SSH agent and SSHFS


Updated: 2014-01-24

My server used to run NFS v3 so I could easily manage my multimedia collection from my local laptop. I found out a few months ago that NFS v4 boasts quite a few improvements over v3, so I planned on migrating. Unfortunately that never got further than the stage of building the required packages, and yesterday I decided to give SSHFS another go. Compared to v3, NFS v4 brings a more secure solution, but at the cost of slightly more complicated configuration. Setting up SSHFS, on the other hand, is child's play.

Here's how it goes:

  • Install the sshfs package. Pacman will pull in the FUSE module automatically.
  • Load the fuse module and also add it to the modules array in /etc/rc.conf so it is autoloaded at boot
  • Mount your share with the command

    $ sshfs $user@$host:$path $mountpoint
    
  • Unmounting works as follows:

    $ fusermount -u $mountpoint
    

Unmounting might require root permissions, depending on your setup. Sudo can help here.

SSH will prompt you for your password or passphrase. The one drawback compared to NFS is that you have to enter your credentials every single time you mount it. This poses problems if you want it done non-interactively - I have it integrated into my Openbox menu and it's kind of ugly to have a terminal pop up to ask for the password every time. This is where ssh-agent comes in.

I will not cover setting up SSH keys; it is a fairly easy process and has been documented extensively already. Ssh-agent allows you to cache your keys so you only have to type your passphrase once per session. If you use multiple keys, you might want to look into keychain, a nice command-line tool that handles not only SSH but also GPG keys.

Ssh-agent needs to be run at login to work properly (read: export environment variables so your user can talk to it). This can be handled through XDM or KDM; however, an alternate method is to have your ~/.bashrc or ~/.bash_profile do the job:

# Start an agent only if none is reachable yet (SSH_AUTH_SOCK unset) and the binary exists
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"   # print Bourne-shell syntax so the output can be eval'ed
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
  eval `$SSHAGENT $SSHAGENTARGS`
  # kill this agent again when the shell exits
  trap "kill $SSH_AGENT_PID" 0
fi

This piece of code will launch ssh-agent the right way. Either log out and back in again or source your .bashrc, and open a terminal to add an SSH key:

$ ssh-add .ssh/id_rsa-amalthea
Enter passphrase for .ssh/id_rsa-amalthea: 
Identity added: .ssh/id_rsa-amalthea (.ssh/id_rsa-amalthea)

Voilà, that should do the job. Your key is now cached and during this session you won't be asked for the password anymore. Let's put it to the test:

$ ssh amalthea
Arch Linux (Core Dump) 2.6.24.3-server
Welcome home :-)
Last login: Mon Apr 14 14:05:28 2008 from hermes.borromini.net

Ssh-add does a lot more than just add keys. It can for example also list the loaded keys and their fingerprints (the fingerprints have been altered):

$ ssh-add -l
2048 e7:7c:1f:b4:07:77:91:6e:e0:92:c7:fc:8f:9b:4e:53 .ssh/id_rsa-zeus (RSA)
2048 1b:b0:69:e9:8b:5e:b1:27:0b:24:49:ba:c4:37:66:d5 .ssh/id_rsa-amalthea (RSA)

With an uppercase -L, ssh-add prints the loaded keys in full (the public halves only; private keys never leave the agent). Similarly, ssh-add -d $key will delete a key, and ssh-add -D will make ssh-agent delete all loaded keys.
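An added example (not code from the original post) of the non-interactive menu entry described above: a small POSIX sh script that never falls back to a password prompt. It checks that an agent socket is reachable and parses the output of ssh-add -l for the key before it calls sshfs, so the menu entry either mounts silently or fails with a message on stderr. The argument layout, the option names passed through sshfs -o, and the sample listings used to exercise it are assumptions; the key is matched by the path you handed to ssh-add, which is what the listing prints as the comment field.

```shell
#!/bin/sh
# mount-share.sh: mount an SSHFS share from a menu entry without any prompt.
# Added example, not code from the original post. Share, mount point and key
# file are passed as arguments; pass the key by the same path you gave to
# ssh-add, because that path is what "ssh-add -l" prints as the comment.
#
#   mount-share.sh user@host:/remote/path /local/mountpoint .ssh/id_rsa-host

# Succeed when the "ssh-add -l" output in $1 lists the key file named in $2.
# Plain text processing, so it also works on a captured listing.
key_loaded_in() {
    printf '%s\n' "$1" | awk -v k="$2" '
        # fields: bits fingerprint comment (type); comment is the path given to ssh-add
        $3 == k { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Succeed when the /proc/mounts-style text in $1 has an entry mounted on $2.
mounted_in() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Succeed when SSH_AUTH_SOCK points at a live agent socket.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Mount $1 (user@host:path) on $2 using key $3. Every failure is reported on
# stderr and returns non-zero instead of falling back to a password prompt.
mount_share() {
    share=$1
    mountpoint=$2
    key=$3
    if mounted_in "$(cat /proc/mounts)" "$mountpoint"; then
        echo "already mounted: $mountpoint" >&2
        return 0
    fi
    if ! agent_reachable; then
        echo "no ssh-agent reachable through SSH_AUTH_SOCK; start one at login first" >&2
        return 1
    fi
    if ! key_loaded_in "$(ssh-add -l 2>/dev/null)" "$key"; then
        echo "$key is not loaded in the agent; run: ssh-add $key" >&2
        return 1
    fi
    # BatchMode=yes makes ssh fail rather than prompt if the agent key is refused;
    # host key checking stays at its default, so the host must already be in known_hosts.
    sshfs -o BatchMode=yes -o IdentityFile="$key" -o reconnect "$share" "$mountpoint"
}

# Unmount $1 (add sudo in front if your setup needs root for this, as the post notes).
unmount_share() {
    fusermount -u "$1"
}

# Act only when invoked with the three arguments; sourcing this file for its
# functions runs nothing.
if [ $# -eq 3 ]; then
    mount_share "$1" "$2" "$3"
fi
```

Point the Openbox menu entry at this script with the three arguments; a second entry can call unmount_share. Because the mount step checks the agent first, the only time a terminal has to appear is the one ssh-add after login.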

We don't want ssh-agent to remain active after we logged out, so we put the following code in our ~/.logout file:

# only act if this session actually started an agent
if [ -n "$SSH_AGENT_PID" ]; then
  eval `ssh-agent -k`
fi

That snippet will kill ssh-agent and unset its environment variables.