2025-09-14 11:29:21 +02:00
# BackTunnel –
Share and mount folders between Linux machines behind NAT/firewalls using two friendly commands.
## ✨ Commands
### `backtunnel-share`
Start a reverse SSH tunnel from the * sharing * machine for a limited time.
```bash
backtunnel-share /path/to/folder with remoteuser:remotehost for <duration> [options]
# or: remoteuser@remotehost
```
**Duration formats:** `30m` , `2h` , `1d` (passed to `timeout` )
**Options**
- `-p, --tunnel-port <PORT>` : Remote port to expose with `-R` (default: 2222)
- `-l, --local-ssh-port <PORT>` : Local sshd port to forward to (default: 22)
2025-09-14 12:54:06 +02:00
- `-i, --invite` : Print a ready-to-copy access command for the remote user
- `--invite-mount <PATH>` : Suggest mount point in the invite (default: `/mnt/remote-rssh` )
- `--invite-file <FILE>` : Also write the invite text (including unmount hint) to a file
- `--qr` : Render the invite as a QR code (requires `qrencode` )
**Examples**
```bash
# Share for 2h
backtunnel-share ~/projects with alice@vps .example.com for 2h
# Share and print a one-liner invite for chat
backtunnel-share ~/projects with alice@vps .example.com for 2h -i
# Share with custom ports and QR invite
backtunnel-share ~/projects with alice@vps .example.com for 1d -p 4422 -l 2222 -i --qr
```
The invite will look like this and can be pasted on the remote host:
```bash
backtunnel-access '/home/user/projects' from alice@vps .example.com -p 4422 -m '/mnt/remote-rssh'
```
Unmount on the remote side with:
```bash
fusermount -u /mnt/remote-rssh
```
2025-09-14 11:29:21 +02:00
### `backtunnel-access`
Mount a folder from the * remote * side via SSHFS.
```bash
backtunnel-access /path/to/folder from remoteuser:remotehost [options]
# or: remoteuser@remotehost
```
**Options**
- `-p, --port <PORT>` : Port on the remote host where the reverse tunnel listens (default: 2222)
- `-m, --mount-point <PATH>` : Local mount point (default: `/mnt/remote-rssh` )
2025-09-14 12:54:06 +02:00
---
2025-09-14 19:44:37 +02:00
## 📁 Profiles (named remotes)
BackTunnel supports **profiles ** to simplify connections. Instead of typing
`user@host -p PORT -l PORT …` every time, you can define defaults and named remotes in:
📖 Example config: see [docs/profiles.ini.example ](docs/profiles.ini.example )
System-wide default: /etc/backtunnel/profiles.ini (admins can edit)
Packaged example: /usr/share/backtunnel/profiles.ini
---
2025-09-14 22:02:48 +02:00
## 🔒 Temporary, tunnel-only access (restricted key)
By default, if you install a normal SSH key on the sharing machine, that key could also be used for direct SSH (if the server is reachable). To keep access **strictly temporary ** and **usable only through the reverse tunnel ** , use a **restricted key ** in `authorized_keys` .
This approach:
- **Allows SFTP/sshfs only** (no shell).
- **Only works via the reverse tunnel** (server sees the client as `127.0.0.1` ).
- **Stops working** automatically when the reverse tunnel (started by `backtunnel-share` ) ends.
### 1) Create a dedicated key on the client (access side)
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_backtunnel -C backtunnel
```
### 2) Copy the public key to the server via the tunnel once
You’
```bash
ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519_backtunnel.pub user@localhost
```
### 3) Restrict that key in authorized_keys on the server
Edit the newly added line for this key in ~/.ssh/authorized_keys on the server and prefix it with:
```ini
from="127.0.0.1",command="internal-sftp",restrict
```
The final line should look like:
```ini
from="127.0.0.1",command="internal-sftp",restrict ssh-ed25519 AAAAC3... backtunnel
```
- from="127.0.0.1" limits use to connections that arrive via the reverse tunnel.
- command="internal-sftp" forces SFTP only (sshfs uses SFTP).
- restrict implies no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding.
