Hello guys, to contribute back to the community, here is my tutorial for setting up SSHFS to create shared folder(s) among your VPSes. We will be using autossh, which has the nice "automatic reconnect" capability whenever the link goes down. Also implemented are a "chroot" and "key use restrictions", which strengthen security. These instructions have been tested on both Ubuntu 12.04 LTS and CentOS 6.5 Server. However, use at your own risk. Note that if you want to use this tutorial on an OpenVZ VPS, your provider MUST enable FUSE for your container.
First, you need to decide on a "master" server where your shared folder will be physically stored. Your other "slave" server(s) will connect to this master server via SSHFS to share that folder's content. For the purpose of this tutorial, the folder to be shared on the master server is named /opt/sshfs_export, while each slave server will create a folder named /opt/sshfs to hold the shared content.
All commands below run as user "root" unless otherwise noted. Alternatively you can use "sudo".
The first step is to install the necessary software packages. Follow separate instructions below for Ubuntu and CentOS:
For Ubuntu:
apt-get update
apt-get install nano fuse sshfs autossh -y
For CentOS:
# Make sure you install the "EPEL" repository first.
# Check "/etc/yum.repos.d/". If already installed, skip this step.
yum install wget -y
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm
# Next, proceed to install the needed packages:
yum check-update
yum install nano fuse fuse-sshfs autossh -y
The instructions below are applicable for BOTH Ubuntu and CentOS.
Create fuse.conf, set correct permissions and allow all users to access the shared folder. The user_allow_other line is what permits a non-root user (autossh) to mount with allow_other, so that other local users can see the mounted share:
[ -f /etc/fuse.conf ] && cp /etc/fuse.conf /etc/fuse.conf.old
echo "user_allow_other" > /etc/fuse.conf
chown root:fuse /etc/fuse.conf
chmod 640 /etc/fuse.conf
Add user autossh and ensure it's a member of the fuse group:
useradd -m -s /bin/false -G fuse autossh
Prepare shared folder on "slave" server(s):
mkdir /opt/sshfs
chown autossh:autossh /opt/sshfs
Now we switch to user autossh and generate the SSH key to be used for authentication. The passphrase is left empty on purpose: autossh uses the key unattended, so a passphrase is not an option; the key is locked down instead by the authorized_keys restrictions and the chroot set up below.
su - autossh -s /bin/bash
ssh-keygen
(Accept the defaults to generate the SSH key for "autossh". Leave the passphrase empty.)
exit
Now, repeat steps above on ALL your other servers ("master" AND "slave") until they are all set up.
Next, log on to each of your "slave" servers and run:
cat /home/autossh/.ssh/id_rsa.pub
Copy and paste the entire contents of the public key file displayed by the command above into a text editor. You should end up with one line per "slave" server, each beginning with "ssh-rsa" and ending with "autossh@YOUR_HOSTNAME".
Now, in your text editor, prefix every line with this (without the quotes, and keep the trailing space, which separates the options from the key):
"no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty "
These options deny the key any TCP, agent and X11 forwarding, the execution of ~/.ssh/rc, and a terminal. On their own they do not limit the key to SFTP; that is done by the ForceCommand in the Match block we add to sshd_config below. With both layers in place the key can be used for nothing but SFTP even if one of them is later misconfigured. If you need to allow port forwarding, replace "no-port-forwarding" with something like "permitopen="127.0.0.1:8888"", where 8888 is the port to be allowed. Optionally, also put from="SLAVE_IP", (with the comma) in front of each line, so that sshd rejects that key when it is presented from any other address.
Go back to your "master" server. Run commands:
mkdir -p /home/autossh/.ssh; chmod 700 /home/autossh/.ssh
cd /home/autossh/.ssh
touch authorized_keys; chmod 600 authorized_keys
chown autossh:autossh authorized_keys
nano authorized_keys
Paste the entire contents of your text editor at the end of the file, Ctrl-O and Enter to save, Ctrl-X to exit nano.
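As an added example (not part of the original post), the script below does the prefixing for you from a file of collected slave keys, and can also audit a finished authorized_keys so that no unrestricted key for autossh slips in. The sample key inside it and the address 10.0.0.11 used in the usage line are constructed placeholders; the optional from= restriction is the extra hardening mentioned above. Save it as, say, restrict_keys.sh:

```shell
#!/bin/sh
# Added example, not from the original post: generate restricted authorized_keys
# lines for the "autossh" user on the master, and audit a finished file.
# Usage:  sh restrict_keys.sh slave_keys.txt [from_ip] > /home/autossh/.ssh/authorized_keys
#         sh restrict_keys.sh --audit /home/autossh/.ssh/authorized_keys

RESTRICTIONS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,no-pty'

# Constructed sample key (not a real key), handy for trying the functions out.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleonlyexampleonly autossh@slave1'

# Emit one authorized_keys line: the restriction options, optionally preceded by
# from="ip" (sshd then rejects this key from any other source address), followed
# by the key exactly as pasted from the slave. Rejects input that is not an
# OpenSSH public key line.
restrict_key() {
    key=$1; src=${2:-}
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: ${key%% *}" >&2; return 1 ;;
    esac
    opts=$RESTRICTIONS
    if [ -n "$src" ]; then
        opts="from=\"$src\",$opts"
    fi
    printf '%s %s\n' "$opts" "$key"
}

# Audit: report every key line that lacks one of the five restriction options.
# Returns 1 if any such line exists, 0 if the whole file is restricted.
audit_authorized_keys() {
    file=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        opts=${line%% *}                                  # first field of the line
        case "$opts" in ssh-*|ecdsa-*) opts='' ;; esac    # bare key: no options at all
        for want in no-port-forwarding no-agent-forwarding no-X11-forwarding no-user-rc no-pty; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "line $n: missing $want" >&2; bad=1; break ;;
            esac
        done
    done < "$file"
    return $bad
}

case "${1:-}" in
    --audit) audit_authorized_keys "$2" && echo "all keys in $2 carry the restrictions" ;;
    ?*)      while IFS= read -r k || [ -n "$k" ]; do
                 [ -n "$k" ] && restrict_key "$k" "${2:-}"
             done < "$1" ;;
esac
```

If you used the permitopen variant for a slave instead of no-port-forwarding, that line will be flagged by the audit; adjust the list in audit_authorized_keys to match the profile you actually deployed.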
Prepare the folder to be shared on the "master" server. The folder itself must stay owned by root and must not be group- or other-writable, because sshd enforces that for a ChrootDirectory; only its contents are handed over to autossh:
mkdir /opt/sshfs_export
chown root:root /opt/sshfs_export
cd /opt/sshfs_export
mkdir test_dir
touch test_dir/test_file
chown -hR autossh:autossh *
Edit your sshd_config in nano editor (on "master" server ONLY):
nano /etc/ssh/sshd_config
Make sure the settings below are present and correct in the sshd_config file (the ClientAlive* values make sshd drop a dead link after about 90 seconds, which is what lets autossh notice and reconnect). In addition, if there is any "AllowUsers" line present in sshd_config, be sure to add "autossh" to it. If not, there is nothing to worry about:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
ClientAliveInterval 15
ClientAliveCountMax 6
Subsystem sftp internal-sftp
TCPKeepAlive yes
Finally, add these lines at the very end of sshd_config (everything after a Match line belongs to that block, so nothing else may follow it), Ctrl-O and Enter to save, Ctrl-X to exit nano:
Match User autossh
    ChrootDirectory /opt/sshfs_export
    ForceCommand internal-sftp
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
If you need to allow port forwarding, replace the last line above with these two lines, where 8888 is the port to be allowed:
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:8888
Check the file with "sshd -t" first (a syntax error in sshd_config can lock you out of the master), then reload the configuration of sshd on the "master" server with:
# If Ubuntu:
service ssh reload
# If CentOS:
service sshd reload
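As an added example (not from the original post): sshd refuses a chrooted SFTP session with "bad ownership or modes for chroot directory" unless every directory on the ChrootDirectory path, from / down to /opt/sshfs_export, is owned by root and is not writable by group or other. On the slave side the mount simply fails, and the reason only shows up in the master's auth log. The script below checks the whole path on the master before you try mounting; it assumes GNU stat, which Ubuntu and CentOS ship.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a ChrootDirectory path
# meets sshd's rules (every component owned by root, none group/other-writable).
# Usage: sh check_chroot.sh /opt/sshfs_export      (assumes GNU stat)

# Return 0 if an octal mode string such as 755 or 1777 grants write permission
# to group or other, 1 otherwise. Pure string handling, so it works in any sh.
mode_is_group_or_other_writable() {
    mode=$1
    last2=${mode#"${mode%??}"}   # the group and other digits
    case "$last2" in
        *[2367]*) return 0 ;;    # a digit with the write bit (2) set
        *)        return 1 ;;
    esac
}

# Return 0 if a single directory is owned by uid 0 and not group/other-writable.
dir_is_chroot_safe() {
    d=$1
    [ -d "$d" ] || return 1
    [ "$(stat -c '%u' "$d")" = "0" ] || return 1
    if mode_is_group_or_other_writable "$(stat -c '%a' "$d")"; then
        return 1
    fi
    return 0
}

# Walk from the chroot directory up to /, reporting the first unsafe component.
check_chroot_path() {
    p=$1
    while :; do
        if ! dir_is_chroot_safe "$p"; then
            echo "unsafe chroot component: $p (owner/mode: $(stat -c '%U %a' "$p" 2>/dev/null))" >&2
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

if [ $# -gt 0 ]; then
    if check_chroot_path "$1"; then
        echo "$1 is acceptable as a ChrootDirectory"
    else
        exit 1
    fi
fi
```

The walk up to / matters: a common mistake is a group-writable /opt (for example after a "chgrp admin /opt; chmod g+w /opt"), which makes sshd reject the chroot even though /opt/sshfs_export itself looks right.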
Now you are almost done! Log in to each "slave" server and connect to the "master" server using the command below. This is a one-line command. Be sure to replace MASTER_SERVER_IP and MASTER_SERVER_SSH_PORT with the appropriate values. One caveat: StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null means the slave never verifies the master's host key, so anyone who can get between a slave and the master could impersonate the master and read or alter everything the slaves write. Keep these two options only if the link runs over a network you trust; otherwise put the master's host key into /home/autossh/.ssh/known_hosts and remove them.
su - autossh -s /bin/bash -c "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null,ssh_command='autossh -M 0' autossh@MASTER_SERVER_IP:/ /opt/sshfs -p MASTER_SERVER_SSH_PORT"
You can then test the shared folder on each "slave" server. Enter command below and you should now see the "test_dir" and "test_file" we created on the "master" server.
ls -lR /opt/sshfs
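The mount command above works with host key verification switched off. As an added example (not part of the original post), the script below instead pins the master's RSA host key in the autossh user's known_hosts and then runs the same sshfs command with StrictHostKeyChecking=yes. MASTER_SERVER_IP, MASTER_SERVER_SSH_PORT and MASTER_HOST_KEY_FP are placeholders you supply through the environment; the fingerprint must come from the master itself (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on its console), not over the network you are trying to protect. Scanning only the RSA key and adding HostKeyAlgorithms=ssh-rsa are my choices to match the OpenSSH versions of the tutorial's era; on a current OpenSSH you would pin the ed25519 key instead.

```shell
#!/bin/sh
# Added example, not from the original post: pin the master's host key in the
# autossh user's known_hosts and mount with host key checking ON, replacing
# StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null from the tutorial.
# Placeholders (set in the environment before running):
#   MASTER_SERVER_IP, MASTER_SERVER_SSH_PORT, MASTER_HOST_KEY_FP
# MASTER_HOST_KEY_FP is what "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub"
# prints on the master's own console (SHA256:... or aa:bb:... on older OpenSSH).

MOUNTPOINT=/opt/sshfs
KNOWN_HOSTS=/home/autossh/.ssh/known_hosts

# known_hosts names a host on a non-standard port as "[host]:port".
known_hosts_hostfield() {
    host=$1; port=$2
    if [ "$port" = "22" ]; then
        printf '%s' "$host"
    else
        printf '[%s]:%s' "$host" "$port"
    fi
}

# Return 0 if known_hosts already has an entry for this host and port.
known_hosts_has_host() {
    [ -f "$KNOWN_HOSTS" ] && grep -qF -- "$(known_hosts_hostfield "$1" "$2") " "$KNOWN_HOSTS"
}

# Fetch the master's RSA host key, check that its fingerprint equals the one
# obtained out of band, and only then append it to known_hosts.
pin_host_key() {
    host=$1; port=$2; expected_fp=$3
    known_hosts_has_host "$host" "$port" && return 0
    tmp=$(mktemp) || return 1
    if ! ssh-keyscan -t rsa -p "$port" "$host" 2>/dev/null > "$tmp" || [ ! -s "$tmp" ]; then
        echo "could not fetch host key from $host:$port" >&2; rm -f "$tmp"; return 1
    fi
    if ! ssh-keygen -lf "$tmp" | awk '{print $2}' | grep -qxF -- "$expected_fp"; then
        echo "host key fingerprint mismatch for $host:$port; NOT pinning" >&2
        ssh-keygen -lf "$tmp" >&2
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" >> "$KNOWN_HOSTS" && chown autossh:autossh "$KNOWN_HOSTS" && chmod 600 "$KNOWN_HOSTS"
    rc=$?; rm -f "$tmp"; return $rc
}

# The tutorial's sshfs command line with host key checking enabled.
build_mount_cmd() {
    host=$1; port=$2
    printf '%s' "/usr/bin/sshfs -o reconnect,compression=yes,auto_cache,cache_timeout=5,transform_symlinks,allow_other,idmap=user,ServerAliveInterval=60,ServerAliveCountMax=3,StrictHostKeyChecking=yes,UserKnownHostsFile=$KNOWN_HOSTS,HostKeyAlgorithms=ssh-rsa,ssh_command='autossh -M 0' autossh@$host:/ $MOUNTPOINT -p $port"
}

if [ -n "${MASTER_SERVER_IP:-}" ]; then
    pin_host_key "$MASTER_SERVER_IP" "${MASTER_SERVER_SSH_PORT:-22}" "${MASTER_HOST_KEY_FP:?set MASTER_HOST_KEY_FP}" || exit 1
    su - autossh -s /bin/bash -c "$(build_mount_cmd "$MASTER_SERVER_IP" "${MASTER_SERVER_SSH_PORT:-22}")"
fi
```

Run it once per slave as root; on a fingerprint mismatch it prints what it saw and refuses to mount, which is exactly the case the original options would have silently accepted.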
Note that the "slave" servers cannot create files at the root of the shared folder (e.g. directly in /opt/sshfs). This is "by design": the chroot directory must remain owned by root for sshd to accept it, so top-level entries have to be created on the "master" server. However, the "slave" servers have full control of everything below that level. If you add content to the shared folder /opt/sshfs_export on the "master" server, don't forget to change its ownership so that the "slave" servers can write to it.
For example:
chown -hR autossh:autossh /opt/sshfs_export/*
To unmount the shared folder from each "slave" server, run:
# First try the "normal" unmount command:
/bin/fusermount -u /opt/sshfs
# If that fails because the mount is busy, try a "lazy" unmount (-z). It detaches
# the mount immediately and finishes the cleanup once the last user lets go,
# so writes still in flight may be lost.
/bin/fusermount -uz /opt/sshfs
The latest version of this tutorial (and others) is also available at my tech blog.
Please browse to: https://blog.ls20.com
Any questions or suggestions are welcome. Feel free to leave a comment.