Using SSHFS to Share Folders between Your Servers

In this tutorial I will guide you through the steps to set up SSHFS for sharing folder(s) among your servers. We will use autossh which has the nice "automatic reconnect" capability. Also included are settings such as "chroot" and "SSH key restrictions" which will strengthen security.

These instructions have been fully tested on Ubuntu 14.04/12.04, Debian 8/7 and CentOS 6 servers. However, use at your own risk. Note for OpenVZ VPS users ONLY: You must ask your VPS provider to enable FUSE.

First, you need to decide on a "master" server where your shared folder will be physically stored. Your other "slave" server(s) will connect to it via SSHFS to share that folder's content. For the purpose of this tutorial, the folder to be shared on the master server is located at /opt/sshfs_export, while each slave server will hold its content in /opt/sshfs.

All commands below should be run as "root", unless otherwise noted. Alternatively you may use "sudo".

The first step is to install the necessary software packages.

For Ubuntu/Debian:

apt-get update  
apt-get install nano fuse sshfs autossh  

For CentOS/RHEL:

# Enable the EPEL repository  
yum install epel-release  
yum install nano fuse fuse-sshfs autossh  

The instructions below are for both Ubuntu/Debian and CentOS/RHEL.

Create fuse.conf, set correct owner and permissions:

[ -f /etc/fuse.conf ] && cp /etc/fuse.conf /etc/fuse.conf.old  
echo "user_allow_other" > /etc/fuse.conf  
chown root:fuse /etc/fuse.conf  
chmod 640 /etc/fuse.conf  

Note: Any logged in user on your server(s) will have full access to the mounted SSHFS folder. This is because we added user_allow_other to fuse.conf, and specified allow_other in the SSHFS command below.

Add user autossh and ensure it's a member of the fuse group:

useradd -m -s /bin/false -G fuse autossh  

Prepare the folder which will hold shared content:

mkdir /opt/sshfs  
chown autossh:autossh /opt/sshfs  

Switch to user autossh and create an SSH key pair for authentication:

su - autossh -s /bin/bash  
ssh-keygen  # Accept the defaults, leave passphrase empty.  
exit  

Now, repeat ALL steps above on each of your other servers, both "master" and "slave", until they are fully set up.

Next, log on to each "slave" server, and do:

cat /home/autossh/.ssh/id_rsa.pub  

Copy the above command's output and paste into your favorite editor. You should get one line for each "slave" server, beginning with ssh-rsa and ending with autossh@YOUR_HOSTNAME.

In the editor, prefix every line with this (without the quotes):

"no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty  "  

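This strengthens security by disabling port, agent and X11 forwarding, user rc files and terminal allocation for these keys; together with the ForceCommand internal-sftp setting configured below, only SFTP is permitted. If you need to allow port forwarding, replace no-port-forwarding with something like permitopen="127.0.0.1:8888", where 8888 is the port to be allowed.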

Go back to your "master" server. Run commands:

mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh  
cd /home/autossh/.ssh  
touch authorized_keys; chmod 600 authorized_keys  
chown autossh:autossh authorized_keys  
nano -w authorized_keys  

Copy and paste the entire contents of your favorite editor into nano, then press Ctrl-O and Enter to save, and Ctrl-X to exit.
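The prefixing step above can also be scripted rather than done by hand in an editor. The following is an added example, not part of the original post; the function name restrict_keys and the sample keys are constructed for illustration, and the option list is the one given above.

```shell
#!/bin/sh
# Added example (not from the original post): apply the restriction prefix to
# collected slave public keys instead of editing each line by hand.
OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty'

# restrict_keys: public key lines on stdin, authorized_keys lines on stdout.
# Returns non-zero if any line is neither a bare public key nor already prefixed.
restrict_keys() {
  awk -v opts="$OPTS" '
    { sub(/\r$/, "") }                              # CR left by copy and paste
    /^[ \t]*$/ || /^[ \t]*#/ { next }               # blank lines and comments
    index($0, opts " ") == 1 { print; next }        # already prefixed: keep as is
    $1 ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
      $2 ~ "^[A-Za-z0-9+/]+=*$" { print opts " " $0; next }
    { printf "line %d rejected: not a public key\n", NR > "/dev/stderr"; bad = 1 }
    END { exit bad + 0 }
  '
}

# Constructed sample input (not real keys): two slave keys with a blank line.
SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsample1 autossh@slave1

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsample2 autossh@slave2'
printf '%s\n' "$SAMPLE" | restrict_keys
```

Because lines that already carry the prefix are passed through unchanged, the function can be re-run over an existing authorized_keys file when a new slave key is appended.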

Prepare the folder to be shared on "master" server:

mkdir /opt/sshfs_export  
chown root:root /opt/sshfs_export  
cd /opt/sshfs_export  
mkdir test_dir  
touch test_dir/test_file  
chown -hR autossh:autossh *  

Edit SSH configuration on "master" server:

nano -w /etc/ssh/sshd_config  

Make sure the settings below are all correct. If any line is missing, add it. In addition, if you see any AllowUsers line in the file, be sure to append autossh to it. Otherwise there is nothing to worry about:

RSAAuthentication yes  
PubkeyAuthentication yes  
AuthorizedKeysFile  .ssh/authorized_keys  
UsePAM yes  
ClientAliveInterval 15  
ClientAliveCountMax 6  
Subsystem  sftp  internal-sftp  
TCPKeepAlive yes  

Then add the following lines at the very end of the file, press Ctrl-O and Enter to save, and Ctrl-X to exit nano:

Match User autossh  
  ChrootDirectory /opt/sshfs_export
  ForceCommand internal-sftp 
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding no

If you need to allow port forwarding, replace the last line above with these two lines, where 8888 is the port to be allowed:

  AllowTcpForwarding yes  
  PermitOpen 127.0.0.1:8888

Reload SSH configuration on "master" server with:

# For Ubuntu/Debian:  
service ssh reload  
# For CentOS/RHEL:
service sshd reload  
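A check for the Match block added above, as an added example that is not part of the original post. The function name check_match_block and the sample configs are constructed; it assumes the single-user form "Match User NAME" used in this tutorial and accepts either forwarding variant described above.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the "Match User" block
# described above. Assumes the single-user form "Match User NAME".
# Usage: check_match_block autossh < /etc/ssh/sshd_config
check_match_block() {
  awk -v user="$1" '
    BEGIN {
      want["chrootdirectory"] = ""            # any value, but must be set
      want["forcecommand"] = "internal-sftp"
      want["x11forwarding"] = "no"
      want["allowagentforwarding"] = "no"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
    { key = tolower($1) }
    key == "match" {                          # a block runs until the next Match
      inblk = (tolower($2) == "user" && $3 == user)
      if (inblk) found = 1
      next
    }
    inblk && NF >= 2 && !(key in val) { val[key] = tolower($2) }  # first value wins
    END {
      if (!found) { print "no Match User " user " block found"; exit 1 }
      for (k in want) {
        if (!(k in val)) { print "missing: " k; bad = 1 }
        else if (want[k] != "" && val[k] != want[k]) { print "weak: " k " " val[k]; bad = 1 }
      }
      tcp = val["allowtcpforwarding"]
      if (tcp != "no" && !(tcp == "yes" && ("permitopen" in val))) {
        print "weak: allowtcpforwarding must be no, or yes with PermitOpen"; bad = 1
      }
      exit bad + 0
    }
  '
}
# Constructed sample configs: the block from this tutorial, and a weakened one.
GOOD='Match User autossh
  ChrootDirectory /opt/sshfs_export
  ForceCommand internal-sftp
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding no'
WEAK='Match User autossh
  ChrootDirectory /opt/sshfs_export
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding yes'
printf '%s\n' "$GOOD" | check_match_block autossh && echo "GOOD: ok"
printf '%s\n' "$WEAK" | check_match_block autossh || echo "WEAK: rejected"
```

The weakened sample is reported for the missing ForceCommand and for forwarding enabled without PermitOpen. Running sshd -t before the reload additionally catches syntax errors in the edited file.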

Now you are almost done! Log in to EACH "slave" server and run these commands to save the master server's host key. Replace these variables with actual values: MASTER_SERVER_IP and MASTER_SERVER_SSH_PORT.

su - autossh -s /bin/bash  
ssh -p MASTER_SERVER_SSH_PORT autossh@MASTER_SERVER_IP  
# IMPORTANT: At the prompt, answer "yes" to save the host key.
exit  

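Finally, mount the SSHFS shared folder using this one-liner. Be sure to replace the two variables as stated above. To improve performance, you may optionally add Ciphers=arcfour128 to SSHFS options (References: [1] [2]). Note that arcfour128 is an RC4-based cipher, which is considered cryptographically weak, and recent OpenSSH releases no longer support it, so this option only works with older SSH versions.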

su - autossh -s /bin/bash -c "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,ssh_command='autossh -M 0' autossh@MASTER_SERVER_IP:/ /opt/sshfs -p MASTER_SERVER_SSH_PORT"  

You can then test by listing the shared folder, and should now see the test_dir and test_file we created on the "master" server.

ls -lR /opt/sshfs  

Note that the "slave" server(s) cannot create files at the "root" of shared folder (e.g. /opt/sshfs). This is by design. However, they should have full access to everything below that level. If you add content to the shared folder /opt/sshfs_export on master server, don't forget to set correct ownership to allow full access by the slave server(s):

chown -hR autossh:autossh /opt/sshfs_export/*  

Alternatively, you can create /opt/sshfs also on the "master" server and mount the SSHFS folder there using 127.0.0.1 as the server IP. If you do this and always access the shared folder via path /opt/sshfs, all new files created within will automatically have the correct ownership autossh:autossh.

To unmount the shared folder, use the following command:

# Unmount SSHFS folder the normal way:  
cd /root; /bin/fusermount -u /opt/sshfs  
# If above was unsuccessful, try a "forced" unmount:
# WARNING: Data loss may occur!
/bin/fusermount -uz /opt/sshfs

Congratulations! You have successfully set up SSHFS and can now use the shared folder across all your servers.
