On Tuesday 09 February 2021 16:00:23 David Christensen wrote:
> On 2021-02-09 05:15, Gene Heskett wrote:
> > On Tuesday 09 February 2021 02:29:02 David Christensen wrote:
> >> On 2021-02-08 21:01, Gene Heskett wrote:
> >>> Greetings all;
> >>>
> >>> I have sshfs setup so I can move files around between this box and
> >>> 4 others, 3 of which are now running buster. Works only for the
> >>> user, me.
> >>
> >> I have previously installed my public SSH key from the local
> >> computer 'tinkywinky' to the remote computer 'po' with
> >> ssh-copy-id(1):
> >
> > Don't recall doing this, plz describe
>
> I initially created an SSH keypair with a passphrase using
> ssh-keygen(1). If a villain gets my SSH keypair, he also has to get
> my SSH passphrase to access the computers and accounts where I have
> installed the SSH public key.
>
>
> When I open a terminal, I run ssh-agent(1) and ssh-add(1) to manage my
> SSH keys. I enter my passphrase once, and ssh-agent(1) will provide
> it to SSH-aware software for me:
>
> 2021-02-09 12:32:30 dpchrist@tinkywinky ~
> $ ssh-agent bash -l
>
> 2021-02-09 12:32:32 dpchrist@tinkywinky ~
> $ ssh-add
> Enter passphrase for /home/dpchrist/.ssh/id_rsa:
> Identity added: /home/dpchrist/.ssh/id_rsa
> (/home/dpchrist/.ssh/id_rsa)
>
>
> If I remove my SSH public key from po, I can demonstrate
> ssh-copy-id(1). ssh-agent(1) will provide my SSH passphrase, but I
> will need to enter the password for the account on the remote host:
>
> 2021-02-09 12:12:02 dpchrist@tinkywinky ~
> $ ssh-copy-id po
> /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s),
> to filter out any that are already installed
> /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you
> are prompted now it is to install the new keys
> dpchrist@po's password:
>
> Number of key(s) added: 1
>
> Now try logging into the machine, with: "ssh 'po'"
> and check to make sure that only the key(s) you wanted were added.
>
>
> I can now log in to 'po' using ssh(1). ssh-agent(1) will provide my
> passphrase. I do not need to enter my SSH passphrase or my remote
> account password:
>
> 2021-02-09 12:12:10 dpchrist@tinkywinky ~
> $ ssh po
> Linux po 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64
> Last login: Tue Feb 9 12:10:11 2021 from 192.168.5.74
>
> 2021-02-09 12:12:12 dpchrist@po ~
> $
>
>
> Similarly, scp(1), rsync(1), and others will operate without requiring
> passphrases or passwords. This is especially useful for scripts,
> cron(8) jobs, etc.
>
> >> I created an fstab(5) entry on the local machine for mounting the
> >> remote root directory with my unprivileged account. Note the
> >> options:
> >>
> >> 2021-02-08 22:37:51 dpchrist@tinkywinky ~
> >> $ grep 'po:/' /etc/fstab | perl -pe 's/\t+/ /g'
> >> po:/ /po fuse.sshfs ro,noauto,user 0 0
> >
> > I've never had any of this below in my fstab, haven't needed it for
> > the other 4 machines.
>
> fstab(1) is the canonical location for mount information. By putting
> it there, standard tools will know where to find it.
>
> >> I created a mount point and I set the owner and group to match my
> >> unprivileged account. The directory is empty:
> >>
> >> 2021-02-08 22:39:38 dpchrist@tinkywinky ~
> >> $ ls -la /po
> >> total 8
> >> drwxr-xr-x  2 dpchrist dpchrist 4096 Jan 21 13:32 .
> >> drwxr-xr-x 27 root     root     4096 Jan 21 13:32 ..
> >
> > Matches mine. Difference is that I put all those mountpoints in the
> > /sshnet subdir
> >
> > gene@coyote:~$ ls -la /sshnet/
> > total 36
> > drwxr-xr-x  9 gene gene 4096 Feb  9 07:37 .
> > drwxr-xr-x 28 root root 4096 Dec 12 03:44 ..
> > drwxr-xr-x  1 root root 4096 Feb  4 15:59 GO704
> > drwxr-xr-x  2 root root 4096 Feb  8 10:10 Hardinge1
> > drwxr-xr-x  1 root root 4096 Feb  3 14:16 lathe
> > drwxr-xr-x  2 root root 4096 Apr 25  2019 redpitaya
> > drwxr-xr-x  1 root root 4096 Feb  1 04:46 rpi4
> > drwxr-xr-x  1 root root 4096 Feb  4 15:43 sixty40
> > drwxr-xr-x  2 root root 4096 May  2  2019 vna
>
> Assuming that command was run when /sshnet/Hardinge1 was not mounted
> (see below), the owner and group of Hardinge1 is root:root, not
> gene:gene.
>
> On 2021-02-09 07:05, David Wright wrote:
> > Change the ownership of Hardinge1.
>
> Yes, that is the correct solution.
>
>
> We were all confused by a feature of mount(1) -- mounting a remote
> filesystem changes the owner and group of the mount point on the local
> machine while the remote filesystem is mounted:
>
> 2021-02-09 12:13:43 dpchrist@tinkywinky ~
> $ mount | grep '/po'
>
> 2021-02-09 12:23:26 dpchrist@tinkywinky ~
> $ ls -ld /po
> drwxr-xr-x 2 dpchrist dpchrist 4096 Jan 21 13:32 /po
>
> 2021-02-09 12:23:29 dpchrist@tinkywinky ~
> $ mount /po
>
> 2021-02-09 12:24:14 dpchrist@tinkywinky ~
> $ mount | grep '/po'
> po:/ on /po type fuse.sshfs
> (ro,nosuid,nodev,noexec,relatime,user_id=13250,group_id=13250,user=dpchrist)
>
> 2021-02-09 12:24:17 dpchrist@tinkywinky ~
> $ ls -ld /po
> drwxr-xr-x 1 root root 4096 Aug 30 18:09 /po
>
>
> The owner and group are restored when the filesystem is unmounted:
>
> 2021-02-09 12:24:21 dpchrist@tinkywinky ~
> $ fusermount -u /po
>
> 2021-02-09 12:25:45 dpchrist@tinkywinky ~
> $ ls -ld /po
> drwxr-xr-x 2 dpchrist dpchrist 4096 Jan 21 13:32 /po
>
>
> Finally, you might want to make the 'mount-machines' script
> idempotent:
>
> https://en.wikipedia.org/wiki/Idempotent
>
>
> E.g. add a conditional to check if a given filesystem is already
> mounted, and only mount the filesystem when it is not. This would
> prevent the "fuse: mountpoint is not empty" and "fuse: if you are sure
> this is safe, use the 'nonempty' mount option" error messages and
> resulting confusion. (Similarly, 'unmount-machines'.)
>
>
> David
Thanks David, all rather complex, so I put it on a piece of dead tree for
future reference. I need to clean up my known-hosts anyway.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
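As an added example (not code from the thread or from either poster), here is one way to write the idempotent 'mount-machines' and 'unmount-machines' helpers David suggests, assuming fstab(5) entries of the kind he shows (fuse.sshfs with the user option, so an unprivileged account can run mount and fusermount -u). The MOUNTS_FILE and MOUNT_CMD parameters are hypothetical hooks so the mounted-check and the non-empty-mountpoint check can be exercised against a constructed mount table without a live sshfs host.

```shell
#!/bin/sh
# Idempotent 'mount-machines' helper (added example, not from the thread).
# Assumes fstab(5) entries such as
#   lathe:/  /sshnet/lathe  fuse.sshfs  ro,noauto,user  0 0
# so an unprivileged user can run "mount /sshnet/lathe".

# is_mounted MOUNTPOINT [MOUNTS_FILE]: succeeds if MOUNTPOINT is a current
# mount target. Reads /proc/mounts unless a (constructed) table is given.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# mount_if_needed MOUNTPOINT [MOUNTS_FILE] [MOUNT_CMD]: mount only when not
# already mounted. MOUNT_CMD (hypothetical, defaults to mount(8)) lets the
# control flow run without a reachable sshfs server.
mount_if_needed() {
    mp=$1; mounts=${2:-/proc/mounts}; cmd=${3:-mount}
    if is_mounted "$mp" "$mounts"; then
        echo "already mounted: $mp"
        return 0
    fi
    # A non-empty unmounted directory is what triggers
    # "fuse: mountpoint is not empty"; stop instead of papering over it
    # with the 'nonempty' option.
    if [ -n "$(ls -A "$mp" 2>/dev/null)" ]; then
        echo "refusing: $mp is not empty" >&2
        return 2
    fi
    "$cmd" "$mp"
}

# unmount_if_mounted MOUNTPOINT [MOUNTS_FILE] [UNMOUNT_CMD]: the
# 'unmount-machines' counterpart; fusermount -u is the user-level FUSE unmount.
unmount_if_mounted() {
    if is_mounted "$1" "${2:-/proc/mounts}"; then
        ${3:-fusermount -u} "$1"
    else
        echo "not mounted: $1"
    fi
}

# mount_machines MOUNTPOINT...: e.g. mount_machines /sshnet/lathe /sshnet/rpi4
mount_machines() {
    rc=0
    for mp in "$@"; do mount_if_needed "$mp" || rc=1; done
    return $rc
}
```

Running mount_machines twice in a row is harmless: the second run reports each path as already mounted instead of tripping the FUSE non-empty check.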