sshfs doesn’t forward X + conflict with “ControlMaster auto”

I use sshfs to mount remote directories on my laptop to access files as if they are stored locally. I love it. I also use the ControlMaster feature of OpenSSH to reuse an existing ssh connection when opening new ssh connections to the same host.

The problem is that X11 forwarding doesn’t work with sshfs, at least not yet (I don’t think it will be updated, since the last release was in 2008). This means that when the servers are mounted via sshfs, any subsequent ssh connection to the same host that is opened with -Y or -X will not have X11 forwarding. I discovered this by seeing errors like these when connecting to remote servers even though I passed -Y -C:

$ firefox
Error: no display specified
$ xterm
xterm Xt error: Can't open display:
xterm: DISPLAY is not set
-bash: -sb: command not found
$ chromium-browser
(chromium-browser:14763): Gtk-WARNING **: cannot open display:

I posted this and this before figuring out it was an sshfs and ControlMaster problem.

Turning on X forwarding in ~/.ssh/config and /etc/ssh/ssh_config does not fix the problem.

My quick fix is to have additional host names point at the same servers (dyndns is free). Then I use one set of names for sshfs and the other for connecting with ssh -Y -C. Because the names differ, the ssh client treats them as separate servers and the connections are not shared.
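As an added example, not from the original post: the same separation can be had without a second DNS name by giving the sshfs mount its own Host alias in ~/.ssh/config with connection sharing switched off. The names files.example.com and files-mount are assumed. It works because the shared socket is keyed on the ControlPath (%r@%h:%p), so only connections that use that path are multiplexed.

```sshconfig
# Added example, not from the original post; host names are assumed.
# ssh uses the first value it finds for each option, so this must come
# before any catch-all "Host *" block.

# Alias used only for the mount:  sshfs files-mount:/srv/data ~/mnt
Host files-mount
    HostName files.example.com
    ControlMaster no
    ControlPath none

# Interactive logins, e.g. ssh -Y -C files.example.com, share a socket
# among themselves but never with the sshfs connection above.
Host files.example.com
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
```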

sftp with restricted folder

I recently needed to set up an ftp server (or sftp server) that allows the user to transfer files. I had some restrictions:

  1. The account cannot have ssh access since I don’t want an unauthorized person to run jobs on the server.
  2. The account needs to be restricted to a single directory. I don’t want the account to have access to all files on the server.

I first followed this guide to get proftpd up with an account. However, I kept getting errors trying to log in using Nautilus or Filezilla. The error came from PASV mode, which I think stems from a firewall/NAT issue. I next tried this to use vsftpd. Still no go (same error).

I decided to use sftp since I know for sure that ssh works and that it’s more secure. Now that I think about it, none of my servers has an ftp server running, since sftp is more secure and both Nautilus and Filezilla support the sftp protocol.

From this post, I re-discovered rssh and the native chroot support in recent versions of OpenSSH. The “Match User” method for OpenSSH and the rssh method did not work for me. I finally stumbled on this post that made things work.

sudo apt-get install openssh-server ## this is already installed for me

## modify /etc/ssh/sshd_config
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp

# These lines must appear at the *end* of sshd_config: a Match block
# applies to every line that follows it
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

## in shell
sudo groupadd sftponly
sudo useradd -m -d /home/newuser newuser ## -m creates the home directory
sudo passwd newuser ## set password
sudo usermod -g sftponly -s /bin/false -d /home/newuser newuser
sudo chown root:root /home/newuser ## the chroot directory must be owned by root ...
sudo chmod 755 /home/newuser       ## ... and not writable by group or others
cd /home/newuser
sudo mkdir upload ## upload files in here
sudo chown newuser:newuser upload
sudo /etc/init.d/ssh restart

Now an ssh login as newuser should fail, and sftp (via the command line, Nautilus, or Filezilla) should only be able to access that one location.

Note that /home/newuser is owned by root, so newuser can’t write anything directly in there. That is why we create the directory upload inside it and make newuser its owner.

Control my computer’s desktop (graphically) via VNC

Since all my computers are Linux-based, I have OpenSSH installed on them so I can connect to them remotely. If I am not on the home network, I either have ports forwarded from the router or VPN to my home network in order to connect to my destination. In addition, I almost always use screen for all my terminal sessions. Thus, once I ssh to the computer remotely, I can resume my screen session.

What if I want to control the current desktop of my computer, i.e., control applications graphically? Answer: VNC. On Ubuntu 10.10, vino is installed by default and can be configured from within GNOME by going to System > Preferences > Remote Desktop. For other VNC servers, see this.

To keep things secure, I don’t port-forward port 5900 from my home router to the main computer. If I want to VNC into the machine, I VPN to the home network first. Or better yet, I can port-forward via SSH.

Encrypted Connection via SSH port-forwarding

As the data from VNC is not encrypted, it is not safe to use across the internet. To get an encrypted connection, use the port-forwarding feature of OpenSSH to tunnel the VNC session over ssh.

On the local machine (VNC from), type the following in the shell:

ssh -L 5900:localhost:5900 remotehost ## remotehost = the machine to VNC to; if on the local network via VPN, use its local ip or hostname
## the local port 5900 listens on loopback only (unless GatewayPorts is set), so only this machine can use the tunnel

Now, from the local machine, I can connect to localhost from any VNC client. Vinagre is the default on Ubuntu, accessible via Internet > Remote Desktop Viewer.

This is quite cool.

ControlMaster in OpenSSH – speeding up editing files remotely with emacs + tramp

So I was googling around to find out how to change the shell in tramp for emacs, and I ran into this and this.

When editing remote files with emacs using tramp, opening and saving files can take a bit of time, due to re-logging in and authenticating. I discovered that OpenSSH has a feature that allows one to re-use an existing connection to a remote host when opening new connections to that host. This is quite cool. Place the following in ~/.ssh/config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p