Difference between revisions of "SSHFS"

From ArchWiki
Jump to navigation Jump to search
m (→‎Unmounting: Sshfs updated fusermount to fusermount3)
(Undo revision 587618 by Delapouite (talk) - the 3 is obvious, history is not relevant)
Tag: Undo
 
(17 intermediate revisions by 9 users not shown)
Line 1: Line 1:
[[Category:File systems]]
+
[[Category:FUSE]]
 
[[Category:Secure Shell]]
 
[[Category:Secure Shell]]
 
[[Category:Network sharing]]
 
[[Category:Network sharing]]
 +
[[es:SSHFS]]
 +
[[fr:Sshfs]]
 
[[ja:Sshfs]]
 
[[ja:Sshfs]]
 
[[ru:SSHFS]]
 
[[ru:SSHFS]]
Line 9: Line 11:
 
{{Related|SFTP chroot}}
 
{{Related|SFTP chroot}}
 
{{Related|Pure-FTPd}}
 
{{Related|Pure-FTPd}}
{{Related|SSH}}
 
 
{{Related|sftpman}}
 
{{Related|sftpman}}
 
{{Related articles end}}
 
{{Related articles end}}
  
[https://github.com/libfuse/sshfs SSHFS] is a FUSE-based filesystem client for mounting remote directories over a [[SSH]] connection.
+
[https://github.com/libfuse/sshfs SSHFS] is a [[FUSE]]-based filesystem client for mounting remote directories over a [[Secure Shell]] connection.
  
 
== Installation ==
 
== Installation ==
Line 36: Line 37:
 
Here {{ic|-p 9876}} specifies the port number and {{ic|-C}} enables compression. For more options see the [[#Options]] section.
 
Here {{ic|-p 9876}} specifies the port number and {{ic|-C}} enables compression. For more options see the [[#Options]] section.
  
When not specified, the remote path defaults to the remote user home directory. Default user names and options can be predefined on a host-by-host basis in {{ic|~/.ssh/config}} to simplify the ''sshfs'' usage. For more information see [[Secure Shell#Client usage]].
+
When not specified, the remote path defaults to the remote user home directory. Default user names and options can be predefined on a host-by-host basis in {{ic|~/.ssh/config}} to simplify the ''sshfs'' usage. For more information see [[OpenSSH#Client usage]].
  
 
SSH will ask for the password, if needed. If you do not want to type in the password multiple times a day, see [[SSH keys]].
 
SSH will ask for the password, if needed. If you do not want to type in the password multiple times a day, see [[SSH keys]].
Line 110: Line 111:
 
{{Note|After editing {{ic|/etc/fstab}}, (re)start the required service: {{ic|systemctl daemon-reload && systemctl restart <target>}} where {{ic|<target>}} can be found by running {{ic|systemctl list-unit-files --type automount}} }}
 
{{Note|After editing {{ic|/etc/fstab}}, (re)start the required service: {{ic|systemctl daemon-reload && systemctl restart <target>}} where {{ic|<target>}} can be found by running {{ic|systemctl list-unit-files --type automount}} }}
  
{{Tip|{{AUR|autosshfs-git}} do not require editing {{ic|/etc/fstab}} to add a new mountpoint. Instead, regular users can create one by simply attempting to access it (with e. g. something like {{ic|ls ~/mnt/ssh/[user@]yourremotehost[:port]}}). {{AUR|autosshfs-git}} uses AutoFS. Users need to be enabled to use it with {{ic|autosshfs-user}}.}}
+
{{Tip|{{AUR|autosshfs-git}}{{Broken package link|package not found}} do not require editing {{ic|/etc/fstab}} to add a new mountpoint. Instead, regular users can create one by simply attempting to access it (with e. g. something like {{ic|ls ~/mnt/ssh/[user@]yourremotehost[:port]}}). {{AUR|autosshfs-git}}{{Broken package link|package not found}} uses AutoFS. Users need to be enabled to use it with {{ic|autosshfs-user}}.}}
  
 
=== On boot ===
 
=== On boot ===
Line 148: Line 149:
 
=== Checklist ===
 
=== Checklist ===
  
Read the [[Secure_Shell#Checklist|SSH Checklist]] Wiki entry first. Further issues to check are:
+
Read [[OpenSSH#Checklist]] first. Further issues to check are:
  
