2

I tried this sshfs without shell access, but I realized I should ask the opposite way.

I would love to mount a remote file system automatically, over an encrypted tunnel, preferably using private/public keys.

It should not mean any security risk (no ssh login or so), only reading/writing to a remote sub-folder (like NFS over OpenVPN / unlike sshfs).

It should preserve user, groups, permissions.

It should be easy to configure (like sshfs / unlike NFS over VPN).

It should be in standard repositories (Linux).

It should reconnect if the connection drops (or the IP changes).

Is there such a thing, or am I asking too much?

Pavel Niedoba

1 Answer

4

On the remote server, set up an sftp-only non-root account with these contents of sshd_config:

```
Match User pavel
ForceCommand internal-sftp
# Don't add more lines below, they will be inside a Match block.
```

On the local system, install and configure sshfs. Use `-o reconnect,ServerAliveInterval=5,ServerAliveCountMax=3` like I describe in another answer. Optionally install and configure autofs, which will provide automatic mount/umount.

No ssh access: check.

Only reading/writing to remote sub-folder: check.

Preserve user, groups: only in a very limited manner (exactly like sftp command).

Preserve permissions: check (but google sftp umask).

Easy to configure (like sshfs): check.

It should be in standard Linux repositories: check.

It should reconnect if connection drops (or ip changes): check.

If you get it to work, you could also play with adding `ChrootDirectory /only/this/path` to sshd_config for increased security.

kubanczyk
  • Sounds like a solution, I didn't know about ForceCommand internal-sftp. I need this for off-site backups, I suppose it's needed by many – Pavel Niedoba Mar 23 '18 at 18:21
  • 1
    You can have multiple accounts under chroot. I do this using a group called `sftponly` and a match block in sshd_config for that group. Match can use User, Group or Net. You can nearly duplicate rsync behavior in chroot using **[lftp](https://serverfault.com/questions/836103/replace-scp-with-sftp/836136#836136)** + sftp chroot. – Aaron Mar 26 '18 at 16:51
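
The `ChrootDirectory` step from the answer and the group-based chroot from the comment both fail at login when any component of the chroot path is not owned by root or is writable by group or others, because sshd checks every component at session start. The following is an added example, not code from the thread, that checks a path against that rule before it goes into sshd_config; it assumes GNU `stat`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The usage line at the bottom reuses
# the answer's placeholder path /only/this/path.

# component_ok UID OCTAL_MODE -> 0 if sshd would accept this path component:
# owned by root (uid 0) and neither group- nor other-writable.
component_ok() {
    c_uid=$1
    c_mode=$2
    [ "$c_uid" -eq 0 ] || return 1
    # 022 = group-write | other-write; the leading 0 makes the mode octal
    [ $(( 0$c_mode & 022 )) -eq 0 ]
}

# chroot_path_ok DIR -> 0 if DIR and every parent up to / pass component_ok,
# 1 if some component would be rejected, 2 if DIR is not usable at all.
chroot_path_ok() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "not an absolute path: $dir" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    while :; do
        # -L: follow symlinks and judge the directory they point to
        if ! component_ok "$(stat -L -c %u "$dir")" "$(stat -L -c %a "$dir")"; then
            echo "sshd would reject: $dir ($(stat -L -c '%U %a' "$dir"))" >&2
            return 1
        fi
        if [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# Usage: sh check-chroot.sh /only/this/path
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$1"
fi
```

Because the chroot root itself cannot be writable by the sftp user, uploads need a subdirectory inside it that the account owns.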