Update default mount point to $HOME/remote-rssh for consistency, and introduce backtunnel-auth-setup script for restricted SFTP-only key management. Update docs, scripts, and uninstall/install logic to reflect changes. Ensure robust handling of user-specified mount points in backtunnel-access.

This commit is contained in:
2025-09-20 10:49:45 +02:00
parent c46a1da405
commit 85e73ca4da
9 changed files with 144 additions and 26 deletions


@@ -7,7 +7,7 @@
set -euo pipefail
PORT=2222
MOUNTPOINT="/mnt/remote-rssh"
MOUNTPOINT="$HOME/remote-rssh"
usage() {
echo "Usage: $0 /path/to/folder from remoteuser:remotehost [-p PORT] [-m MOUNTPOINT]" >&2
@@ -47,6 +47,32 @@ while [[ $# -gt 0 ]]; do
esac
done
# --- normalize and prepare mount point ---
# Expand leading '~' even if quoted or passed via GUI
# Note: default uses $HOME; still expand '~' if passed via CLI/GUI
if [[ "${MOUNTPOINT:-}" == "~"* ]]; then
MOUNTPOINT="${MOUNTPOINT/#\~/$HOME}"
fi
# Make absolute if realpath exists (doesn't fail if missing)
if command -v realpath >/dev/null 2>&1; then
MOUNTPOINT="$(realpath -m -- "$MOUNTPOINT")"
fi
# Create if missing, with restrictive perms
if [[ ! -d "$MOUNTPOINT" ]]; then
mkdir -p -- "$MOUNTPOINT"
chmod 700 -- "$MOUNTPOINT" 2>/dev/null || true
fi
# Must be user-writable and empty (warn if non-empty to avoid masking files)
if [[ ! -w "$MOUNTPOINT" ]]; then
echo "Mount point '$MOUNTPOINT' is not writable by $(id -un)." >&2
exit 1
fi
# Warn if non-empty to avoid masking existing files
if [[ -n "$(ls -A -- "$MOUNTPOINT" 2>/dev/null || true)" ]]; then
echo "⚠️ Mount point '$MOUNTPOINT' is not empty; its contents will be hidden while mounted." >&2
fi
# --- split remote user/host (supports user:host or user@host) ---
REMOTE_USER=""
REMOTE_HOST=""
@@ -66,10 +92,7 @@ fi
command -v sshfs >/dev/null 2>&1 || { echo "sshfs not found. Install sshfs first."; exit 1; }
command -v mountpoint >/dev/null 2>&1 || { echo "mountpoint utility not found."; exit 1; }
# --- prepare mountpoint ---
if [[ ! -d "$MOUNTPOINT" ]]; then
mkdir -p -- "$MOUNTPOINT"
fi
command -v sftp >/dev/null 2>&1 || { echo "sftp not found (usually provided by openssh)."; exit 1; }
# Avoid double-mount
if mountpoint -q -- "$MOUNTPOINT"; then
@@ -79,13 +102,51 @@ fi
echo "🔗 Mounting '$FOLDER' from '$REMOTE_USER@$REMOTE_HOST' via reverse-tunnel localhost:$PORT → '$MOUNTPOINT' ..."
# --- ensure passwordless auth via tunnel (optional but user-friendly) ---
SSH_IDENTITY_OPTS=()
if [[ -f "$HOME/.ssh/id_ed25519_backtunnel" ]]; then
SSH_IDENTITY_OPTS+=( -o IdentityFile="$HOME/.ssh/id_ed25519_backtunnel" -o IdentitiesOnly=yes )
fi
SFTP_ID_OPTS=()
if [[ -f "$HOME/.ssh/id_ed25519_backtunnel" ]]; then
SFTP_ID_OPTS+=( -o IdentityFile="$HOME/.ssh/id_ed25519_backtunnel" -o IdentitiesOnly=yes )
fi
if ! ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new \
-p "$PORT" "${SSH_IDENTITY_OPTS[@]}" "$REMOTE_USER@localhost" true 2>/dev/null; then cat >&2 <<EOF
⚠️ Passwordless auth not set for $REMOTE_USER@localhost:$PORT.
You can initialize a tunnel-only, SFTP-only key with:
backtunnel-auth-setup -p $PORT $REMOTE_USER@localhost
(It will ask once for the server password to install and restrict the key.)
EOF
# continue anyway; sshfs may prompt for password
fi
echo "Checking remote path visibility via SFTP ..."
if ! sftp -q -P "$PORT" -o StrictHostKeyChecking=accept-new "${SFTP_ID_OPTS[@]}" \
"$REMOTE_USER@localhost" <<< "ls -1 \"$FOLDER\"" >/dev/null 2>&1; then
echo "⚠️ Remote path '$FOLDER' not listable via SFTP. It may not exist or permissions deny access." >&2
echo " Proceeding to mount; sshfs may fail if the path is invalid." >&2
fi
SSH_CMD="ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new"
# If identity options are present, append them to SSH_CMD
if [[ ${#SSH_IDENTITY_OPTS[@]} -gt 0 ]]; then
# Join array safely
for opt in "${SSH_IDENTITY_OPTS[@]}"; do
SSH_CMD+=" $opt"
done
fi
sshfs \
-p "$PORT" \
-o reconnect \
-o ServerAliveInterval=15 \
-o ServerAliveCountMax=3 \
-o ssh_command="ssh -o ConnectTimeout=10" \
-o ssh_command="$SSH_CMD" \
-- "$REMOTE_USER@localhost:$FOLDER" "$MOUNTPOINT"
echo "✅ Mounted at: $MOUNTPOINT"
echo "To unmount: fusermount -u \"$MOUNTPOINT\""
echo "To unmount: fusermount -u \"$MOUNTPOINT\" || fusermount3 -u \"$MOUNTPOINT\""
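Review bot: All three connections added in this hunk (the BatchMode probe, the sftp listing and the sshfs ssh_command) use `StrictHostKeyChecking=accept-new` against `localhost:$PORT`, so the key pinned in known_hosts is whatever answers on that local port the first time — while the reverse tunnel is down that can be any local process that binds the port, and two different remotes that reuse the same port will later collide as a host-key mismatch. Adding `-o HostKeyAlias="$REMOTE_HOST"` to each of the three ssh option sets keys the known_hosts entry on the remote's own name, so the pin follows the server rather than the local port. Separately, `SSH_CMD` is assembled by string concatenation and sshfs, as far as I recall, re-tokenizes `ssh_command` on whitespace without shell quoting, so an `IdentityFile` path containing a space breaks; since sshfs forwards unknown `-o NAME=VAL` options to ssh, the identity, timeout and host-key options could be passed as plain `-o` arguments (`"${SSH_IDENTITY_OPTS[@]}"` directly on the sshfs line) instead of through `ssh_command`. The sftp batch line also interpolates `$FOLDER` inside double quotes unescaped, so a path containing `"` or a newline is mis-parsed by sftp's command reader; worth at least a comment, or rejecting such paths up front.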