 
1. Is your SSH login sending additional information from server's {{ic|/etc/issue}} file e.g.? This might confuse SSHFS. You should temporarily deactivate server's {{ic|/etc/issue}} file:
 
1. Is your SSH login sending additional information from server's {{ic|/etc/issue}} file e.g.? This might confuse SSHFS. You should temporarily deactivate server's {{ic|/etc/issue}} file:
Line 178: Line 179:
 
* If that doesn't reveal anything useful, you might also try adding the option '{{ic|debug}}'
 
* If that doesn't reveal anything useful, you might also try adding the option '{{ic|debug}}'
 
* If you are trying to sshfs into a router running DD-WRT or the like, there is a solution [http://www.dd-wrt.com/wiki/index.php/SFTP_with_DD-WRT here]. (note that the -osftp_server=/opt/libexec/sftp-server option can be used to the sshfs command in stead of patching dropbear)
 
* If you are trying to sshfs into a router running DD-WRT or the like, there is a solution [http://www.dd-wrt.com/wiki/index.php/SFTP_with_DD-WRT here]. (note that the -osftp_server=/opt/libexec/sftp-server option can be used to the sshfs command in stead of patching dropbear)
 +
* If you see this only on boot, it may be that systemd is attempting to mount prior to a network connection being available. Enabling the 'wait-online' service appropriate to your network connection (eg. systemd-networkd-wait-online.service) fixes this.
 
* Old Forum thread: [https://bbs.archlinux.org/viewtopic.php?id=27613 sshfs: Connection reset by peer]
 
* Old Forum thread: [https://bbs.archlinux.org/viewtopic.php?id=27613 sshfs: Connection reset by peer]
 
* Make sure your user can log into the server (especially when using AllowUsers)
 
* Make sure your user can log into the server (especially when using AllowUsers)
Line 190: Line 192:
 
* First make sure that the '''remote''' machine has ''sftp'' installed! It will not work, if not.
 
* First make sure that the '''remote''' machine has ''sftp'' installed! It will not work, if not.
 
* Then, check that the path of the {{ic|Subsystem sftp}} in {{ic|/etc/ssh/sshd_config}} on the remote machine is valid.
 
* Then, check that the path of the {{ic|Subsystem sftp}} in {{ic|/etc/ssh/sshd_config}} on the remote machine is valid.
 
=== Freezing apps (e.g. Gnome Files, Gedit) === 
 
 
{{Warning|This prevents the recently used file list from being populated and may lead to possible write errors.}}
 
 
If you experience freezing/hanging (stopped responding) applications, you may need to disable write-access to the {{ic|~/recently-used.xbel}} file.
 
 
# chattr +i /home/USERNAME/.local/share/recently-used.xbel
 
 
See the following [https://bugs.archlinux.org/task/40260 bug report] for more details and/or solutions.
 
  
 
=== fstab mounting issues ===
 
=== fstab mounting issues ===
Line 214: Line 206:
  
 
* [http://wiki.gilug.org/index.php/How_to_mount_SFTP_accesses How to mount chrooted SSH filesystem], with special care with owners and permissions questions.
 
* [http://wiki.gilug.org/index.php/How_to_mount_SFTP_accesses How to mount chrooted SSH filesystem], with special care with owners and permissions questions.
* [http://www.admin-magazine.com/HPC/Articles/Sharing-Data-with-SSHFS SSHFS – Installation and Performance] — Comparison with NFS and optimization tips.
 

Latest revision as of 22:15, 2 November 2019

SSHFS is a FUSE-based filesystem client for mounting remote directories over a Secure Shell connection.

Installation

Install the sshfs package.

Tip:
  • If you often need to mount sshfs filesystems you may be interested in using an sshfs helper, such as qsshfsAUR, sftpman, sshmntAUR or fmount.py.
  • You may want to use Google Authenticator providing additional security as in two-step authentication.
  • SSH keys may be used over traditional password authentication.

