On 2021-02-09 05:15, Gene Heskett wrote:
On Tuesday 09 February 2021 02:29:02 David Christensen wrote:

On 2021-02-08 21:01, Gene Heskett wrote:
Greetings all;

I have sshfs setup so I can move files around between this box and 4
others, 3 of which are now running buster.  Works only for the user,
me.

I have previously installed my public SSH key from the local computer
'tinkywinky' to the remote computer 'po' with ssh-copy-id(1):

Don't recall doing this, plz describe>


I initially created an SSH keypair with a passphrase using ssh-keygen(1). If a villain gets my SSH keypair, he also has to get my SSH passphrase to access the computers and accounts where I have installed the SSH public key.


When I open a terminal, I run ssh-agent(1) and ssh-add(1) to manage my SSH keys. I enter my passphrase once, and ssh-agent(1) will provide it to SSH-aware software for me:

2021-02-09 12:32:30 dpchrist@tinkywinky ~
$ ssh-agent bash -l

2021-02-09 12:32:32 dpchrist@tinkywinky ~
$ ssh-add
Enter passphrase for /home/dpchrist/.ssh/id_rsa:
Identity added: /home/dpchrist/.ssh/id_rsa (/home/dpchrist/.ssh/id_rsa)


If I remove my SSH public key from po, I can demonstrate ssh-copy-id(1). ssh-agent(1) will provide my SSH passphrase, but I will need to enter the password for the account on the remote host:

2021-02-09 12:12:02 dpchrist@tinkywinky ~
$ ssh-copy-id po
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
dpchrist@po's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'po'"
and check to make sure that only the key(s) you wanted were added.


I can now log in to 'po' using ssh(1). ssh-agent(1) will provide my passphrase. I do not need to enter my SSH passphrase or my remote account password:

2021-02-09 12:12:10 dpchrist@tinkywinky ~
$ ssh po
Linux po 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64
Last login: Tue Feb  9 12:10:11 2021 from 192.168.5.74

2021-02-09 12:12:12 dpchrist@po ~
$


Similarly, scp(1), rsync(1), and others will operate without requiring passphrases or passwords. This is especially useful for scripts, cron(8) jobs, etc.


I created an fstab(5) entry on the local machine for mounting the
remote root directory with my unprivileged account. Note the options:

2021-02-08 22:37:51 dpchrist@tinkywinky ~
$ grep 'po:/' /etc/fstab | perl -pe 's/\t+/ /g'
po:/ /po fuse.sshfs ro,noauto,user 0 0

I've never had any of this below in my fstab, haven't needed it for the
other 4 machines.


fstab(1) is the canonical location for mount information. By putting it there, standard tools will know where to find it.


I created a mount point and I set the owner and group to match my
unprivileged account.  The directory is empty:

2021-02-08 22:39:38 dpchrist@tinkywinky ~
$ ls -la /po
total 8
drwxr-xr-x  2 dpchrist dpchrist 4096 Jan 21 13:32 .
drwxr-xr-x 27 root     root     4096 Jan 21 13:32 ..

Matches mine. Difference is that I put all those mountpoints in the /sshnet 
subdir

gene@coyote:~$ ls -la /sshnet/
total 36
drwxr-xr-x  9 gene gene 4096 Feb  9 07:37 .
drwxr-xr-x 28 root root 4096 Dec 12 03:44 ..
drwxr-xr-x  1 root root 4096 Feb  4 15:59 GO704
drwxr-xr-x  2 root root 4096 Feb  8 10:10 Hardinge1
drwxr-xr-x  1 root root 4096 Feb  3 14:16 lathe
drwxr-xr-x  2 root root 4096 Apr 25  2019 redpitaya
drwxr-xr-x  1 root root 4096 Feb  1 04:46 rpi4
drwxr-xr-x  1 root root 4096 Feb  4 15:43 sixty40
drwxr-xr-x  2 root root 4096 May  2  2019 vna


Assuming that command was run when /sshnet/Hardinge1 was not mounted (see below), the owner and group of Hardinge1 is root:root, not gene:gene.


On 2021-02-09 07:05, David Wright wrote:
> Change the ownership of Hardinge1.

Yes, that is the correct solution.


We were all confused by a feature of mount(1) -- mounting a remote filesystem changes the owner and group of the mount point on the local machine while the remote filesystem is mounted:

2021-02-09 12:13:43 dpchrist@tinkywinky ~
$ mount | grep '/po'

2021-02-09 12:23:26 dpchrist@tinkywinky ~
$ ls -ld /po
drwxr-xr-x 2 dpchrist dpchrist 4096 Jan 21 13:32 /po

2021-02-09 12:23:29 dpchrist@tinkywinky ~
$ mount /po

2021-02-09 12:24:14 dpchrist@tinkywinky ~
$ mount | grep '/po'
po:/ on /po type fuse.sshfs (ro,nosuid,nodev,noexec,relatime,user_id=13250,group_id=13250,user=dpchrist)

2021-02-09 12:24:17 dpchrist@tinkywinky ~
$ ls -ld /po
drwxr-xr-x 1 root root 4096 Aug 30 18:09 /po


The owner and group are restored when the filesystem is unmounted:

2021-02-09 12:24:21 dpchrist@tinkywinky ~
$ fusermount -u /po

2021-02-09 12:25:45 dpchrist@tinkywinky ~
$ ls -ld /po
drwxr-xr-x 2 dpchrist dpchrist 4096 Jan 21 13:32 /po


Finally, you might want to make the 'mount-machines' script idempotent:

https://en.wikipedia.org/wiki/Idempotent


E.g. add a conditional to check if a given filesystem is already mounted, and only mount the filesystem when it is not. This would prevent the "fuse: mountpoint is not empty" and "fuse: if you are sure this is safe, use the 'nonempty' mount option" error messages and resulting confusion. (Similarly, 'unmount-machines'.)
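An added example (not from this thread, nor from Gene's mount-machines script) of the idempotent approach suggested above. It checks the kernel mount table rather than the directory owner, because, as shown earlier in the thread, the owner and group of the mount point change while the remote filesystem is mounted. The names MOUNTS_FILE, is_mounted, mount_if_needed and unmount_if_mounted are assumptions; it also assumes each mount point has an fstab(5) entry with the user option, like the po:/ line above.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent mount-machines helpers.
# Assumes each mount point has an fstab(5) entry with the "user" option,
# e.g.  po:/ /po fuse.sshfs ro,noauto,user 0 0
# MOUNTS_FILE is an assumed knob so the check can be exercised against a
# hand-written mount table; on a live system leave it at the default.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"

# is_mounted DIR: exit 0 if DIR appears as a mount point in the mount table.
# The mount table is used rather than "ls -ld DIR", because the owner and
# group of the mount point change while the remote filesystem is mounted.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# mount_if_needed DIR: mount only when not already mounted, which avoids the
# "fuse: mountpoint is not empty" error on a second run of mount-machines.
mount_if_needed() {
    if is_mounted "$1"; then
        echo "$1: already mounted, skipping"
        return 0
    fi
    mount "$1"
}

# unmount_if_mounted DIR: the unmount-machines counterpart.
unmount_if_mounted() {
    if ! is_mounted "$1"; then
        echo "$1: not mounted, skipping"
        return 0
    fi
    fusermount -u "$1"
}

# mount-machines style usage (commented out so sourcing this file is a no-op):
#   for d in /sshnet/GO704 /sshnet/Hardinge1 /sshnet/lathe; do
#       mount_if_needed "$d"
#   done
```

On util-linux systems `mountpoint -q DIR` gives the same answer as is_mounted without parsing the table yourself.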


David
