153 lines
4.7 KiB
Bash
153 lines
4.7 KiB
Bash
#!/usr/bin/env bash
|
|
# Copyright (c) 2025. LUXIM d.o.o., Slovenia - Matjaž Mozetič.
|
|
|
|
# backtunnel-access: Mount a folder shared over reverse SSH
|
|
# Usage: backtunnel-access /path/to/folder from remoteuser:remotehost [-p PORT] [-m MOUNTPOINT]
|
|
|
|
set -euo pipefail
|
|
|
|
PORT=2222
|
|
MOUNTPOINT="$HOME/remote-rssh"
|
|
|
|
usage() {
|
|
echo "Usage: $0 /path/to/folder from remoteuser:remotehost [-p PORT] [-m MOUNTPOINT]" >&2
|
|
exit 1
|
|
}
|
|
|
|
# --- parse positional args ---
|
|
[[ $# -lt 3 ]] && usage
|
|
|
|
FOLDER=$1
|
|
KEYWORD=$2
|
|
REMOTE=$3
|
|
shift 3 || true
|
|
|
|
[[ "$KEYWORD" != "from" ]] && usage
|
|
|
|
# Optional flags
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
-p|--port)
|
|
[[ $# -lt 2 ]] && usage
|
|
PORT=$2
|
|
shift 2
|
|
;;
|
|
-m|--mount-point)
|
|
[[ $# -lt 2 ]] && usage
|
|
MOUNTPOINT=$2
|
|
shift 2
|
|
;;
|
|
-h|--help)
|
|
usage
|
|
;;
|
|
*)
|
|
echo "Unknown option: $1" >&2
|
|
usage
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# --- normalize and prepare mount point ---
|
|
# Expand leading '~' even if quoted or passed via GUI
|
|
# Note: default uses $HOME; still expand '~' if passed via CLI/GUI
|
|
if [[ "${MOUNTPOINT:-}" == "~"* ]]; then
|
|
MOUNTPOINT="${MOUNTPOINT/#\~/$HOME}"
|
|
fi
|
|
# Make absolute if realpath exists (doesn't fail if missing)
|
|
if command -v realpath >/dev/null 2>&1; then
|
|
MOUNTPOINT="$(realpath -m -- "$MOUNTPOINT")"
|
|
fi
|
|
# Create if missing, with restrictive perms
|
|
if [[ ! -d "$MOUNTPOINT" ]]; then
|
|
mkdir -p -- "$MOUNTPOINT"
|
|
chmod 700 -- "$MOUNTPOINT" 2>/dev/null || true
|
|
fi
|
|
# Must be user-writable and empty (warn if non-empty to avoid masking files)
|
|
if [[ ! -w "$MOUNTPOINT" ]]; then
|
|
echo "Mount point '$MOUNTPOINT' is not writable by $(id -un)." >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Warn if non-empty to avoid masking existing files
|
|
if [[ -n "$(ls -A -- "$MOUNTPOINT" 2>/dev/null || true)" ]]; then
|
|
echo "⚠️ Mount point '$MOUNTPOINT' is not empty; its contents will be hidden while mounted." >&2
|
|
fi
|
|
|
|
# --- split remote user/host (supports user:host or user@host) ---
|
|
REMOTE_USER=""
|
|
REMOTE_HOST=""
|
|
|
|
if [[ "$REMOTE" == *:* ]]; then
|
|
REMOTE_USER=${REMOTE%%:*}
|
|
REMOTE_HOST=${REMOTE#*:}
|
|
elif [[ "$REMOTE" == *"@"* ]]; then
|
|
REMOTE_USER=${REMOTE%%@*}
|
|
REMOTE_HOST=${REMOTE#*@}
|
|
else
|
|
echo "Invalid remote format. Use remoteuser:remotehost or remoteuser@remotehost" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# --- deps check ---
|
|
command -v sshfs >/dev/null 2>&1 || { echo "sshfs not found. Install sshfs first."; exit 1; }
|
|
command -v mountpoint >/dev/null 2>&1 || { echo "mountpoint utility not found."; exit 1; }
|
|
|
|
command -v sftp >/dev/null 2>&1 || { echo "sftp not found (usually provided by openssh)."; exit 1; }
|
|
|
|
# Avoid double-mount
|
|
if mountpoint -q -- "$MOUNTPOINT"; then
|
|
echo "Mount point '$MOUNTPOINT' is already mounted. Unmount it first (e.g., 'fusermount -u \"$MOUNTPOINT\"')." >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "🔗 Mounting '$FOLDER' from '$REMOTE_USER@$REMOTE_HOST' via reverse-tunnel localhost:$PORT → '$MOUNTPOINT' ..."
|
|
|
|
# --- ensure passwordless auth via tunnel (optional but user-friendly) ---
|
|
SSH_IDENTITY_OPTS=()
|
|
if [[ -f "$HOME/.ssh/id_ed25519_backtunnel" ]]; then
|
|
SSH_IDENTITY_OPTS+=( -o IdentityFile="$HOME/.ssh/id_ed25519_backtunnel" -o IdentitiesOnly=yes )
|
|
fi
|
|
|
|
SFTP_ID_OPTS=()
|
|
if [[ -f "$HOME/.ssh/id_ed25519_backtunnel" ]]; then
|
|
SFTP_ID_OPTS+=( -o IdentityFile="$HOME/.ssh/id_ed25519_backtunnel" -o IdentitiesOnly=yes )
|
|
fi
|
|
|
|
if ! ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new \
|
|
-p "$PORT" "${SSH_IDENTITY_OPTS[@]}" "$REMOTE_USER@localhost" true 2>/dev/null; then cat >&2 <<EOF
|
|
⚠️ Passwordless auth not set for $REMOTE_USER@localhost:$PORT.
|
|
You can initialize a tunnel-only, SFTP-only key with:
|
|
backtunnel-auth-setup -p $PORT $REMOTE_USER@localhost
|
|
(It will ask once for the server password to install and restrict the key.)
|
|
EOF
|
|
# continue anyway; sshfs may prompt for password
|
|
fi
|
|
|
|
echo "Checking remote path visibility via SFTP ..."
|
|
|
|
if ! sftp -q -P "$PORT" -o StrictHostKeyChecking=accept-new "${SFTP_ID_OPTS[@]}" \
|
|
"$REMOTE_USER@localhost" <<< "ls -1 \"$FOLDER\"" >/dev/null 2>&1; then
|
|
echo "⚠️ Remote path '$FOLDER' not listable via SFTP. It may not exist or permissions deny access." >&2
|
|
echo " Proceeding to mount; sshfs may fail if the path is invalid." >&2
|
|
fi
|
|
|
|
SSH_CMD="ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new"
|
|
# If identity options are present, append them to SSH_CMD
|
|
if [[ ${#SSH_IDENTITY_OPTS[@]} -gt 0 ]]; then
|
|
# Join array safely
|
|
for opt in "${SSH_IDENTITY_OPTS[@]}"; do
|
|
SSH_CMD+=" $opt"
|
|
done
|
|
fi
|
|
|
|
sshfs \
|
|
-p "$PORT" \
|
|
-o reconnect \
|
|
-o ServerAliveInterval=15 \
|
|
-o ServerAliveCountMax=3 \
|
|
-o ssh_command="$SSH_CMD" \
|
|
-- "$REMOTE_USER@localhost:$FOLDER" "$MOUNTPOINT"
|
|
|
|
echo "✅ Mounted at: $MOUNTPOINT"
|
|
echo "To unmount: fusermount -u \"$MOUNTPOINT\" || fusermount3 -u \"$MOUNTPOINT\""
|