Mounting

In order to be able to mount a directory the SSH user needs to be able to access it. Invoke sshfs to mount a remote directory:

$ sshfs [user@]host:[dir] mountpoint [options]

For example:

$ sshfs myuser@mycomputer:/remote/path /local/path -C -p 9876

Here -p 9876 specifies the port number and -C enables compression. For more options see the #Options section.

When not specified, the remote path defaults to the remote user home directory. Default user names and options can be predefined on a host-by-host basis in ~/.ssh/config to simplify the sshfs usage. For more information see OpenSSH#Client usage.

SSH will ask for the password, if needed. If you do not want to type in the password multiple times a day, see SSH keys.

Unmounting

To unmount the remote system:

$ fusermount3 -u mountpoint

Example:

$ fusermount3 -u /local/path

Options

sshfs can automatically convert between local and remote user IDs. Use the idmap=user option to translate the UID of the connecting user to the remote user myuser (GID remains unchanged):

$ sshfs myuser@mycomputer:/remote/path /local/path -o idmap=user

If you need more control over UID and GID translation, look at the options idmap=file, uidfile and gidfile.

A complete list of options can be found in sshfs(1).

Chrooting

You may want to restrict a specific user to a specific directory on the remote system. This can be done by editing /etc/ssh/sshd_config:

/etc/ssh/sshd_config
.....
Match User someuser 
       ChrootDirectory /chroot/%u
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no
.....
Note: The chroot directory must be owned by root, otherwise you will not be able to connect.

See also SFTP chroot. For more information check the sshd_config(5) man page for Match, ChrootDirectory and ForceCommand.

Automounting

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: This requires to install fuse2 for mount.fuse, or create a symbolic link from mount.fuse3. See FS#55564 (Discuss in Talk:SSHFS#)

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: fuse3 API doesn't accept options _netdev and user anymore. Discussion (Discuss in Talk:SSHFS#)

Automounting can happen on boot, or on demand (when accessing the directory). For both, the setup happens in the fstab.

Note: Keep in mind that automounting is done through the root user, therefore you cannot use hosts configured in .ssh/config of your normal user.

To let the root user use an SSH key of a normal user, specify its full path in the IdentityFile option.

And most importantly, use each sshfs mount at least once manually while root so the host's signature is added to the /root/.ssh/known_hosts file.

On demand

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Is there a way to make this work with a passphrase-protected private key? E.g. it prompts for the passphrase at first access. Alternatively, clearly state that it's not possible and why. (Discuss in Talk:SSHFS#)

With systemd on-demand mounting is possible using /etc/fstab entries.

Example:

user@host:/remote/folder /mount/point  fuse.sshfs noauto,x-systemd.automount,_netdev,users,idmap=user,IdentityFile=/home/user/.ssh/id_rsa,allow_other,reconnect 0 0

The important mount options here are noauto,x-systemd.automount,_netdev.

  • noauto tells it not to mount at boot
  • x-systemd.automount does the on-demand magic
  • _netdev tells it that it is a network device, not a block device (without it "No such device" errors might happen)
Note: After editing /etc/fstab, (re)start the required service: systemctl daemon-reload && systemctl restart <target> where <target> can be found by running systemctl list-unit-files --type automount
Tip: autosshfs-gitAUR[broken link: package not found] do not require editing /etc/fstab to add a new mountpoint. Instead, regular users can create one by simply attempting to access it (with e. g. something like ls ~/mnt/ssh/[user@]yourremotehost[:port]). autosshfs-gitAUR[broken link: package not found] uses AutoFS. Users need to be enabled to use it with autosshfs-user.

On boot

An example on how to use sshfs to mount a remote filesystem through /etc/fstab

USERNAME@HOSTNAME_OR_IP:/REMOTE/DIRECTORY  /LOCAL/MOUNTPOINT  fuse.sshfs  defaults,_netdev  0  0

Take for example the fstab line

llib@192.168.1.200:/home/llib/FAH  /media/FAH2  fuse.sshfs  defaults,_netdev  0  0

The above will work automatically if you are using an SSH key for the user. See Using SSH Keys.

If you want to use sshfs with multiple users:

user@domain.org:/home/user  /media/user   fuse.sshfs    defaults,allow_other,_netdev    0  0

Again, it is important to set the _netdev mount option to make sure the network is available before trying to mount.

