Reputation: 25810
I looked at the sshfs --help and there's nothing mentioning a key file. I have multiple pub/priv key pairs (for different servers) on my computer and I want to specify which key to use. How would I do this?
usage: sshfs [user@]host:[dir] mountpoint [options]
general options:
-o opt,[opt...] mount options
-h --help print help
-V --version print version
SSHFS options:
-p PORT equivalent to '-o port=PORT'
-C equivalent to '-o compression=yes'
-F ssh_configfile specifies alternative ssh configuration file
-1 equivalent to '-o ssh_protocol=1'
-o reconnect reconnect to server
-o delay_connect delay connection to server
-o sshfs_sync synchronous writes
-o no_readahead synchronous reads (no speculative readahead)
-o sshfs_debug print some debugging information
-o cache=BOOL enable caching {yes,no} (default: yes)
-o cache_timeout=N sets timeout for caches in seconds (default: 20)
-o cache_X_timeout=N sets timeout for {stat,dir,link} cache
-o workaround=LIST colon separated list of workarounds
none no workarounds enabled
all all workarounds enabled
[no]rename fix renaming to existing file (default: off)
[no]nodelaysrv set nodelay tcp flag in sshd (default: off)
[no]truncate fix truncate for old servers (default: off)
[no]buflimit fix buffer fillup bug in server (default: on)
-o idmap=TYPE user/group ID mapping, possible types are:
none no translation of the ID space (default)
user only translate UID of connecting user
-o ssh_command=CMD execute CMD instead of 'ssh'
-o ssh_protocol=N ssh protocol to use (default: 2)
-o sftp_server=SERV path to sftp server or subsystem (default: sftp)
-o directport=PORT directly connect to PORT bypassing ssh
-o transform_symlinks transform absolute symlinks to relative
-o follow_symlinks follow symlinks on the server
-o no_check_root don't check for existence of 'dir' on server
-o password_stdin read password from stdin (only for pam_mount!)
-o SSHOPT=VAL ssh options (see man ssh_config)
FUSE options:
-d -o debug enable debug output (implies -f)
-f foreground operation
-s disable multi-threaded operation
-o allow_other allow access to other users
-o allow_root allow access to root
-o nonempty allow mounts over non-empty file/dir
-o default_permissions enable permission checking by kernel
-o fsname=NAME set filesystem name
-o subtype=NAME set filesystem type
-o large_read issue large read requests (2.4 only)
-o max_read=N set maximum size of read requests
-o hard_remove immediate removal (don't hide files)
-o use_ino let filesystem set inode numbers
-o readdir_ino try to fill in d_ino in readdir
-o direct_io use direct I/O
-o kernel_cache cache files in kernel
-o [no]auto_cache enable caching based on modification times (off)
-o umask=M set file permissions (octal)
-o uid=N set file owner
-o gid=N set file group
-o entry_timeout=T cache timeout for names (1.0s)
-o negative_timeout=T cache timeout for deleted names (0.0s)
-o attr_timeout=T cache timeout for attributes (1.0s)
-o ac_attr_timeout=T auto cache timeout for attributes (attr_timeout)
-o intr allow requests to be interrupted
-o intr_signal=NUM signal to send on interrupt (10)
-o modules=M1[:M2...] names of modules to push onto filesystem stack
-o max_write=N set maximum size of write requests
-o max_readahead=N set maximum readahead
-o async_read perform reads asynchronously (default)
-o sync_read perform reads synchronously
-o atomic_o_trunc enable atomic open+truncate support
-o big_writes enable larger than 4kB writes
-o no_remote_lock disable remote file locking
Module options:
[subdir]
-o subdir=DIR prepend this directory to all paths (mandatory)
-o [no]rellinks transform absolute symlinks to relative
[iconv]
-o from_code=CHARSET original encoding of file names (default: UTF-8)
-o to_code=CHARSET new encoding of the file names (default: UTF-8)
Upvotes: 26
Views: 36102
Reputation: 281
In principle it works like this (as root, or use sudo):
sshfs -o default_permissions,nonempty,IdentityFile=/home/USER/.ssh/id_rsa SRVUSER@SERVER:PATH /mnt/mountpoint
Replace USER with the user who is in the authorized_keys file of the server, SERVER with the server name (or IP, like 192.168.0.11), SRVUSER with the user on the server (e.g. root, which is not recommended but possible and sometimes necessary; set up your /etc/ssh/sshd_config on the server correctly for this, i.e. directives PermitRootLogin and PasswordAuthentication). Also substitute /mnt/mountpoint accordingly.
The option -o nonempty allows mounting /mnt/mountpoint when this directory is not empty. I have to use this since I keep the file .unmounted in this directory to see if it is mounted or not, so if test -e /mnt/mountpoint/.unmounted returns successfully (i.e. file .unmounted exists in /mnt/mountpoint), it isn't mounted.
A real example:
ssh root@homeserver as user steve worked.
sshfs -o default_permissions,nonempty,IdentityFile=/home/steve/.ssh/id_rsa root@homeserver:/home /mnt/homeserver (as root)
This didn't work, I got the error message: read: Connection reset by peer
Solution: Get more verbose output by adding -o debug.
# sshfs -o default_permissions,nonempty,IdentityFile=/home/steve/.ssh/id_rsa,debug root@homeserver:/home /mnt/homeserver
FUSE library version: 2.9.8
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStT0123
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:2
ECDSA host key for homeserver has changed and you have requested strict checking.
Host key verification failed.
read: Connection reset by peer
And suddenly it is a lot easier to fix. Because the sshd keys were re-created since the last session but /root/.ssh/known_hosts on the local system still has the old keys – it doesn't work. The solution, in my case, was simply to remove the line starting with homeserver from /root/.ssh/known_hosts using an editor (like nano). Now mounting with sshfs works. At the first mount the new key must be acknowledged:
# mount /mnt/homeserver
The authenticity of host 'homeserver (192.168.0.11)' can't be established.
ECDSA key fingerprint is SHA256:aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsS/1234.
Are you sure you want to continue connecting (yes/no)? yes
BTW, this is the line in /etc/fstab:
root@homeserver:/home /mnt/homeserver fuse.sshfs noauto,nonempty,default_permissions,IdentityFile=/home/steve/.ssh/id_rsa 0 0
So even if it is something else, try -o debug first. It will help tremendously to find the fault.
Upvotes: 1
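An added example, not part of the answer above: before deleting a known_hosts entry after a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, compare the fingerprint the server presented with one obtained out of band. The function and sample names are hypothetical, the sample input is built from the warning quoted in the answer, and reading the expected fingerprint at the server console is an assumption.

```sh
#!/bin/sh
# Added example, not from the original answer.
# hostkey_change_verdict EXPECTED_FP < debug-output
#   EXPECTED_FP: fingerprint obtained out of band (assumption: read at the
#   server console with: ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub)
#   exit 0 = presented key matches; the stale known_hosts entry is printed
#   exit 1 = presented key differs from the expected one: do not connect
#   exit 3 = input contains no host-key-changed warning
hostkey_change_verdict() {
    awk -v want="$1" '
        /^The fingerprint for the .* key sent by the remote host is/ { grab = 1; next }
        grab && /^(SHA256|MD5):/ { seen = $1; sub(/\.$/, "", seen); grab = 0 }
        /^Offending .* key in / { entry = $NF }
        END {
            if (seen == "") { print "no-warning"; exit 3 }
            if (seen != want) { print "MISMATCH presented=" seen; exit 1 }
            print "match stale-entry=" entry
        }'
}

# Constructed sample: the relevant lines of the warning quoted in the answer.
sample_warning() {
    cat <<'EOF'
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
The fingerprint for the ECDSA key sent by the remote host is
SHA256:aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStT0123
Please contact your system administrator.
Offending ECDSA key in /root/.ssh/known_hosts:2
Host key verification failed.
EOF
}

# On "match", drop the stale entry and reconnect:
#   ssh-keygen -R homeserver -f /root/.ssh/known_hosts
sample_warning | hostkey_change_verdict \
    'SHA256:aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStT0123'
```

Feed it the output of the failing sshfs -o debug run; a MISMATCH result means the key on the wire is not the one the server administrator reported.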
Reputation: 124648
Notice this option:
-o SSHOPT=VAL ssh options (see man ssh_config)
And if you look at man ssh_config, there is an option to set the path to your private key file, called IdentityFile, so you can do this:
sshfs -oIdentityFile=/abs/path/to/id_rsa server: path/to/mnt/point
The path to the identity file must be an absolute path.
Upvotes: 41
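An added example, not part of the answer above: a preflight check for the key passed via -o IdentityFile, covering the absolute-path requirement and the file mode ssh expects on a private key. The function names are hypothetical; adding IdentitiesOnly=yes (an ssh_config option that makes ssh offer only the named key) assumes your sshfs build passes it through like IdentityFile.

```sh
#!/bin/sh
# Added example, not from the original answers.

# check_identity_file KEY
#   returns 0 if KEY is usable, otherwise prints a reason to stderr and
#   returns 2 (relative path), 3 (missing/unreadable) or 4 (mode too open).
check_identity_file() {
    key=$1
    case $key in
        /*) ;;
        *) echo "identity file must be an absolute path: $key" >&2; return 2 ;;
    esac
    if [ ! -f "$key" ] || [ ! -r "$key" ]; then
        echo "identity file missing or unreadable: $key" >&2; return 3
    fi
    # ssh ignores private keys that group or other can access. Characters
    # 5-10 of the ls mode string are the group and other permission bits.
    mode=$(ls -ldL -- "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "identity file is accessible by group/other: $key" >&2; return 4
    fi
    return 0
}

# sshfs_mount_cmd KEY REMOTE MOUNTPOINT
#   prints the sshfs command line only if the key passes the checks above.
#   Paths containing commas or spaces are not handled here.
sshfs_mount_cmd() {
    check_identity_file "$1" || return
    printf 'sshfs -o IdentityFile=%s,IdentitiesOnly=yes %s %s\n' "$1" "$2" "$3"
}

# Usage:
#   sshfs_mount_cmd /home/steve/.ssh/id_rsa root@homeserver:/home /mnt/homeserver
```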