💡 One-liner (no editor): prepend restrictions while appending your key
```bash
( printf 'from="127.0.0.1",command="internal-sftp",restrict '; cat ~/.ssh/id_ed25519_backtunnel.pub ) \
| ssh -p 2222 user@localhost 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
```
### 4) Use as normal with BackTunnel
Start the share on the server:
```bash
backtunnel-share /path/to/folder with user@REMOTE for 2h
```
Mount on the client (no password prompts now):
```bash
mkdir -p ~/remote-rssh
backtunnel-access /path/to/folder from user@REMOTE -p 2222 -m ~/remote-rssh
```
### 5) Cleanup (optional)
After you’
> If you keep it, the key does not grant shell access and cannot be used over the network directly thanks to from="127.0.0.1".
---
### Troubleshooting
- If sftp -P 2222 user@localhost or sshfs still asks for a password:
- The restricted key line may be malformed (missing comma or options).
- File permissions: ~/.ssh should be 700, authorized_keys should be 600 on the server.
- Too many keys tried: you can force the key with:
```bash
ssh -i ~/.ssh/id_ed25519_backtunnel -p 2222 user@localhost true
```
- If your mount point is ~-based, don’ ’
If you’ ’ `.1` section too.
---
2025-09-14 20:17:36 +02:00
### 🖥️ Dolphin Service Menus
2025-09-14 11:29:21 +02:00
2025-09-14 20:17:36 +02:00
Two context actions for Dolphin are installed:
2025-09-14 11:29:21 +02:00
2025-09-14 20:17:36 +02:00
- **Share via BackTunnel…** → launches the graphical wrapper `backtunnel-share-gui` , prompting for remote, duration, ports, etc.
- **Access via BackTunnel…** → now uses the new `backtunnel-access-gui` wrapper, providing dialogs for remote, port, and mount point instead of embedding a complex one-liner.
Both wrappers run inside Konsole (or xterm) so you can see live logs, and they honor profile defaults from `~/.config/backtunnel/profiles.ini` (or `/etc` , `/usr/share` ).
2025-09-14 11:29:21 +02:00
2025-09-14 14:34:46 +02:00
### 🖱️ Dolphin (GUI) Flow — Share with Invite
1. **Right-click a folder → “Share via BackTunnel…” **
2. Enter **Remote ** (`user@host` or `user:host` ), choose **Duration ** , **Tunnel port ** (default `2222` ), and **Local SSH port ** (default `22` ).
3. When prompted:
- **Print invite line for chat?** → Yes to get a one-liner your colleague can paste.
- **Show QR code for the invite?** → Yes (requires `qrencode` ) to display a terminal QR.
- **Suggested mount point** → Accept `/mnt/remote-rssh` or set your own.
4. A terminal opens, shows the **invite ** (and QR if selected), and keeps the share open for the chosen duration.
- Stop early with **Ctrl+C ** .
**What the remote user does (on the remote host):**
```bash
# Paste the invite you sent them, e.g.:
backtunnel-access '/path/to/folder' from user@vps .example.com -p 2222 -m '/mnt/remote-rssh'
# Unmount when done:
fusermount -u /mnt/remote-rssh # or: umount /mnt/remote-rssh
```
2025-09-14 12:54:06 +02:00
---
2025-09-14 11:29:21 +02:00
## 🔐 Requirements
- `ssh` , `sshfs` , `timeout` , `konsole` , `kdialog`
2025-09-14 12:54:06 +02:00
- Optional:
- `bash-completion`
- `qrencode` (for QR-code invites)
---
2025-09-14 11:29:21 +02:00
## 📦 Install
```bash
sudo bash scripts/install.sh
```
Uninstall:
```bash
sudo bash scripts/uninstall.sh
```
2025-09-14 12:54:06 +02:00
---
2025-09-14 14:34:46 +02:00
## 📦 Release checklist (BackTunnel v1.2.x)
1. **Version bump ** (if needed) in docs/man where referenced (man page already shows `1.2` ).
2. **Tag the repo ** :
```bash
git tag -a v1.2.0 -m "BackTunnel 1.2.0"
git push --tags
```
2025-09-14 11:29:21 +02:00
## 📖 Man Page
```bash
man backtunnel
```
2025-09-14 12:54:06 +02:00
---
2025-09-14 11:29:21 +02:00
## 🧾 License
Licensed under **GNU GPL v3.0 ** . See `LICENSE` .
