Limiting sshfs access to a specific directory, or tunneling nfs over ssh.
Howdy all.
I have a server with a /data/ directory, everything in the /data/ folder has "-rwxrw-rw- 1 root root" permissions. The /data/ directory is listed in /etc/exports:
This all works fine, multiple users are mounting this over a lan and everyone is able to modify files. However I would like to be able to access the /data/music/ directory from the internet. My first thought was to change /etc/exports to the following:
However nfs isn't really secure enough for this; ssh seems the way to go.
The problem is that sshfs will give unrestricted access to the whole server. There are two options here.
Is it possible to configure sshfs to only accept logins from a user restricted to reading the /data/music directory, or would it be possible to tunnel nfs over ssh in such a way that everyone on the lan 192.168.0.xxx has unrestricted access to the data directory, but something coming from outside only has read access to the music directory? Although if one were tunneling nfs over ssh, the nfs mount request would appear to come from the server itself. The router is at 192.168.0.1 and the server is at 192.168.0.3.
This seems very much like what I want to do, however I'm having a bit of trouble getting this to work well with other users mounting with full rights over the lan too.
I don't remember the details but there is an option in sshd_config for per user config options. The manpage has an example.
You might try creating a user account just for using sftp. Use rssh for this user's default shell and /data/music for its HOME directory entry in /etc/passwd. Rssh allows restricting shell access and rooting the user to the current directory. Alternatively you could use vsftp over an ssh tunnel.
Your export entry isn't correct. Using the router's IP address won't allow remote access unless you can ssh into the router and from there sftp to the server.
If you were to go the nfs over ssh tunnel approach, google for "nfsv4 over ssh". NFSv4 can use a single tcp port making it suitable for an ssh tunnel. It also has a number of security models more suitable for remote access.
I'm sure that that would work, however nfs seems to have all the features I need built in, "/data/music" limits the directory, and "(ro)" limits the mount to just reading files.
The trouble is getting nfs to tunnel over ssh, and allowing raw nfs mounting from within the lan, while keeping the whole system secure from the www.
You can allow nfs access for the LAN as you do now, and sftp access from the internet.
Using NFS4 would be more suitable for an ssh tunnel because it can use a single TCP port. It also has additional security models. The default UID based method of restricting file access is suitable for a trusted LAN but not for remote access.
It is my understanding that when mounting an nfs share over ssh, the server gets the request from itself, although would it come from 127.0.0.1 or 192.168.0.3? In the case of the latter, obviously the /etc/exports example above would allow someone to mount /data with rw permissions.
Assuming that that is working, in /etc/ssh/sshd_config it only has one option for Listenaddress, and I can't seem to figure out how to manipulate AllowUser to do what I want. That is to allow anyone to access from inside the lan, but only one user to access it from outside the lan, so I couldn't ssh in as a privileged user from the internet.
Thanks
Edit:
I believe that this in /etc/ssh/sshd_config should do the trick
Code:
AllowUsers *@192.168.0.* sleeper
This should allow sleeper (the user used to create the ssh tunnel) access from anywhere, but allow anyone to ssh in from the lan.
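Putting the earlier suggestions together (the per-user sshd_config options, an SFTP-only account rooted in the music directory, and the AllowUsers line just above) as an added example that is not from the thread: an /etc/ssh/sshd_config fragment for OpenSSH. It assumes the Subsystem line is the distro default, that /data itself is root-owned and not group/other writable, and that sleeper is the read-only account used from the internet (sshfs speaks SFTP, so it works with this setup unchanged).

```sshd_config
# Added example for /etc/ssh/sshd_config (OpenSSH); not the thread's own
# configuration. Names and addresses come from the thread: the LAN is
# 192.168.0.0/24, the remote-only account is "sleeper", the data lives
# under /data/music. The Subsystem line is assumed to be the distro default.

# Anyone may log in from the LAN; from anywhere else only "sleeper" may.
AllowUsers *@192.168.0.* sleeper

# Never let root in over the network at all.
PermitRootLogin no

# Per-user settings (the "Match" block mentioned in the first reply).
# Everything below applies only when the user is "sleeper".
Match User sleeper
    # Jail the session in /data so "sleeper" can see nothing outside it.
    # The chroot directory must be owned by root and not be writable by
    # group or others, or sshd refuses the login.
    ChrootDirectory /data
    # Replace the login shell with the in-process SFTP server in
    # read-only mode (-R), starting in /music inside the jail (-d).
    # Files can be fetched but never created, changed or deleted,
    # even though they are mode rw for everyone on disk.
    ForceCommand internal-sftp -R -d /music
    # No port forwarding, no agent or X11 forwarding, no tun devices:
    # the account can do nothing except read files over SFTP.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

If sleeper is instead meant only to build the NFS tunnel, drop ChrootDirectory and ForceCommand and replace `AllowTcpForwarding no` with `AllowTcpForwarding local` plus `PermitOpen 127.0.0.1:2049`, so the account can forward nothing but the NFS port. The /etc/exports entry that 127.0.0.1 then matches still has to be limited to /data/music and ro, otherwise the tunneled mount inherits whatever the LAN entry allows.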