For some reason I tend to forget something in my home office that I just need now. The information I need is sitting somewhere on the server, which is idling away at home, being of not much use to me at the moment. But once there is a network connection to the server there is a cure for this calamity, called sshfs, the secure shell file system.
Using the secure shell file system to lay your hands on data that is stored remotely has one distinct advantage that sets it apart from many other methods, it restricts access to the person that knows the key while the data is mounted on the local computer.
FUSE is just another userspace program used to provide files under a certain directory that serves as a mount point. This in fact gives any user the opportunity to mount and unmount whole filesystems into his or her home directory at leisure, and whats most important, it provides a means to bring a secure tunnel to another network-enabled computer (at home or in the office) into play which radically changes the picture.
Joe's new key pair has now been created. Make sure that you have your secret key (/home/joe/.ssh/id_rsa) at hand when you need to access your server's data.
Using the secure shell file system to lay your hands on data that is stored remotely has one distinct advantage that sets it apart from many other methods, it restricts access to the person that knows the key while the data is mounted on the local computer.
|
Normally any remote data source is mounted on the local computer as part of the universal file system, and while file permissions may restrict access for certain users, the superuser (root) is always able to access the data mounted somewhere, no matter which access method is used to transfer the data to the local system.
Well yes, unless the data is encrypted with a user's public key and mounted on a sshfs. Now even the superuser cannot read the data mounted, making this method particularly interesting for all situations in which private data is used on a system heavily in use by many other people as well. Unlike normal network filesystems like NFS or CIFS that are mounted by a system process during bootup the sshfs is mounted by ordinary users, thanks to the FUSE kernel module. |
FUSE is just another userspace program used to provide files under a certain directory that serves as a mount point. This in fact gives any user the opportunity to mount and unmount whole filesystems into his or her home directory at leisure, and whats most important, it provides a means to bring a secure tunnel to another network-enabled computer (at home or in the office) into play which radically changes the picture.
Preparations
Of course you have to prepare the server you intend to access for this scenario, but the necessary steps are pretty much straightforward. Naturally, using sshfs would require to create a cryptographic key pair (public key and secret key) and to store the public key on the server in the appropriate place:
ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/joe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/joe/.ssh/id_rsa.
Your public key has been saved in /home/joe/.ssh/id_rsa.pub.
The key fingerprint is:
fa:aa:96:40:9b:35:0e:91:f5:bd:94:8c:d5:9f:43:b8 joe@kerry-linux.ie
Enter file in which to save the key (/home/joe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/joe/.ssh/id_rsa.
Your public key has been saved in /home/joe/.ssh/id_rsa.pub.
The key fingerprint is:
fa:aa:96:40:9b:35:0e:91:f5:bd:94:8c:d5:9f:43:b8 joe@kerry-linux.ie
cp /home/joe/.ssh/id_rsa.pub /home/joe/.ssh/authorized_keys
Of course, this has to be done on the server in order to permit the use of Joe's secret key.
Once Joe knows his server's IP address he is ready to mount his home directory on the server onto a directory "secure" at his local computer. But bear in mind that Joe's secret key also has to be there.
sshfs joe@62.156.44.13: $HOME/secure
Once the remote data is being mounted, Joe is happy to see his data but every other user including root will only see the following when looking at Joe's home directory.
[root@localhost]# ls -l /home/joe
drwxr-xr-x 2 joe users 4096 Aug 6 2008 Videos
drwx------ 3 joe users 4096 Sep 1 2008 mail
drwxr-xr-x 2 joe users 4096 Sep 6 2007 proposals
d????????? ? ? ? ? ? secure
drwx------ 3 joe users 4096 Sep 1 2008 mail
drwxr-xr-x 2 joe users 4096 Sep 6 2007 proposals
d????????? ? ? ? ? ? secure
[root@localhost]# ls /home/joe/secure
ls: cannot access /home/joe/secure: Permission denied
And that's exactly how things should be.
Recent Comments