automounting sshfs and authentication

cfr · 2013-07-07 21:14:34

I decided I would try to enable automounting of a remote file system using sshfs.

I use gpg-agent to manage authentication for ssh:

/usr/bin/gpg-agent -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file

Normally, I connect using

sshfs -o idmap=user,transform_symlinks <hostalias>:/ /mnt/<mountpoint>/

In that case, gpg-agent produces a dialog asking for a password so that it can access the password for my ssh key in order to authenticate me to the remote server. <hostalias> is set up in /etc/ssh/ssh_config. This all works fine.

Following the instructions at https://wiki.archlinux.org/index.php/Sshfs#Automounting and, to a lesser extent, https://wiki.archlinux.org/index.php/Systemd#Automount, I added the following to fstab:

<username>@<hostalias>:/   /mnt/<mountpoint> fuse.sshfs defaults,nofail,noauto,x-systemd.automount,_netdev,users,idmap=user,transform_symlinks,reconnect,x-systemd.device-timeout=30s 0 0

<username> corresponds to my username on both local and remote systems. I don't normally need this because it is the same in both cases but for fstab I assume I do because that's being parsed, I guess, as root rather than as any particular user.

With the line added in fstab, however, I seem to have access to the remote system without needing to enter any password at all (although I still need to authenticate if I want to ssh to the host normally, say). Is that expected? Why do I not get asked for a password by gpg-agent in that case? And is this a security risk?

Also, the wiki notes that it may be problematic if sshfs mounts are active at shutdown in the case that they were mounted manually. If they are automounted like this, will systemd or the system take care of them automatically? If so, would this also apply if I suspend the computer to RAM or disk? The description in the wiki labels this method "On demand" but it doesn't seem as though there is any provision for unmounting the system if it is not being used. Is that even possible?

Last edited by cfr (2013-07-07 21:18:41)

WonderWoofy · 2013-07-08 01:22:50

I dunno if this is something you would be interested in.... but I remembered seeing it a little while back and being curious about it.

https://bbs.archlinux.org/viewtopic.php?pid=1288579

cfr · 2013-07-08 02:41:27

Thanks. That is interesting although it does not look terribly reliable (just judging from the thread).

I guess if I find out the systemd method has irresolvable security issues I might try it... though it might be easier to just stick to the manual method in that case. I don't need to create sshfs mounts on the fly or anything like that - just one place I ssh to regularly, basically, and that's it. I'm just a bit alarmed not to be asked for a password.

WonderWoofy · 2013-07-08 04:21:41

Yeah, it does look a bit unreliable. But I thougt if nothing else, maybe you could take a look at the sources and see how it is taken care of there. But then I guess that means that it has nothing to do with systemd at that point.

Strike0 · 2013-07-08 20:08:19

I seem to remember you use KDE. Do you have "kde-agent" installed?

cfr · 2013-07-08 23:36:16

No. I use gpg-agent but not kde-agent.

This is my /etc/kde/env/gpg-agent-startup.sh

#!/bin/sh

GPG_AGENT=/usr/bin/gpg-agent
## Run gpg-agent only if not already running, and available
if [ -x "${GPG_AGENT}" ] ; then

  # check validity of GPG_SOCKET (in case of session crash)
  GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
    GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
    GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm`
    if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
      rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
    else
       GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
       if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
         rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
       fi
    fi
    unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
  fi

  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
    eval "$(cat "${GPG_AGENT_INFO_FILE}")"
    eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
    export GPG_TTY=$(tty)
  else
    eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
  fi

fi

If I remember correctly, I got rid of kde-agent because I wanted to use gpg-agent's ssh support and kde-agent got in the way. (I needed precisely one process and kde-agent was starting gpg-agent without the relevant options.)

I've actually commented the fstab line for now because it messes up if I sleep the laptop - basically, it hangs afterwards if I try to access the remote fs and I have to kill the process. Then I have to mount it manually anyway so it seems a bit pointless.

Last edited by cfr (2013-07-08 23:38:44)

Arch Linux

#1 2013-07-07 21:14:34

automounting sshfs and authentication

#2 2013-07-08 01:22:50

Re: automounting sshfs and authentication

#3 2013-07-08 02:41:27

Re: automounting sshfs and authentication

#4 2013-07-08 04:21:41

Re: automounting sshfs and authentication

#5 2013-07-08 20:08:19

Re: automounting sshfs and authentication

#6 2013-07-08 23:36:16

Re: automounting sshfs and authentication

Board footer