Secure user access

When automounting via fstab, the filesystem will generally be mounted by root. By default, this produces undesireable results if you wish access as an ordinary user and limit access to other users.

An example mountpoint configuration:

USERNAME@HOSTNAME_OR_IP:/REMOTE/DIRECTORY  /LOCAL/MOUNTPOINT  fuse.sshfs noauto,x-systemd.automount,_netdev,user,idmap=user,follow_symlinks,identityfile=/home/USERNAME/.ssh/id_rsa,allow_other,default_permissions,uid=USER_ID_N,gid=USER_GID_N 0 0

Summary of the relevant options:

  • allow_other - Allow other users than the mounter (i.e. root) to access the share.
  • default_permissions - Allow kernel to check permissions, i.e. use the actual permissions on the remote filesystem. This allows prohibiting access to everybody otherwise granted by allow_other.
  • uid, gid - set reported ownership of files to given values; uid is the numeric user ID of your user, gid is the numeric group ID of your user.

Troubleshooting

Checklist

Read OpenSSH#Checklist first. Further issues to check are:

1. Is your SSH login sending additional information from server's /etc/issue file e.g.? This might confuse SSHFS. You should temporarily deactivate server's /etc/issue file:

$ mv /etc/issue /etc/issue.orig

2. Keep in mind that most SSH related troubleshooting articles you will find on the web are not Systemd related. Often /etc/fstab definitions wrongly begin with sshfs#user@host:/mnt/server/folder ... fuse ... instead of using the syntax user@host:/mnt/server/folder ... fuse.sshfs ... x-systemd, ....

3. Check that the owner of server's source folder and content is owned by the server's user.

$ chown -R USER_S: /mnt/servers/folder

4. The server's user ID can be different from the client's one. Obviously both user names have to be the same. You just have to care for the client's user IDs. SSHFS will translate the UID for you with the following mount options:

uid=USER_C_ID,gid=GROUP_C_ID

5. Check that the client's target mount point (folder) is owned by the client user. This folder should have the same user ID as defined in SSHFS's mount options.

$ chown -R USER_C: /mnt/client/folder

6. Check that the client's mount point (folder) is empty. By default you cannot mount SSHFS folders to non-empty folders.

Connection reset by peer

  • If you are trying to access the remote system with a hostname, try using its IP address, as it can be a domain name solving issue. Make sure you edit /etc/hosts with the server details.
  • If you are using non-default key names and are passing it as -i .ssh/my_key, this will not work. You have to use -o IdentityFile=/home/user/.ssh/my_key, with the full path to the key.
  • If your /root/.ssh/config is a symlink, you will be getting this error as well. See this serverfault topic
  • Adding the option 'sshfs_debug' (as in 'sshfs -o sshfs_debug user@server ...') can help in resolving the issue.
  • If that doesn't reveal anything useful, you might also try adding the option 'debug'
  • If you are trying to sshfs into a router running DD-WRT or the like, there is a solution here. (note that the -osftp_server=/opt/libexec/sftp-server option can be used to the sshfs command in stead of patching dropbear)
  • If you see this only on boot, it may be that systemd is attempting to mount prior to a network connection being available. Enabling the 'wait-online' service appropriate to your network connection (eg. systemd-networkd-wait-online.service) fixes this.
  • Old Forum thread: sshfs: Connection reset by peer
  • Make sure your user can log into the server (especially when using AllowUsers)
  • Make sure Subsystem sftp /usr/lib/ssh/sftp-server is enabled in /etc/ssh/sshd_config.
Note: When providing more than one option for sshfs, they must be comma separated. Like so: 'sshfs -o sshfs_debug,IdentityFile=</path/to/key> user@server ...')

Remote host has disconnected

If you receive this message directly after attempting to use sshfs:

  • First make sure that the remote machine has sftp installed! It will not work, if not.
  • Then, check that the path of the Subsystem sftp in /etc/ssh/sshd_config on the remote machine is valid.

fstab mounting issues

To get verbose debugging output, add the following to the mount options:

ssh_command=ssh\040-vv,sshfs_debug,debug
Note: Here, \040 represents a space which fstab uses to separate fields.

To be able to run mount -av and see the debug output, remove the following:

 noauto,x-systemd.automount

See also