
Re: sshfs has fubared mount



On Tuesday 09 February 2021 16:00:23 David Christensen wrote:

> On 2021-02-09 05:15, Gene Heskett wrote:
> > On Tuesday 09 February 2021 02:29:02 David Christensen wrote:
> >> On 2021-02-08 21:01, Gene Heskett wrote:
> >>> Greetings all;
> >>>
> >>> I have sshfs setup so I can move files around between this box and
> >>> 4 others, 3 of which are now running buster.  Works only for the
> >>> user, me.
> >>
> >> I have previously installed my public SSH key from the local
> >> computer 'tinkywinky' to the remote computer 'po' with
> >> ssh-copy-id(1):
> >
> > Don't recall doing this, plz describe.
>
> I initially created an SSH keypair with a passphrase using
> ssh-keygen(1).  If a villain gets my SSH keypair, he also has to get
> my SSH passphrase to access the computers and accounts where I have
> installed the SSH public key.
>
>
> When I open a terminal, I run ssh-agent(1) and ssh-add(1) to manage my
> SSH keys.  I enter my passphrase once, and ssh-agent(1) will provide
> it to SSH-aware software for me:
>
> 2021-02-09 12:32:30 dpchrist@tinkywinky ~
> $ ssh-agent bash -l
>
> 2021-02-09 12:32:32 dpchrist@tinkywinky ~
> $ ssh-add
> Enter passphrase for /home/dpchrist/.ssh/id_rsa:
> Identity added: /home/dpchrist/.ssh/id_rsa (/home/dpchrist/.ssh/id_rsa)
>
>
> If I remove my SSH public key from po, I can demonstrate
> ssh-copy-id(1). ssh-agent(1) will provide my SSH passphrase, but I
> will need to enter the password for the account on the remote host:
>
> 2021-02-09 12:12:02 dpchrist@tinkywinky ~
> $ ssh-copy-id po
> /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s),
> to filter out any that are already installed
> /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you
> are prompted now it is to install the new keys
> dpchrist@po's password:
>
> Number of key(s) added: 1
>
> Now try logging into the machine, with:   "ssh 'po'"
> and check to make sure that only the key(s) you wanted were added.
>
>
> I can now log in to 'po' using ssh(1).  ssh-agent(1) will provide my
> passphrase.  I do not need to enter my SSH passphrase or my remote
> account password:
>
> 2021-02-09 12:12:10 dpchrist@tinkywinky ~
> $ ssh po
> Linux po 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64
> Last login: Tue Feb  9 12:10:11 2021 from 192.168.5.74
>
> 2021-02-09 12:12:12 dpchrist@po ~
> $
>
>
> Similarly, scp(1), rsync(1), and others will operate without requiring
> passphrases or passwords.  This is especially useful for scripts,
> cron(8) jobs, etc.
>
> >> I created an fstab(5) entry on the local machine for mounting the
> >> remote root directory with my unprivileged account.  Note the
> >> options:
> >>
> >> 2021-02-08 22:37:51 dpchrist@tinkywinky ~
> >> $ grep 'po:/' /etc/fstab | perl -pe 's/\t+/ /g'
> >> po:/ /po fuse.sshfs ro,noauto,user 0 0
> >
> > I've never had any of this below in my fstab, haven't needed it for
> > the other 4 machines.
>
> fstab(1) is the canonical location for mount information.  By putting
> it there, standard tools will know where to find it.
>
> >> I created a mount point and I set the owner and group to match my
> >> unprivileged account.  The directory is empty:
> >>
> >> 2021-02-08 22:39:38 dpchrist@tinkywinky ~
> >> $ ls -la /po
> >> total 8
> >> drwxr-xr-x  2 dpchrist dpchrist 4096 Jan 21 13:32 .
> >> drwxr-xr-x 27 root     root     4096 Jan 21 13:32 ..
> >
> > Matches mine. Difference is that I put all those mountpoints in the
> > /sshnet subdir
> >
> > gene@coyote:~$ ls -la /sshnet/
> > total 36
> > drwxr-xr-x  9 gene gene 4096 Feb  9 07:37 .
> > drwxr-xr-x 28 root root 4096 Dec 12 03:44 ..
> > drwxr-xr-x  1 root root 4096 Feb  4 15:59 GO704
> > drwxr-xr-x  2 root root 4096 Feb  8 10:10 Hardinge1
> > drwxr-xr-x  1 root root 4096 Feb  3 14:16 lathe
> > drwxr-xr-x  2 root root 4096 Apr 25  2019 redpitaya
> > drwxr-xr-x  1 root root 4096 Feb  1 04:46 rpi4
> > drwxr-xr-x  1 root root 4096 Feb  4 15:43 sixty40
> > drwxr-xr-x  2 root root 4096 May  2  2019 vna
>
> Assuming that command was run when /sshnet/Hardinge1 was not mounted
> (see below), the owner and group of Hardinge1 is root:root, not
> gene:gene.
>
> On 2021-02-09 07:05, David Wright wrote:
>  > Change the ownership of Hardinge1.
>
> Yes, that is the correct solution.
>
>
> We were all confused by a feature of mount(1) -- mounting a remote
> filesystem changes the owner and group of the mount point on the local
> machine while the remote filesystem is mounted:
>
> 2021-02-09 12:13:43 dpchrist@tinkywinky ~
> $ mount | grep '/po'
>
> 2021-02-09 12:23:26 dpchrist@tinkywinky ~
> $ ls -ld /po
> drwxr-xr-x 2 dpchrist dpchrist 4096 Jan 21 13:32 /po
>
> 2021-02-09 12:23:29 dpchrist@tinkywinky ~
> $ mount /po
>
> 2021-02-09 12:24:14 dpchrist@tinkywinky ~
> $ mount | grep '/po'
> po:/ on /po type fuse.sshfs (ro,nosuid,nodev,noexec,relatime,user_id=13250,group_id=13250,user=dpchrist)
>
> 2021-02-09 12:24:17 dpchrist@tinkywinky ~
> $ ls -ld /po
> drwxr-xr-x 1 root root 4096 Aug 30 18:09 /po
>
>
> The owner and group are restored when the filesystem is unmounted:
>
> 2021-02-09 12:24:21 dpchrist@tinkywinky ~
> $ fusermount -u /po
>
> 2021-02-09 12:25:45 dpchrist@tinkywinky ~
> $ ls -ld /po
> drwxr-xr-x 2 dpchrist dpchrist 4096 Jan 21 13:32 /po
>
>
> Finally, you might want to make the 'mount-machines' script
> idempotent:
>
> https://en.wikipedia.org/wiki/Idempotent
>
>
> E.g. add a conditional to check if a given filesystem is already
> mounted, and only mount the filesystem when it is not. This would
> prevent the "fuse: mountpoint is not empty" and "fuse: if you are sure
> this is safe, use the 'nonempty' mount option" error messages and
> resulting confusion.  (Similarly, 'unmount-machines'.)
>
>
> David

Thanks David, all rather complex, so I put it on a piece of dead tree for 
future reference.

I need to clean up my known-hosts anyway.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
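
Added example, not part of the original messages or of Gene's scripts: one way to make a 'mount-machines' / 'unmount-machines' pair idempotent as suggested in the quoted reply, so sshfs is never stacked on a live mount and the 'nonempty' option is never needed. It assumes fstab(5) entries with the "user" option as in the quoted /po example; MOUNTS_FILE, MOUNT_CMD and UMOUNT_CMD are hypothetical override hooks, and the directory names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: idempotent mount/unmount helpers for sshfs mount points.
# Assumes each mount point has an fstab(5) entry with the "user" option, so
# plain "mount DIR" works for the unprivileged account.
# MOUNTS_FILE, MOUNT_CMD and UMOUNT_CMD are hypothetical override hooks.

MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"
UMOUNT_CMD="${UMOUNT_CMD:-fusermount -u}"

# is_mounted DIR: succeed only if DIR is exactly the mount point of a
# fuse.sshfs filesystem. Field 2 is compared whole, so /po does not match
# /pool the way "mount | grep /po" would. Paths containing spaces are not
# handled (the kernel writes them as \040 in the mounts table).
is_mounted() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    awk -v d="$dir" '$2 == d && $3 == "fuse.sshfs" { found = 1 }
                     END { exit !found }' "$MOUNTS_FILE"
}

# mount_once DIR: mount DIR unless an sshfs filesystem is already there.
mount_once() {
    if is_mounted "$1"; then
        echo "skip: $1 is already mounted"
        return 0
    fi
    $MOUNT_CMD "$1"
}

# umount_once DIR: unmount DIR only if an sshfs filesystem is mounted there.
umount_once() {
    if ! is_mounted "$1"; then
        echo "skip: $1 is not mounted"
        return 0
    fi
    $UMOUNT_CMD "$1"
}

# Use in a mount-machines script (placeholder directory names):
#   for d in /sshnet/host1 /sshnet/host2; do
#       mount_once "$d" || echo "failed: $d" >&2
#   done
```

Running either helper twice in a row is harmless: the second call reports "skip" and returns 0.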

