PMISuite/BackTunnel
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f42344ebe80aafa241831555dd89023f3241b47c
BackTunnel/README.md

230 lines
7.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# BackTunnel Reverse SSH Folder Sharing Toolkit
Share and mount folders between Linux machines behind NAT/firewalls using two friendly commands.
## ✨ Commands
### `backtunnel-share`
Start a reverse SSH tunnel from the *sharing* machine for a limited time.
```bash
backtunnel-share /path/to/folder with remoteuser:remotehost for <duration> [options]
# or: remoteuser@remotehost
```
**Duration formats:** `30m`, `2h`, `1d` (passed to `timeout`)
**Options**
- `-p, --tunnel-port <PORT>`: Remote port to expose with `-R` (default: 2222)
- `-l, --local-ssh-port <PORT>`: Local sshd port to forward to (default: 22)
- `-i, --invite`: Print a ready-to-copy access command for the remote user
- `--invite-mount <PATH>`: Suggest mount point in the invite (default: `/mnt/remote-rssh`)
- `--invite-file <FILE>`: Also write the invite text (including unmount hint) to a file
- `--qr`: Render the invite as a QR code (requires `qrencode`)
**Examples**
```bash
# Share for 2h
backtunnel-share ~/projects with alice@vps.example.com for 2h
# Share and print a one-liner invite for chat
backtunnel-share ~/projects with alice@vps.example.com for 2h -i
# Share with custom ports and QR invite
backtunnel-share ~/projects with alice@vps.example.com for 1d -p 4422 -l 2222 -i --qr
```
The invite will look like this and can be pasted on the remote host:
```bash
backtunnel-access '/home/user/projects' from alice@vps.example.com -p 4422 -m '/mnt/remote-rssh'
```
Unmount on the remote side with:
```bash
fusermount -u /mnt/remote-rssh
```
### `backtunnel-access`
Mount a folder from the *remote* side via SSHFS.
```bash
backtunnel-access /path/to/folder from remoteuser:remotehost [options]
# or: remoteuser@remotehost
```
**Options**
- `-p, --port <PORT>`: Port on the remote host where the reverse tunnel listens (default: 2222)
- `-m, --mount-point <PATH>`: Local mount point (default: `/mnt/remote-rssh`)
---
## 📁 Profiles (named remotes)
BackTunnel supports **profiles** to simplify connections. Instead of typing
`user@host -p PORT -l PORT …` every time, you can define defaults and named remotes in:
📖 Example config: see [docs/profiles.ini.example](docs/profiles.ini.example)
System-wide default: /etc/backtunnel/profiles.ini (admins can edit)
Packaged example: /usr/share/backtunnel/profiles.ini
---
## 🔒 Temporary, tunnel-only access (restricted key)
By default, if you install a normal SSH key on the sharing machine, that key could also be used for direct SSH (if the server is reachable). To keep access **strictly temporary** and **usable only through the reverse tunnel**, use a **restricted key** in `authorized_keys`.
This approach:
- **Allows SFTP/sshfs only** (no shell).
- **Only works via the reverse tunnel** (server sees the client as `127.0.0.1`).
- **Stops working** automatically when the reverse tunnel (started by `backtunnel-share`) ends.
### 1) Create a dedicated key on the client (access side)
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_backtunnel -C backtunnel
```
### 2) Copy the public key to the server via the tunnel once
Youll be prompted for the server password this one time, while the tunnel is up.
```bash
ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519_backtunnel.pub user@localhost
```
### 3) Restrict that key in authorized_keys on the server
Edit the newly added line for this key in ~/.ssh/authorized_keys on the server and prefix it with:
```ini
from="127.0.0.1",command="internal-sftp",restrict
```
The final line should look like:
```ini
from="127.0.0.1",command="internal-sftp",restrict ssh-ed25519 AAAAC3... backtunnel
```
- from="127.0.0.1" limits use to connections that arrive via the reverse tunnel.
- command="internal-sftp" forces SFTP only (sshfs uses SFTP).
- restrict implies no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding.
