer Engineering (ECE). As a hobby, I love computers, Linux and programming. Seeking opportunities. Feel free to connect with me on LinkedIn, or



View or Post


Disclaimer: All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. All trademarks mentioned herein belong to their respective owners.
    The owner of this blog will not be liable for any errors or omissions in this information nor for the availability of it. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

Your name:

Email address:

Website URL:

Please leave a comment:

You agree that this form is for A N T I-S P A M B O T S!
     D O-N O T-S U B M I T !