Sharing folders over the internet with SSHFS [Arch Linux, Ubuntu, CentOS 7/8]

What?

This guide will teach you everything you need to know to elegantly and securely share a folder over the internet using ssh on Linux. By the end of this guide you should be able to seamlessly use the shared folder as if it were on your local drive.

Why?

It can be handy to be able to access a personal NAS/storage server through the internet; using SSH ensures a fast, reliable and secure connection with a relatively simple setup. This also works on local networks though at that point there are easier ways of achieving this since security isn't as much of a concern.

 

But more importantly, how?

I'm glad you asked.

 

Step 0: Requirements

Before we start there are a few things you'll need and I will assume you have.

To follow this guide you will need at least:

  • A computer running a Linux distribution which hosts the folder you want to share, hereafter referred to as "server". This will have to be always on for obvious reasons so I would recommend using something that doesn't draw too much power. A Raspberry Pi (any generation really) with an external drive would be a good starting option.
  • A computer running a Linux distribution which will be used to access the shared folder remotely, hereafter referred to as "client"
  • Unrestricted local access to the network the server is connected to.
  • Superuser privileges on both the client and the server
  • An internet connection for initial setup

If you wish to do this through the internet you will additionally need:

  • A router and a modem that support port forwarding (for most people these will be part of a single piece of equipment you got from your ISP)
  • A dynamic DNS domain. I will not cover how to set this up because it can vary wildly depending on your network setup and the service you subscribe to; there are plenty of guides on how to do this with various configurations. Personally I use no-ip which offers up to 3 free domain names - the only "catch" being that you need to click on a renewal link every 30 days. (disclaimer - I was not paid by no-ip to say this)

This guide assumes you're using a systemd distribution; you can still do this on a distribution that doesn't use systemd but you'll have to figure out what the equivalent commands for your init system are on your own. Most major distributions - including Arch, Debian, Ubuntu, Fedora and CentOS - use systemd so if you don't know what I'm talking about you'll probably be fine.

 

This *should* also work on FreeBSD, macOS and Windows (minus the systemd part) but I didn't try it and the setup varies. If you want to try it anyway you should be able to find some guides on how to install the required software.

 

Step 1: Initial server setup

First of all you will need to install and enable OpenSSH on your server, if you haven't already.

Install the OpenSSH server.

 

Arch Linux:


sudo pacman -S openssh

 

Debian/Ubuntu:


sudo apt install openssh-server

or


sudo apt-get install openssh-server

on old releases.

 

Fedora/CentOS/RHEL:


sudo yum install openssh-server

--------------------------------------

 

Next, start and enable the sshd service:


sudo systemctl start sshd

sudo systemctl enable sshd

 

 

Step 2: Initial Client setup

You will need to install OpenSSH on the client as well:

Arch Linux:


sudo pacman -S openssh

 

Debian/Ubuntu:


sudo apt install openssh-client

or


sudo apt-get install openssh-client

on old releases.

 

Fedora/CentOS/RHEL:


sudo yum install openssh-clients

 

------------------

 

Unlike the server the client doesn't need the sshd service to be running; to test that both the server and the client have a working OpenSSH configuration try connecting to the server:


ssh <server's username>@<server's ip address>

Enter the password and, if all has gone well, you should now be logged in to your server.

 

 

Step 3: Security

Before we proceed any further we need to take care of security and authentication methods. We will set up the server and client to use public key authentication. Not only is this more secure, it will also allow you to connect automatically without needing to enter your password, which will be useful later.

 

Generate a new key pair on your client:


ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

and go with the defaults (unless you know what you're doing).

 

Then, copy the public key to the server using scp (it should come with OpenSSH):


scp ~/.ssh/id_rsa.pub <server's user>@<server's ip>:

then login to your server and authorize your public key:
 


mkdir -p ~/.ssh

chmod 700 ~/.ssh

cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

rm ~/id_rsa.pub

chmod 600 ~/.ssh/authorized_keys

You should now be able to ssh into the server from the client without entering a password; make sure that is the case before proceeding.

 

Next, we should disable password access. On the server, edit /etc/ssh/sshd_config (as superuser) and add the following line:


PasswordAuthentication no

 

You may want to leave password access enabled on your local network to set up multiple clients more easily; to do that, add the following lines to /etc/ssh/sshd_config:


Match address 192.168.0.0/24
        PasswordAuthentication yes

Where 192.168.0.0/24 is your local network's subnet.

 

Restart sshd on the server:


sudo systemctl restart sshd

and make sure you can still connect from the client.

 

 

Step 4: SSHFS

This is where the meat of the guide starts; SSHFS is the protocol that allows us to mount a remote folder through SSH.

Install SSHFS on the client:

Arch Linux:


sudo pacman -S sshfs

Debian/Ubuntu:


sudo apt install sshfs

Fedora/CentOS/RHEL:


sudo yum install fuse-sshfs

Warning:

If you're using CentOS or RHEL you'll have to enable the EPEL repository. If you're using CentOS/RHEL 8 then you also need to enable the PowerTools repository.

-------------------

 

Then test it by mounting a folder from your server on your client:


sshfs <server's user>@<server's ip>:/path/to/the/folder/you/want/to/share /path/you/want/it/to/show/up/in/on/the/client

for example:


sshfs user@192.168.0.4:/home/user/Pictures ~/RemotePictures

in this case, opening the RemotePictures folder on the client should allow you to access the content of the Pictures folder on the server (provided it exists). Because we set up public key authentication earlier it shouldn't prompt you for a password.

 

 

Step 5: Automatic mounting and reconnection

Mounting your shared folder manually every time you need it is an unnecessary chore; you can set up your client to do it automatically whenever the server is reachable.

Edit /etc/fstab as superuser and add the following line:


<server user>@<server ip>:/shared/folder /local/folder fuse.sshfs noauto,x-systemd.automount,_netdev,users,idmap=user,port=22,IdentityFile=/home/<client user>/.ssh/id_rsa,allow_other,reconnect 0 0

woah, that's a mouthful. Make sure <server user>, <server ip>, <client user> and the paths to the folders are all correct and as you want them to be. You can add multiple lines for different folders if you so wish - just make sure only one server folder is mapped to a given client folder.

 

At this point, reboot your client. When you log in again you should see the remote folder mounted where you specified (assuming you are connected to your network). If you only need this on a local network you can stop here.

 

 

Step 6: Do it through the internet

We're almost done! Now we just need to make our server accessible from the internet.

Forward port 22 on your server to an external port on your modem. You should not use 22 as an external port as it is the first port an external attacker (mostly bots) would check to see if you have an open SSH port. Let's say you used port 5122 for the purposes of this guide. I will also assume you have a dynamic DNS domain name set up.

 

Once that is done, check that you can connect to the server using SSH from the internet.


ssh -p 5122 <server user>@<your domain name>

If that doesn't work double check that you forwarded the correct ports and that your domain name actually redirects to your external IP address.

 

Now, change /etc/fstab to reflect the differences; substitute the local network ip with the domain name and the port with the external port. For example:


<server user>@mydomain.net:/shared/folder /local/folder fuse.sshfs noauto,x-systemd.automount,_netdev,users,idmap=user,port=5122,IdentityFile=/home/<client user>/.ssh/id_rsa,allow_other,reconnect 0 0

 

 

and... you're done! Enjoy!

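The Step 3 sshd_config change depends on where the lines land in the file: sshd keeps the first value it reads for a keyword, and a Match block extends to the next Match line or the end of the file, so a `PasswordAuthentication no` appended below the Match block stays scoped to the LAN and internet clients keep the default `yes`. The check below is an added example, not part of the original post; the function name `audit_password_auth` and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: both configs below are constructed, not taken from a real server.

# Reads an sshd_config on stdin and prints "global=<yes|no> in_match=<n>":
#   global   = value applied to clients that match no Match block
#   in_match = PasswordAuthentication lines scoped to a Match block
# Assumption: Include files and "Match all" are not followed or handled.
audit_password_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { in_match = 1; next }    # block runs to the next Match or EOF
        key != "passwordauthentication" { next }
        in_match { scoped++; next }              # indentation does not end the block
        !seen { value = tolower($2); seen = 1 }  # sshd keeps the first value it reads
        END { printf "global=%s in_match=%d\n", (seen ? value : "yes"), scoped }
    '
}

# Global line first, LAN exception last: internet clients get "no".
GOOD_CONFIG='PasswordAuthentication no
Match address 192.168.0.0/24
        PasswordAuthentication yes'

# Same lines, but the global line was appended after the Match block:
# it is now part of that block and the global default ("yes") still applies.
BAD_CONFIG='Match address 192.168.0.0/24
        PasswordAuthentication yes
PasswordAuthentication no'

printf '%s\n' "$GOOD_CONFIG" | audit_password_auth
printf '%s\n' "$BAD_CONFIG"  | audit_password_auth
```

On a live server, `sudo sshd -T -C user=<server user>,host=client,addr=<an external address> | grep -i passwordauthentication` prints the value sshd actually resolves, including any Include files this parser does not follow.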

How would this work if your ip address from your isp is dynamic? You keep switching to new IP each time it changes?


4 hours ago, wasab said:

How would this work if your ip address from your isp is dynamic? You keep switching to new IP each time it changes?

you could try using a ddns service (I use no-ip and it works great).


1 minute ago, Mnky313 said:

you could try using a ddns service (I use no-ip and it works great).

Doesn't that cost money tho? I mean you need to buy the domain name don't you?


Just now, wasab said:

Doesn't that cost money tho? I mean you need to buy the domain name don't you?

no-ip offers a free version, the only catch is it makes you 'renew' it every 30 days (you just have to click on a link in the email they send every month and complete a captcha, it takes like 2 minutes.)


1 minute ago, Mnky313 said:

no-ip offers a free version, the only catch is it makes you 'renew' it every 30 days (you just have to click on a link in the email they send every month and complete a captcha, it takes like 2 minutes.)

But do you get to pick the domain name or they just assign one to you?


7 minutes ago, wasab said:

But do you get to pick the domain name or they just assign one to you?

you get to pick the name, but there is a list of certain endings (I attached a screenshot, you can type whatever in the Hostname box).

Just now, Mnky313 said:

you get to pick the name, but there is a list of certain endings (I attached a screenshot, you cant type whatever in the Hostname box).

Cool, neat stuff . I can use a domain for my cloud web server. 


On 9/10/2019 at 2:40 PM, wasab said:

How would this work if your ip address from your isp is dynamic? You keep switching to new IP each time it changes?

As I said the guide assumes you already have a DDNS domain.

On 7/1/2019 at 1:25 AM, Sauron said:

I will also assume you have a dynamic DNS domain name set up.
