.TH backtunnel 1 "September 2025" "1.3" "BackTunnel – Reverse SSH Sharing Toolkit"
.SH NAME
backtunnel-share, backtunnel-access \- Secure reverse SSH folder sharing and access (with profiles, temporary key authorization)
.SH SYNOPSIS
.B backtunnel-share
/path/to/folder with {remoteuser:remotehost|remoteuser@remotehost|@profilename} for <duration> [options]
.PP
.B backtunnel-access
/path/to/folder from {remoteuser:remotehost|remoteuser@remotehost} [options]
.SH DESCRIPTION
\fBbacktunnel-share\fR starts a reverse SSH tunnel from the local (sharing) machine to a remote,
reachable host. The tunnel exposes the local sshd (typically port 22) on a loopback port on the
remote host using \fBssh -R\fR. Sharing ends automatically after the given \fIduration\fR via \fBtimeout\fR.
.PP
\fBbacktunnel-access\fR mounts the shared folder from the remote side using \fBsshfs\fR by connecting
to \fBlocalhost:<port>\fR on the remote host (the port exposed by \fBbacktunnel-share\fR).
.PP
The tools support \fIprofiles\fR (named remotes and defaults) and a secure workflow without
password exchange using temporary, restricted keys.
.SH OPTIONS
.SS backtunnel-share options
.TP
.B -p, --tunnel-port <PORT>
Remote port to bind with \fB-R\fR (default: 2222).
.TP
.B -l, --local-ssh-port <PORT>
Local sshd port to forward to (default: 22).
.TP
.B -i, --invite
Print a ready-to-copy access command for the remote side. With \fB--allow-key\fR
or \fB--allow-known\fR, the invite includes only the mount command (no auth step).
.TP
.B --invite-mount <PATH>
Mount point suggested in invite (default: \fI$HOME/remote-rssh\fR).
.TP
.B --invite-file <FILE>
Also write the invite text (with unmount hint) to FILE.
.TP
.B --qr
Also print a QR code (requires \fBqrencode\fR).
.TP
.B --allow-key <FILE>
Temporarily authorize the accessor’s public key for the session by injecting a restricted
entry into \fI~/.ssh/authorized_keys\fR and removing it on exit. The line is prefixed with:
\fCfrom="127.0.0.1",command="internal-sftp",restrict\fR.
.TP
.B --allow-known <NAME>
Authorize a public key from \fI~/.config/backtunnel/authorized/NAME.pub\fR (same restrictions
and auto-removal as \fB--allow-key\fR).
.SS backtunnel-access options
.TP
.B -p, --port <PORT>
Remote port on which the reverse tunnel listens (default: 2222).
.TP
.B -m, --mount-point <PATH>
Local mount point for sshfs (default: \fI$HOME/remote-rssh\fR).
.SH PROFILES
Profiles allow you to use \fB@name\fR instead of \fIuser@host\fR and to set defaults.
.PP
The configuration search order is:
.TP
\fB~/.config/backtunnel/profiles.ini\fR
Per-user configuration file containing defaults and named profiles.
.TP
\fB/etc/backtunnel/profiles.ini\fR
System-wide default profiles (editable by admins).
.TP
\fB/usr/share/backtunnel/profiles.ini\fR
Packaged example/fallback used when user/system config is absent.
.PP
An example:
.PP
.nf
[default]
tunnel_port=2222
invite=true
invite_mount=$HOME/remote-rssh

[work]
user=alice
host=vps.example.com
tunnel_port=4422
.fi
.PP
Usage:
.PP
\fBbacktunnel-share ~/docs with @work for 6h -i --allow-known alice\fR
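.PP
Added example (not BackTunnel's own parser): resolving an \fB@name\fR target in POSIX shell from the first readable file in the search order above, and checking the values before they are handed to \fBssh\fR. The function names, the first-file-wins rule and the fallback from the named section to [default] are assumptions.

```shell
#!/bin/sh
# Added example, not BackTunnel's parser. Assumed: first readable file wins,
# and a key missing from the named section falls back to [default].
# usage: cfg=$(first_config "$PROFILE_PATHS") && resolve_target "$cfg" @work
PROFILE_PATHS="$HOME/.config/backtunnel/profiles.ini
/etc/backtunnel/profiles.ini
/usr/share/backtunnel/profiles.ini"

# Print the first readable file from a newline-separated list.
first_config() {
    printf '%s\n' "$1" | while IFS= read -r f; do
        [ -r "$f" ] && { printf '%s\n' "$f"; break; }
    done
}

# profile_get <file> <profile> <key>: value from [profile], else [default].
profile_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*([#;]|$)/ { next }                    # comments and blanks
        /^[ \t]*\[.*\][ \t]*$/ {                      # section header
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); sec = $0; next
        }
        {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == want) { prof = v; hasp = 1 }
            else if (sec == "default") { def = v; hasd = 1 }
        }
        END { if (hasp) print prof; else if (hasd) print def; else exit 1 }
    ' "$1"
}

# resolve_target <file> @name: prints "user@host port", or fails on values
# that ssh could read as an option or that contain shell metacharacters.
resolve_target() {
    name=${2#@}
    user=$(profile_get "$1" "$name" user) || return 1
    host=$(profile_get "$1" "$name" host) || return 1
    port=$(profile_get "$1" "$name" tunnel_port) || port=2222
    [ -n "$user" ] && [ -n "$host" ] || return 1
    case $user$host in *[!A-Za-z0-9._-]*|-*) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s@%s %s\n' "$user" "$host" "$port"
}
```

Because the per-user file is searched first, a profile defined there shadows one of the same name in the system-wide file.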
.SH SECURITY MODEL
The temporary authorized key is restricted with:
.PP
\fCfrom="127.0.0.1",command="internal-sftp",restrict\fR
.PP
This limits usage to the reverse tunnel (localhost on the remote end) and SFTP only (no shell,
no agent/X11/port forwarding). The entry is removed when the share ends or the process exits.
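.PP
Added example (not BackTunnel's own code): installing and removing such an entry in POSIX shell, using the option string quoted above. The function names are hypothetical, and the key-type check and exact-line removal are choices of this example.

```shell
#!/bin/sh
# Added example, not BackTunnel's code: temporary restricted authorized_keys entry.
# Option string is the one quoted in the man page; function names are hypothetical.
RESTRICT_OPTS='from="127.0.0.1",command="internal-sftp",restrict'

# Print the restricted line for a .pub file. Refuse anything that is not one
# bare public key, so the accessor cannot smuggle in options of their own.
restricted_entry() {
    [ -r "$1" ] && [ "$(grep -c . "$1")" -eq 1 ] || return 1
    key=$(grep . "$1")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$RESTRICT_OPTS" "$key"
}

add_entry() {    # add_entry <authorized_keys> <pubkey-file>
    line=$(restricted_entry "$2") || return 1
    ( umask 077; touch "$1" ) || return 1
    # A last line without a newline would otherwise be glued to the new entry.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    grep -qxF -- "$line" "$1" || printf '%s\n' "$line" >> "$1"
}

remove_entry() { # removes exactly the line add_entry wrote, nothing else
    line=$(restricted_entry "$2") || return 1
    tmp=$(mktemp "$1.XXXXXX") || return 1
    grep -vxF -- "$line" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$1"
}

# Authorize the key only while <cmd> runs. The EXIT trap covers normal exit and
# handled signals; SIGKILL or power loss still leaves the line behind.
with_temp_key() { # with_temp_key <authorized_keys> <pubkey-file> <cmd...>
    auth=$1 pub=$2; shift 2
    add_entry "$auth" "$pub" || return 1
    trap 'remove_entry "$auth" "$pub"' EXIT
    trap 'exit 130' INT TERM
    rc=0; "$@" || rc=$?
    remove_entry "$auth" "$pub"
    trap - EXIT INT TERM
    return "$rc"
}
```

After an unclean stop, searching \fI~/.ssh/authorized_keys\fR for \fCcommand="internal-sftp"\fR shows whether a temporary line was left behind.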
.SH EXAMPLES
.TP
Share for 2 hours on default ports:
\fBbacktunnel-share\fR /home/user/docs with alice@vps.example.com for 2h -i
.TP
Share for 1 day, using custom ports and a known key:
\fBbacktunnel-share\fR /home/user/docs with @work for 1d -p 4422 -l 2222 -i --allow-known alice
.TP
Mount with default port and mount point:
\fBbacktunnel-access\fR /home/user/docs from alice@vps.example.com
.TP
Mount with custom port and mount point:
\fBbacktunnel-access\fR /home/user/docs from alice@vps.example.com -p 4422 -m /mnt/alice-docs
.SH FILES
.TP
\fB~/.config/backtunnel/profiles.ini\fR
Per-user profiles and defaults.
.TP
\fB/etc/backtunnel/profiles.ini\fR
System-wide defaults.
.TP
\fB/usr/share/backtunnel/profiles.ini\fR
Packaged example.
.TP
\fB~/.config/backtunnel/authorized/*.pub\fR
Accessor public keys saved by \fBbacktunnel-authorize\fR for \fB--allow-known\fR.
.SH SEE ALSO
ssh(1), sshfs(1), timeout(1), autossh(1), fusermount(1),
\fBbacktunnel-keys\fR(1), \fBbacktunnel-auth-setup\fR(1)
.SH AUTHOR
Matjaž Mozetič