My server used to run NFS v3 so I could easily manage my multimedia collection from my local laptop. I found out a few months ago NFS v4 boasts quite some improvements over v3, so I planned to migrate. Unfortunately that never got further than the stage of building the required packages, and yesterday I decided to give SSHFS another go. Compared to v3, NFS v4 brings a more secure solution, but at the cost of slightly more complicated configuration. SSHFS, on the other hand, is childishly easy to set up.
Here's how it goes:
sshfs user@host:$path /mountpoint
SSH will prompt you for your password (or passphrase if you use a key setup). The one drawback compared to NFS is that you have to give this password/passphrase every single time you mount it (unmounting is done with fusermount -u /mountpoint and requires no authentication). This poses problems if you want it done non-interactively - I have it integrated into my Openbox menu and it's kind of ugly to have a terminal pop up to ask for the password every time. That's where ssh-agent comes in.
I will not cover setting up SSH keys; this is a fairly easy process and has been documented extensively already. Ssh-agent allows you to cache your keys so you only have to type their passphrases once during your session. There seems to be no way to script it to parse multiple keys and accept redirected input - the documentation says it will work with STDIN via a tty (or a virtual terminal) or X. This means you have to feed it the keys one at a time - having it accept redirected input would have allowed one to script and loop over the keys, feeding it the passphrase(s). Of course, having your passphrase(s) in plain text in a script is just another potential security hole - I use one passphrase for all my keys however, and by putting it into a variable, feeding that to the loop, and unsetting it afterwards I think one is pretty safe. A real pity it does not work...
Anyway - back on topic. Ssh-agent needs to be run at login to work properly (read: its environment variables must be exported so the programs in your session can talk to it). This can be handled through XDM or KDM; however, an alternate method is to have your ~/.bashrc or ~/.bash_profile do the job:
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
# Only start an agent when none is reachable yet and the binary is executable
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
    eval `$SSHAGENT $SSHAGENTARGS`      # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    trap "kill $SSH_AGENT_PID" 0        # kill the agent when this shell exits
fi
This piece of code will launch ssh-agent the right way. Either log out and back in again or source your .bashrc, and open a terminal to add an SSH key:
[stijn@hermes ~]$ ssh-add .ssh/id_rsa-amalthea
Enter passphrase for .ssh/id_rsa-amalthea:
Identity added: .ssh/id_rsa-amalthea (.ssh/id_rsa-amalthea)
Voilà, that should do the job. Your key is now cached and during this session you won't be asked for the password anymore. Let's put it to the test:
[stijn@hermes ~]$ ssh amalthea
Arch Linux (Core Dump) 2.6.24.3-server
Welcome home :-)
Last login: Mon Apr 14 14:05:28 2008 from hermes.borromini.net
[stijn@amalthea ~]$
Did you see a passphrase prompt? I know I didn't ;-). Ssh-add does a lot more than just add keys - the name is a bit unlucky actually. It can for example also list the loaded keys and their fingerprints (FYI - they have been altered):
[stijn@hermes ~]$ ssh-add -l
2048 e7:7c:1f:b4:07:77:91:6e:e0:92:c7:fc:8f:9b:4e:53 .ssh/id_rsa-zeus (RSA)
2048 1b:b0:69:e9:8b:5e:b1:27:0b:24:49:ba:c4:37:66:d5 .ssh/id_rsa-amalthea (RSA)
Using an uppercase -L, ssh-add will print the (public!) keys. Similarly, ssh-add -d $key will delete a key, and ssh-add -D will make ssh-agent delete all loaded keys.
We don't want ssh-agent to remain active after we log out, so put the following code in your ~/.logout file:
if [ -n "$SSH_AGENT_PID" ]; then
    eval `ssh-agent -k`     # tells the agent to exit and prints the unset commands
fi
That snippet will kill ssh-agent and unset its environment variables. Up till now I have not done heavy transfers over SSHFS, but browsing remote folders seems to go pretty well - I do remember NFS had problems with that. So it surely looks promising :-).
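The pieces above (start the agent once, add a key, mount with sshfs, kill the agent on logout) can be tied together so a menu entry never has to open a terminal. The following script is an added example, not code from the original post: it caches the agent's variables in a file so later shells and the Openbox menu reuse the same agent instead of starting new ones, checks with ssh-add -l whether a key is already loaded before asking for its passphrase again, and mounts with BatchMode so a missing key produces an error instead of a hidden prompt. The env file path, the key file name, the remote path and the mountpoint are assumptions, and the SSHFS_WRAPPER_RUN guard is a constructed switch so the functions can be sourced without side effects.

```shell
#!/bin/sh
# Added example: wrapper around ssh-agent, ssh-add, sshfs and fusermount.
# Assumptions (not from the original post): AGENT_ENV path, key file name,
# remote path and mountpoint used in the usage section at the bottom.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed location of the cached agent variables

# ssh-add -l exits 0 with keys loaded, 1 with an empty agent, 2 if no agent is reachable.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Reuse a running agent (current env, then the cached env file); start one only if needed.
# The env file is written with umask 077 so only the owner can read the socket path and pid.
ensure_agent() {
    agent_reachable && return 0
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null            # ssh-agent -s output also echoes "Agent pid", hence >/dev/null
        agent_reachable && return 0
    fi
    (umask 077; ssh-agent -s > "$AGENT_ENV")
    . "$AGENT_ENV" >/dev/null
    agent_reachable
}

# Read `ssh-add -l` output on stdin; exit 0 if a loaded key's comment equals $1, else 1.
# Each line is: <bits> <fingerprint> <comment...> (<type>), so compare fields 3..NF-1.
key_loaded() {
    awk -v want="$1" '{ for (i = 3; i < NF; i++) if ($i == want) found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Add the key only when it is not loaded yet, so the passphrase is asked at most once per session.
load_key() {
    ssh-add -l 2>/dev/null | key_loaded "$1" || ssh-add "$1"
}

# $1 = user@host:path, $2 = mountpoint. Skip if already mounted. BatchMode=yes is passed
# through to ssh, so without a usable key the mount fails instead of waiting for input.
mount_remote() {
    mountpoint -q "$2" && return 0
    mkdir -p "$2"
    sshfs "$1" "$2" -o reconnect -o ServerAliveInterval=15 -o BatchMode=yes
}

umount_remote() {
    mountpoint -q "$1" && fusermount -u "$1"
}

# For ~/.logout: ask the agent to exit and drop the cached variables.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] && ssh-agent -k >/dev/null
    rm -f "$AGENT_ENV"
}

# Usage (only runs when SSHFS_WRAPPER_RUN=1 is set; a constructed guard for this example).
if [ "${SSHFS_WRAPPER_RUN:-0}" = 1 ]; then
    ensure_agent
    load_key "$HOME/.ssh/id_rsa-amalthea"                          # assumed key file
    mount_remote stijn@amalthea:/srv/media "$HOME/mnt/amalthea"    # assumed remote path and mountpoint
fi
```

Source the script from ~/.bashrc and call ensure_agent there; a menu entry can then run `sh -c '. ~/bin/sshfs-wrapper.sh; ensure_agent && load_key ~/.ssh/id_rsa-amalthea && mount_remote ...'` (the script path is an assumption). Only ssh-add itself ever touches the passphrase, so nothing secret ends up in the env file or in the script.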
Comments
SSHFS is a good idea