💡 One-liner (no editor): prepend restrictions while appending your key
```bash
( printf 'from="127.0.0.1",command="internal-sftp",restrict '; cat ~/.ssh/id_ed25519_backtunnel.pub ) \
| ssh -p 2222 user@localhost 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
```
### 4) Use as normal with BackTunnel
Start the share on the server:
```bash
backtunnel-share /path/to/folder with user@REMOTE for 2h
```
Mount on the client (no password prompts now):
```bash
mkdir -p ~/remote-rssh
backtunnel-access /path/to/folder from user@REMOTE -p 2222 -m ~/remote-rssh
```
### 5) Cleanup (optional)
After youre done, remove the restricted key line from ~/.ssh/authorized_keys on the server (or keep it for next time—it's safe: it only works via the tunnel, and only for SFTP).
> If you keep it, the key does not grant shell access and cannot be used over the network directly thanks to from="127.0.0.1".
---
### Troubleshooting
- If sftp -P 2222 user@localhost or sshfs still asks for a password:
- The restricted key line may be malformed (missing comma or options).
- File permissions: ~/.ssh should be 700, authorized_keys should be 600 on the server.
- Too many keys tried: you can force the key with:
```bash
ssh -i ~/.ssh/id_ed25519_backtunnel -p 2222 user@localhost true
```
- If your mount point is ~-based, dont quote it (~/remote-rssh is OK; '~/remote-rssh' wont expand).
If youd also like a brief “restricted key” note in the man page later, say the word and Ill hand you a ready-to-paste `.1` section too.
---
### 🖥️ Dolphin Service Menus
Two context actions for Dolphin are installed:
- **Share via BackTunnel…** → launches the graphical wrapper `backtunnel-share-gui`, prompting for remote, duration, ports, etc.
- **Access via BackTunnel…** → now uses the new `backtunnel-access-gui` wrapper, providing dialogs for remote, port, and mount point instead of embedding a complex one-liner.
Both wrappers run inside Konsole (or xterm) so you can see live logs, and they honor profile defaults from `~/.config/backtunnel/profiles.ini` (or `/etc`, `/usr/share`).
### 🖱️ Dolphin (GUI) Flow — Share with Invite
1. **Right-click a folder → “Share via BackTunnel…”**
2. Enter **Remote** (`user@host` or `user:host`), choose **Duration**, **Tunnel port** (default `2222`), and **Local SSH port** (default `22`).
3. When prompted:
- **Print invite line for chat?** → Yes to get a one-liner your colleague can paste.
- **Show QR code for the invite?** → Yes (requires `qrencode`) to display a terminal QR.
- **Suggested mount point** → Accept `/mnt/remote-rssh` or set your own.
4. A terminal opens, shows the **invite** (and QR if selected), and keeps the share open for the chosen duration.
- Stop early with **Ctrl+C**.
**What the remote user does (on the remote host):**
```bash
# Paste the invite you sent them, e.g.:
backtunnel-access '/path/to/folder' from user@vps.example.com -p 2222 -m '/mnt/remote-rssh'
# Unmount when done:
fusermount -u /mnt/remote-rssh # or: umount /mnt/remote-rssh
```
---
## 🔐 Requirements
- `ssh`, `sshfs`, `timeout`, `konsole`, `kdialog`
- Optional:
- `bash-completion`
- `qrencode` (for QR-code invites)
---
## 📦 Install
```bash
sudo bash scripts/install.sh
```
Uninstall:
```bash
sudo bash scripts/uninstall.sh
```
---
## 📦 Release checklist (BackTunnel v1.2.x)
1. **Version bump** (if needed) in docs/man where referenced (man page already shows `1.2`).
2. **Tag the repo**:
```bash
git tag -a v1.2.0 -m "BackTunnel 1.2.0"
git push --tags
```
## 📖 Man Page
```bash
man backtunnel
```
---
## 🧾 License
Licensed under **GNU GPL v3.0**. See `LICENSE`.
Reference in New Issue View Git Blame Copy Permalink