LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
01-22-2010, 05:07 PM   #1
Jophish
LQ Newbie
Registered: Jun 2008
Posts: 6
Limiting sshfs access to a specific directory, or tunneling nfs over ssh.


Howdy all.

I have a server with a /data/ directory, everything in the /data/ folder has "-rwxrw-rw- 1 root root" permissions. The /data/ directory is listed in /etc/exports:
Code:
$ cat /etc/exports
/data 192.168.0.0/255.255.255.0(rw,sync)
This all works fine, multiple users are mounting this over a lan and everyone is able to modify files. However I would like to be able to access the /data/music/ directory from the internet. My first thought was to change /etc/exports to the following:

Code:
/data 192.168.0.2/255.255.255.0(rw,sync)
/data/music 192.168.0.1(ro,sync)
However, nfs isn't really secure enough for this; ssh seems the way to go.
The problem is that sshfs will give unrestricted access to the whole server. There are two options here.
Is it possible to configure sshfs to only accept logins from a user restricted to reading the /data/music directory, or would it be possible to tunnel nfs over ssh in such a way that everyone on the lan 192.168.0.xxx has unrestricted access to the data directory, but something coming from outside only has read access to the music directory? Although if one were tunneling nfs over ssh, the nfs mount request would appear to come from the server itself. The router is at 192.168.0.1 and the server is at 192.168.0.3.

This seems very much like what I want to do; however, I'm having a bit of trouble getting this to work well with other users mounting with full rights over the lan too.

Thanks very much.
 
01-22-2010, 06:00 PM   #2
jschiwal
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
I don't remember the details but there is an option in sshd_config for per user config options. The manpage has an example.

You might try creating a user account just for using sftp. Use rssh for this user's default shell and /data/music for its HOME directory entry in /etc/passwd. Rssh allows restricting shell access and rooting the user to the current directory. Alternatively you could use vsftp over an ssh tunnel.

http://www.cyberciti.biz/tips/rhel-c...ssh-shell.html
This page goes through instructions to jailroot users.
http://www.cyberciti.biz/tips/howto-...ail-setup.html

Your export entry isn't correct. Using the router's IP address won't allow remote access unless you can ssh into the router and from there sftp to the server.

If you were to go the nfs over ssh tunnel approach, google for "nfsv4 over ssh". NFSv4 can use a single tcp port making it suitable for an ssh tunnel. It also has a number of security models more suitable for remote access.

Last edited by jschiwal; 01-22-2010 at 06:14 PM.
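An added example, not code from the thread, of the OpenSSH-native way to get what reply #2 describes: an account that can only run sftp and only ever sees /data/music. It uses sshd's own Match block with ChrootDirectory and ForceCommand internal-sftp (available since OpenSSH 4.9) rather than rssh. The account name musicro, the sshd_config location and the use of GNU stat(1) are assumptions. sshd refuses to chroot into a directory unless every component of the path is root-owned and not writable by group or others, which the OP's "-rwxrw-rw- root root" tree is not, so the script checks that before it touches anything.

```shell
#!/bin/sh
# Added example, not code from the thread: an sftp-only account jailed in /data/music
# using sshd's Match block + ChrootDirectory + ForceCommand internal-sftp (OpenSSH >= 4.9),
# the in-tree alternative to the rssh setup suggested in reply #2.
# Assumptions (not from the page): account "musicro", jail /data/music, GNU stat(1),
# sshd_config at /etc/ssh/sshd_config. "sh thisfile apply" changes the system (as root);
# with no argument it only prints the stanza and runs the checks.

# sshd rejects ChrootDirectory unless every component of the path is owned by root and
# writable by nobody else. The OP's "-rwxrw-rw- root root" tree fails that test.

mode_ok() {                     # mode_ok 755 -> true ; mode_ok 775 / 766 / 1777 -> false
    [ $(( 0$1 & 022 )) -eq 0 ]  # $1 is an octal mode string; 022 = group+other write bits
}

chroot_component_ok() {         # chroot_component_ok DIR -> true if root-owned and mode_ok
    [ -d "$1" ] || return 1
    set -- $(stat -c '%u %a' "$1")      # e.g. "0 755"
    [ "$1" -eq 0 ] && mode_ok "$2"
}

chroot_path_ok() {              # chroot_path_ok /data/music checks /, /data and /data/music
    rest=${1#/}; cur=
    chroot_component_ok / || return 1
    while [ -n "$rest" ]; do
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        chroot_component_ok "$cur" || return 1
    done
}

sftp_only_stanza() {            # sftp_only_stanza USER DIR -> sshd_config Match block
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

JAIL_USER=musicro
JAIL_DIR=/data/music

if [ "${1:-}" = apply ]; then
    # The jail root must be root:root and not group/other writable. Files inside keep
    # their own modes: with the OP's 0766 files the jailed account could still write
    # them over sftp, so a read-only share also needs "chmod -R go-w" on the content.
    chown root:root "$JAIL_DIR" && chmod 0755 "$JAIL_DIR"
    chroot_path_ok "$JAIL_DIR" || { echo "sshd would refuse ChrootDirectory $JAIL_DIR" >&2; exit 1; }
    # No shell is needed: internal-sftp runs inside sshd. Home lies inside the jail, so
    # sshd starts the session at the jail root. Set a password or an authorized key next.
    id "$JAIL_USER" >/dev/null 2>&1 || useradd -M -d "$JAIL_DIR" -s /bin/false "$JAIL_USER"
    # Match blocks must follow the global settings, so append, then syntax-check.
    sftp_only_stanza "$JAIL_USER" "$JAIL_DIR" >> /etc/ssh/sshd_config
    sshd -t && echo "sshd_config ok: reload sshd to activate"
else
    sftp_only_stanza "$JAIL_USER" "$JAIL_DIR"
    if chroot_path_ok "$JAIL_DIR"; then echo "# $JAIL_DIR acceptable as ChrootDirectory"
    else echo "# $JAIL_DIR not (yet) acceptable as ChrootDirectory"; fi
fi
```

The point of checking the whole path rather than just /data/music is that sshd walks every component; a group-writable /data is enough for the login to fail with "bad ownership or modes for chroot directory" in the log, and the jailed account, not the LAN users, is the one who notices.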
 
01-22-2010, 06:12 PM   #3
Jophish
LQ Newbie
Registered: Jun 2008
Posts: 6
Original Poster
Thanks for the prompt reply.

I'm sure that would work; however, nfs seems to have all the features I need built in: "/data/music" limits the directory, and "(ro)" limits the mount to just reading files.
The trouble is getting nfs to tunnel over ssh and allowing raw nfs mounting from within the lan, while keeping the whole system secure from the www.

Thanks.
 
01-22-2010, 06:20 PM   #4
jschiwal
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
I added a line to my original message.

You can allow nfs access for the LAN as you do now, and sftp access from the internet.
Using NFS4 would be more suitable for an ssh tunnel because it can use a single TCP port. It also has additional security models. The default UID based method of restricting file access is suitable for a trusted LAN but not for remote access.
 
01-23-2010, 07:03 AM   #5
Jophish
LQ Newbie
Registered: Jun 2008
Posts: 6
Original Poster
It seems like nfsv4 over ssh is the way to go then.

I should be able to do something like this.
/etc/exports should look like this:
Code:
/data 192.168.0.0/255.255.255.0(rw,sync)
/data/music 127.0.0.1(ro,sync)
It is my understanding that when mounting an nfs share over ssh, the server gets the request from itself, although would it come from 127.0.0.1 or 192.168.0.3? In the case of the latter, obviously the /etc/exports example above would allow someone to mount /data with rw permissions.

Assuming that that is working, /etc/ssh/sshd_config only has one option for ListenAddress, and I can't seem to figure out how to manipulate AllowUsers to do what I want. That is, to allow anyone to access it from inside the lan, but only one user to access it from outside the lan, so that I couldn't ssh in as a privileged user from the internet.

Thanks

Edit:

I believe that this in /etc/ssh/sshd_config should do the trick
Code:
AllowUsers *@192.168.0.* sleeper
This should allow sleeper (the user used to create the ssh tunnel) access from anywhere, but allow anyone to ssh in from the lan.

Last edited by Jophish; 01-23-2010 at 05:34 PM.
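An added example, not code from the thread, to settle the question above about which address the tunnelled mount request carries. With "ssh -L 2049:127.0.0.1:2049", sshd on the server makes the connection to port 2049 itself, over loopback, so nfsd sees the request coming from 127.0.0.1 and not from 192.168.0.3. The script below models how the server evaluates /etc/exports for a given client address (a simplified model of exportfs: IPv4 only, client forms "*", a.b.c.d, a.b.c.d/mask and a.b.c.d/prefix, most specific exported ancestor wins, ro unless rw is listed) and runs the proposed exports through both cases. The exports file is constructed here to mirror the one in this post; the host name server.example.org and the sleeper account in the tunnel command are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Models how the server answers a mount request
# from a given client address against an /etc/exports file, to compare what happens when
# the tunnelled request shows up from 127.0.0.1 versus 192.168.0.3.
# Simplified exportfs semantics: IPv4 only; client forms "*", a.b.c.d, a.b.c.d/mask and
# a.b.c.d/prefix; the most specific exported ancestor of the requested path that matches
# the client wins; exports are ro unless rw is listed. No hostnames or netgroups.
# The exports file is constructed here to mirror the proposal in post #5.

ip_to_int() {                   # ip_to_int 192.168.0.3 -> 3232235523
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

netmask_to_int() {              # netmask_to_int 255.255.255.0 or 24 -> 4294967040
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

client_matches() {              # client_matches SPEC IP, e.g. 192.168.0.0/255.255.255.0 192.168.0.5
    case $1 in
        '*') return 0 ;;
        */*) net=${1%%/*}; mask=$(netmask_to_int "${1#*/}") ;;
        *)   net=$1;       mask=$(( 0xFFFFFFFF )) ;;
    esac
    [ $(( $(ip_to_int "$2") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

export_access() {               # export_access EXPORTS_FILE CLIENT_IP PATH -> rw | ro | none
    file=$1; ip=$2; want=$3; best=; mode=none
    while read -r path rest; do
        case $path in ''|'#'*) continue ;; esac
        case $want in "$path"|"$path"/*) ;; *) continue ;; esac   # exported ancestor?
        for entry in $rest; do                                       # each client(options)
            spec=${entry%%\(*}
            case $entry in *\(*) opts=${entry#*\(}; opts=${opts%\)} ;; *) opts= ;; esac
            client_matches "$spec" "$ip" || continue
            if [ -z "$best" ] || [ ${#path} -gt ${#best} ]; then
                best=$path; mode=ro
                case ",$opts," in *,rw,*) mode=rw ;; esac
            fi
        done
    done < "$file"
    echo "$mode"
}

EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
# constructed sample: the /etc/exports proposed in post #5
/data       192.168.0.0/255.255.255.0(rw,sync)
/data/music 127.0.0.1(ro,sync)
EOF

# Client side of the tunnel (hypothetical host name; NFSv4 needs only TCP 2049):
#   ssh -f -N -L 2049:127.0.0.1:2049 sleeper@server.example.org
#   mount -t nfs4 -o port=2049 127.0.0.1:/music /mnt/music   # path below the fsid=0 root
# sshd on the server connects to 127.0.0.1:2049 itself, so nfsd sees source 127.0.0.1:
export_access "$EXPORTS" 127.0.0.1   /data/music    # ro
export_access "$EXPORTS" 127.0.0.1   /data          # none
# Had the request carried the server's LAN address, the rw line would have matched:
export_access "$EXPORTS" 192.168.0.3 /data/music    # rw
```

The design choice worth noting is that the loopback source address is what makes the ro restriction hold: the 192.168.0.0/24 line never matches 127.0.0.1, so the tunnel user gets exactly the /data/music(ro) entry and nothing else, while LAN clients still hit the rw line for /data and everything under it.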
 
01-24-2010, 04:59 AM   #6
jschiwal
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
Code:
/data 192.168.0.0/255.255.255.0(fsid=0,rw,sync)
/data/music 127.0.0.1(ro,sync)
This page may have better information on what you want for exports, and fstab: http://www.vanemery.com/Linux/NFSv4/...ec.html#sshtun
It doesn't use rpcsec.
 
  


Tags
nfs, ssh, sshfs, tunneling