Reverse SSHFS mounts (fs push)

sshfs is a neat way of mounting a file system from one machine to another over an encrypted ssh channel. However, for machine CLIENT to access a file system that resides on machine HOST, CLIENT must generally be able to log in to HOST. In addition, CLIENT must be able to connect to HOST in the first place, though a tunnel from HOST to CLIENT can easily mediate this if a connection can only be initiated in that direction.

However, the login itself may still be an issue. You might not want to type your password for HOST on CLIENT, or set up a keyless login using public/private keys. You might not entirely trust CLIENT, from which you want to access the file system.

dpipe to the rescue.

Using dpipe, available in the “vde2” package on Debian (and, likely, derivatives), you can initiate the connection the other way and use sshfs in “slave mode”, in which it communicates over standard input and output instead of an SSH connection directly.

This is what you’d normally do:

sshfs YOU@HOST:/mnt/host/path /mnt/client/path

.. from CLIENT

Instead, you can do:

dpipe /usr/lib/openssh/sftp-server = ssh CLIENT sshfs :/mnt/host/path /mnt/client/path -o slave

.. from HOST!

Add any options you want as usual, and you’ve got a reverse SSHFS mount.

One cautionary note: while this setup lets you initiate the connection from HOST and keeps your login details for HOST private, it will likely still allow clever people on CLIENT to access the entire file structure of HOST with the access rights of the user who initiated the connection, the same as could happen if you initiated the connection from CLIENT. Thus, some trust in CLIENT is still required, though perhaps considerably less than you’d need for the usual setup.
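One way to shrink that exposure is to enforce limits on the HOST side, since anything passed to sshfs runs on the less trusted CLIENT. The sketch below is an added example, not part of the original post: it builds the same dpipe command with sftp-server's -R (read-only) and logging flags and rejects arguments that could change what gets run. The function name and the character whitelist are assumptions made for illustration; CLIENT and the paths are the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Run on HOST.
# Path below is the Debian location used in the post.
SFTP_SERVER=/usr/lib/openssh/sftp-server

# Hypothetical helper: print the dpipe command for a read-only reverse mount.
# $1 = CLIENT (ssh destination), $2 = path on HOST, $3 = mount point on CLIENT
reverse_sshfs_cmd() {
    client=$1 host_path=$2 client_path=$3

    # An empty or dash-led destination would be parsed by ssh as an option.
    case $client in
        ''|-*) echo "invalid ssh destination" >&2; return 1 ;;
    esac

    # Require absolute paths with no ".." component, so the path that is
    # mounted is the one that was reviewed.
    for p in "$host_path" "$client_path"; do
        case $p in
            /*) ;;
            *) echo "path must be absolute: $p" >&2; return 1 ;;
        esac
        case /$p/ in
            */../*) echo "path must not contain '..': $p" >&2; return 1 ;;
        esac
    done

    # ssh hands the remote command to CLIENT's shell, so allow only a
    # conservative character set (no spaces, quotes or metacharacters).
    case $client$host_path$client_path in
        *[!A-Za-z0-9@._/:-]*) echo "unsupported character" >&2; return 1 ;;
    esac

    # -R          sftp-server refuses every write request (enforced on HOST)
    # -e -l INFO  log each file operation to stderr, i.e. HOST's terminal
    printf 'dpipe %s -R -e -l INFO = ssh %s sshfs :%s %s -o slave\n' \
        "$SFTP_SERVER" "$client" "$host_path" "$client_path"
}

# Dry run with the post's placeholders: prints the command, runs nothing.
reverse_sshfs_cmd CLIENT /mnt/host/path /mnt/client/path
```

-R only blocks writes: reads anywhere the HOST user can read are still possible, so run the command as a dedicated low-privilege user on HOST if that matters.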

Have fun!

