sysadminmatmoz
fcbd6514cc
Introduce `backtunnel-authorize` for managing restricted SFTP-only keys, and update `backtunnel-share` to support temporary accessor key authorization via `--allow-key` and `--allow-known`. Extend bash completion with profile, accessor, and SSH host suggestions. Revamp README sections to include updated workflows, quick starts, and key management details.
BackTunnel – Secure Reverse SSH Folder Sharing Toolkit
BackTunnel is a lightweight toolkit to share and mount folders between Linux machines behind NAT or firewalls using reverse SSH tunnels.
No third-party relay, no cloud dependency – just peer-to-peer, temporary, SSH-based access.
⚡ Quick Start
1. Accessor: Prepare your key (one-time)
backtunnel-keys print
Send the printed public key to the sharer.
2. Sharer: Start sharing and authorize the accessor
backtunnel-share ~/Documents with alice@remotehost for 2h -i --allow-key ./alice.pub
This injects a temporary, restricted SFTP-only key and prints an invite.
3. Accessor: Mount the shared folder
backtunnel-access '/home/sharer/Documents' from alice@remotehost -p 2222 -m ~/remote-rssh
Unmount with:
fusermount -u ~/remote-rssh
✨ Features
- NAT/firewall friendly: works without port forwarding.
- Temporary by design: shares auto-expire after a set duration.
- Invite workflow: sharer sends a one-liner or QR code to accessor.
- Restricted keys: accessor keys are usable only for SFTP via the tunnel and are auto-removed when the share ends.
- Profiles: save defaults and common remotes in
profiles.ini. - Desktop integration: Dolphin (KDE) service menus for GUI sharing and access.
🔑 Commands
Sharing
backtunnel-share /path/to/folder with user@host for <duration> [options]
-p, --tunnel-portRemote bind port (default: 2222)-l, --local-ssh-portLocal sshd port to expose (default: 22)-i, --invitePrint invite line--qrShow QR code (requires qrencode)--allow-key FILEAuthorize a provided public key--allow-known NAMEAuthorize a stored key (~/.config/backtunnel/authorized/NAME.pub)
Accessing
backtunnel-access /path/to/folder from user@host [options]
-p, --portTunnel port (default: 2222)-m, --mount-pointLocal mount point (default: ~/remote-rssh)
📁 Profiles
~/.config/backtunnel/profiles.ini:
[default]
tunnel_port=2222
invite=true
invite_mount=$HOME/remote-rssh
[work]
user=alice
host=vps.example.com
tunnel_port=4422
Usage:
backtunnel-share ~/reports with @work for 6h -i --allow-known alice
🖥️ Dolphin Integration
- Share via BackTunnel… – GUI dialog for sharer options.
- Access via BackTunnel… – GUI dialog for accessor options.
Logs are written to:
~/.local/state/backtunnel/servicemenu.*.log
📦 Install
From source
sudo bash scripts/install.sh
make init # copy example profiles.ini
Arch Linux
makepkg -si
Uninstall:
sudo bash scripts/uninstall.sh
# or with purge of defaults
sudo PURGE=1 bash scripts/uninstall.sh
📖 Documentation
man backtunnel
🧾 License
GNU GPL v3.0
© 2025 LUXIM d.o.o., Slovenia – Matjaž Mozetič