[Tutorial] Using SSHFS to Share Folders Among Your VPS

howardsl2 Member
edited March 2014 in Tutorials

Hello guys, to contribute back to the community, here is my tutorial for setting up SSHFS to create shared folder(s) among your VPS. We will be using autossh which has the nice "automatic reconnect" capability whenever the link goes down. Also implemented are settings such as "chroot" and "key use restrictions" which will strengthen security. These instructions have been tested on both Ubuntu 12.04 LTS and CentOS 6.5 Server. However, use at your own risk. Note that if you want to use this tutorial on an OpenVZ VPS, your provider MUST enable FUSE for your container.

First, you need to decide on a "master" server where your shared folder will be physically stored. Your other "slave" server(s) will connect to this master server via SSHFS to share that folder's content. For the purpose of this tutorial, the folder to be shared on the master server is named /opt/sshfs_export, while each slave server will create a folder named /opt/sshfs to hold the shared content.

All commands below run as user "root" unless otherwise noted. Alternatively you can use "sudo".

The first step is to install the necessary software packages. Follow separate instructions below for Ubuntu and CentOS:

For Ubuntu:

apt-get update
apt-get install nano fuse sshfs autossh -y

For CentOS:

# Make sure you install the "EPEL" repository first. 
# Check "/etc/yum.repos.d/". If already installed, skip this step.
yum install wget -y
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

# Next, proceed to install the needed packages:
yum check-update
yum install nano fuse fuse-sshfs autossh -y

The instructions below are applicable for BOTH Ubuntu and CentOS.

Create fuse.conf, set correct permissions and allow all users to access shared folder:

[ -f /etc/fuse.conf ] && cp /etc/fuse.conf /etc/fuse.conf.old
echo "user_allow_other" > /etc/fuse.conf
chown root:fuse /etc/fuse.conf
chmod 640 /etc/fuse.conf

Add user autossh and ensure it's a member of the fuse group:

useradd -m -s /bin/false -G fuse autossh

Prepare shared folder on "slave" server(s):

mkdir /opt/sshfs
chown autossh:autossh /opt/sshfs

Now we switch to user autossh and generate SSH key to be used for authentication:

su - autossh -s /bin/bash
ssh-keygen
(Accept the defaults to generate SSH key for "autossh". Leave passphrase empty.)
exit

Now, repeat steps above on ALL your other servers ("master" AND "slave") until they are all set up.

Next, log on to each of your "slave" servers and run:

cat /home/autossh/.ssh/id_rsa.pub

Copy and paste the entire contents of the public key file displayed by the command above into a text editor. You should get one line for each "slave" server, beginning with "ssh-rsa" and ending with "autossh@" followed by that server's hostname.

Now, in your text editor, prefix every line with this (without the quotes):

"no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty  "

This will strengthen security so that only SFTP is permitted. If you need to allow port forwarding, replace "no-port-forwarding" with something like permitopen="127.0.0.1:8888", where 8888 is the port to be allowed.

Go back to your "master" server. Run commands:

mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh
cd /home/autossh/.ssh
touch authorized_keys; chmod 600 authorized_keys
chown autossh:autossh authorized_keys
nano authorized_keys

Paste the entire contents of your text editor at the end of the file, then press Ctrl-O and Enter to save, and Ctrl-X to exit nano.
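
The collect, prefix and paste steps above can also be scripted, which avoids pasting a malformed or unrestricted line into authorized_keys. This is an added example, not part of the original tutorial; the function names are hypothetical and it assumes the slaves' id_rsa.pub files have been copied to the master.

```shell
#!/bin/sh
# Added example, not from the original tutorial; function names are hypothetical.
OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty'

# restrict_pubkey LINE
# Prints LINE with the tutorial's options in front. Returns 1 unless LINE is
# a bare "type base64 [comment]" public key, so a private key, an empty line,
# or a line that already carries options is never installed.
restrict_pubkey() {
    read -r ktype blob comment <<EOF
$1
EOF
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) return 1 ;;
    esac
    case $blob in
        AAAA*[!A-Za-z0-9+/=]*) return 1 ;;  # character outside base64
        AAAA*) ;;                            # SSH key blobs start with AAAA
        *) return 1 ;;
    esac
    printf '%s %s %s%s\n' "$OPTS" "$ktype" "$blob" "${comment:+ $comment}"
}

# add_restricted_keys AUTH_FILE PUBKEY_FILE...
# Appends one restricted line per key, skipping blobs already present, and
# prints how many lines were added. The body is a subshell so the umask
# change does not leak into the caller.
add_restricted_keys() (
    auth=$1; shift
    umask 077
    touch "$auth"
    added=0
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            out=$(restrict_pubkey "$line") || continue
            read -r o t b c <<EOF
$out
EOF
            grep -qF -- " $b" "$auth" && continue
            printf '%s\n' "$out" >> "$auth"
            added=$((added + 1))
        done < "$f"
    done
    echo "$added"
)

# Usage on the master (then chown the file to autossh as in the tutorial):
#   add_restricted_keys /home/autossh/.ssh/authorized_keys slave1.pub slave2.pub
```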

Prepare the folder to be shared on "master" server:

mkdir /opt/sshfs_export
chown root:root /opt/sshfs_export
cd /opt/sshfs_export
mkdir test_dir
touch test_dir/test_file
chown -hR autossh:autossh *

Edit your sshd_config in nano editor (on "master" server ONLY):

nano /etc/ssh/sshd_config

Make sure the settings below are correct in the sshd_config file. In addition, if there is any "AllowUsers" line present in sshd_config, be sure to add "autossh" to it. If not, there is nothing to worry about:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
UsePAM yes
ClientAliveInterval 15
ClientAliveCountMax 6
Subsystem  sftp  internal-sftp
TCPKeepAlive yes

Finally, add these lines at the end of sshd_config, Ctrl-O and Enter to save, Ctrl-X to exit nano:

Match User autossh
       ChrootDirectory /opt/sshfs_export
       ForceCommand internal-sftp 
       X11Forwarding no
       AllowAgentForwarding no
       AllowTcpForwarding no

If you need to allow port forwarding, replace the last line above with these two lines, where 8888 is the port to be allowed:

       AllowTcpForwarding yes
       PermitOpen 127.0.0.1:8888

Reload the configuration of sshd on "master" server with:

# If Ubuntu:
service ssh reload  
# If CentOS:
service sshd reload
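
sshd refuses a chrooted session when any component of the ChrootDirectory path is not owned by root or is writable by group or others, which is why /opt/sshfs_export itself is kept root:root. The following check is an added example, not part of the original tutorial; the function names are hypothetical and the optional owner argument exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original tutorial; function names are hypothetical.
# Uses GNU/BusyBox "stat -c", as found on Ubuntu and CentOS.

# dir_is_chroot_safe DIR [OWNER_UID]
# True when DIR is a directory owned by OWNER_UID (default 0, root) with
# neither the group-write nor the other-write bit set.
dir_is_chroot_safe() {
    dir=$1 want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path ABS_DIR [OWNER_UID]
# Walks from ABS_DIR up to /, printing every component that fails.
# Returns 0 only when all components pass, 2 for a relative path.
check_chroot_path() {
    case $1 in /*) ;; *) return 2 ;; esac
    p=$1 rc=0
    while :; do
        dir_is_chroot_safe "$p" "${2:-0}" || { echo "unsafe: $p"; rc=1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$rc"
}

# Usage on the master, before reloading sshd:
#   check_chroot_path /opt/sshfs_export && sshd -t
```

`sshd -t` only validates the configuration syntax; the path check covers the ownership rule that otherwise shows up as a dropped connection at login time.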

Now you are almost done! Go ahead and log in to each "slave" server, then connect to the "master" server using the command below. This is a one-line command. Be sure to replace MASTER_SERVER_IP and MASTER_SERVER_SSH_PORT with appropriate values:

su - autossh -s /bin/bash -c "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null,ssh_command='autossh -M 0' autossh@MASTER_SERVER_IP:/ /opt/sshfs -p MASTER_SERVER_SSH_PORT"

You can then test the shared folder on each "slave" server. Enter the command below and you should now see the "test_dir" and "test_file" we created on the "master" server.

ls -lR /opt/sshfs
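
The mount command above sets StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null, so a slave never verifies that the host answering on MASTER_SERVER_IP is really the master. An alternative, shown here as an added example that is not part of the original tutorial, is to copy the master's public host key (for instance from /etc/ssh/ssh_host_rsa_key.pub on the master) into autossh's known_hosts on each slave and mount with checking enabled. The function names and the sample address are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial; function names are hypothetical.

# kh_name HOST PORT
# Prints the host label as OpenSSH writes it in known_hosts:
# "host" for port 22, "[host]:port" for any other port.
kh_name() {
    if [ "${2:-22}" = 22 ]; then
        printf '%s\n' "$1"
    else
        printf '[%s]:%s\n' "$1" "$2"
    fi
}

# pin_host_key FILE HOST PORT KEYTYPE BLOB
# Adds "label keytype blob" to FILE when no key of that type is recorded for
# the host. Returns 1, changing nothing, when FILE already holds a different
# key: the case that StrictHostKeyChecking=no would accept silently.
# Only plain (unhashed, single-name) entries such as the ones it writes
# itself are recognised.
pin_host_key() {
    file=$1 name=$(kh_name "$2" "$3") ktype=$4 blob=$5
    touch "$file"
    have=$(awk -v n="$name" -v t="$ktype" \
        '$1 == n && $2 == t { print $3; exit }' "$file")
    if [ -z "$have" ]; then
        printf '%s %s %s\n' "$name" "$ktype" "$blob" >> "$file"
    elif [ "$have" != "$blob" ]; then
        echo "host key for $name differs from the pinned one" >&2
        return 1
    fi
}

# Usage on a slave, as user autossh (203.0.113.10 and 2222 are sample values,
# BLOB is the second field of the master's ssh_host_rsa_key.pub):
#   pin_host_key ~/.ssh/known_hosts 203.0.113.10 2222 ssh-rsa BLOB
# Then run the tutorial's sshfs command with these two options changed:
#   StrictHostKeyChecking=yes,UserKnownHostsFile=/home/autossh/.ssh/known_hosts
```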

Note that the "slave" servers cannot create files at the root of shared folder (e.g. /opt/sshfs). This is "by design" and must be done on the "master" server. However, the "slave" servers have full control of everything below that level. If you add content to the shared folder /opt/sshfs_export on "master" server, don't forget to change their ownership so that the "slave" servers can write to them.

For example:

chown -hR autossh:autossh /opt/sshfs_export/*

To unmount the shared folder from each "slave" server, run the command:

# First try the "normal" unmount command:
/bin/fusermount -u /opt/sshfs
# If above is unsuccessful, try doing a "forced" unmount. Data loss may occur.
/bin/fusermount -uz /opt/sshfs

The latest version of this tutorial (and others) is also available at my tech blog.
Please browse to: https://blog.ls20.com

Any questions or suggestions are welcome. Feel free to leave a comment.
