SSHFS - mount remote directory with SSH

It concerns about FUSE1) module, which is able to attach remote directory via SSH service using SFTP protocol. File operations are converted into the SFTP commands and executed on the server side. The communication on the server side is transparent - i.e. attached directories tree and its files is possible to use almost in the same manner as local files.

SSHFS utilizing protocol SFTP has a problem with hard links. In case you wish to use hard links, we recommend you to use NFS protocol rsync or SCP protocol.
This guide is intended for OS Linux users, eventually other OS from UNIX family (slight differences). Other platforms will be consecutively tested.
If SSH is not trustful for you, you can use additional encryption ENCFS

Required SW

  • package fuse
  • package sshfs

Options for user authorization

Here you can continue with SSH service guide, because the setup is the same.

IPv4 addresses of access servers (hosts) for each data center are:

Ostrava ssh.du4.cesnet.cz
Jihlava ssh.du5.cesnet.cz

IPv6 addresses of access servers (hosts) for each data center are:

Ostrava ssh6.du4.cesnet.cz

Services using IPv6 addresses are currently in testing mode.

During the login process is very important to check if fingerprint of server is valid. To verify server please use fingerprints below. All servers in one datacenter have the same RSA, DSA and ECDSA key.

Ostrava data center (du4):

RSA, SHA256 (du4) LP7QxtJN257nb4gI8JutEwbrplx+MwdrwBtkhovQl+U
ECDSA, SHA256 (du4) 9YvWE2h459dMcLWcLcD1DsrxTjqqMLD16eiSYXBVX9k
ECDSA, MD5 (du4) 23:f8:17:39:9e:18:4e:dc:bb:4a:b6:04:1c:f5:74:de

Jihlava data center (du5):

RSA, MD5 (du5) 4f:b3:b2:31:aa:30:f1:6f:bc:58:4f:2d:39:e7:85:26
RSA, SHA256 (du5) lIJzpmmnnCQReVAaVom/jkZ1hUNWe/4nnbAl58liJbI
ECDSA, MD5 (du5) d1:72:10:45:5b:3b:ac:c6:ae:e8:32:3b:1c:c3:3e:69
ECDSA, SHA256 (du5) YB7YnmuMktwsFxVe5qdzy2bLU9y+0yowEcpZp82P4nk

If the key does not match, stop connecting to the server and contact us at: support@cesnet.cz

Procedure for connecting

Here we create an empty directory (mountpoint).

$ mkdir mnt

Now we will connect remote directory from the data storage into the created mountpoint.

$ sshfs -o idmap=user username@server:/home/username/VO_storage-cache_tape mnt
$ ls -l mnt
total 12540
-rw-r--r-- 1 username users 10485760 Jun 22 14:16 MB10.dat
-rw-r--r-- 1 username users  8388608 May  3 12:51 MB8.dat
drwxr-xr-x 2 username users       10 Jun 13 15:34 backup

After first connection there will be printed RSA fingerprint of server and sshfs will ask you, whether it should continue with the connection (for future connection is the fingerprint stored and the request will not appear anymore. The RSA fingerprint is possible to verify at keys and fingerprints page).

According to the used user authentication can command sshfs require password to your data storage or password to decrypt SSH key (passphrase). By using Kerberos system is necessary before running sshfs obtain the ticket (see options for user authentication)

If you want to allow users to work with SSHFS (mount and dismount of the storage), who do not have root rights, you have to add certain users into the group fuse via command:
gpasswd -a username fuse
You can add following line into /etc/fstab for auto-mount of your storage after Linux startup;
sshfs#username@server:/mnt /home/username/VO_storage-cache_tape fuse defaults,idmap=user 0 0

Please do not forget, that for auto-mount is necessary to use SSH key, i.e. public key must be contained in the file /home/username/.ssh/authorized_keys.

Procedure for disconnection

$ fusermount -u mnt
$ ls -l mnt
total 0

If you operate SSHFS on Mac OS X, then you can meet the problems with the file manager. Tested (functioning) is the Disk Order application, ver. 3.21.

Note to Midnight Commander application

Midnight Commander (MC) contain module for “File transfer over shell filesystem” (FISH), it concerns the technology, which does not use SFTP protocol, but it requires the possibility to send general commands via SSH terminal access.
At the CESNET Data Storage is from the reason of security issues allowed to insert only limited set of commands and the FISH technology is thus not available - we recommend to use SSHFS as more universal substitution, it provides an access to the files not only for MC, but also for another application as well.

Auto-mount of your data storage via AutoFS

We can often require to connect our remote data storage automatically without entering a command i.e. transparently. For this case we can use AutoFS tool, which additionally execute reconnect in case of connection breakdown.

For fully auto-mount is necessary to use SSH keys, which are not secured via password. This could be dangerous, in case someone steal your device.

Required SW

  • repository autofs
We will further assume, that you have already passed the steps related to SSHFS setup and manual mount is already working.

Main configuration file of AutoFS is /etc/auto.master. Here we will insert the line:

/storage /etc/auto.sshfs uid=1000,gid=1000,--timeout=30,--ghost

By this way we specify, that if someone access the /storage directory, so there should be executed auto-mount using the /etc/auto.sshfs definition. Timeout specifies a disconnection after specific time of inactivity. UID and GID belong to the user, which can use FUSE.

We will insert following line into /etc/auto.sshfs

server1 -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536 :sshfs\#username@server\:

Wherein server1 introduces subdirectory of directory /storage, i.e. remote data storage will be after connecting mounted into /storage/server1. Do not forget to change username and server address (username@server).

Now we have AutoFS configured to work with SSHFS.

If you operate SSHFS on Mac OS X, then you can meet the problems with the file manager. Tested (functioning) is the Disk Order application, ver. 3.21.
Filesystem in Userspace
Last modified:: 10.08.2016 11:39