3

There is seemingly a trick for creating read-only sshfs logins with the read only attribute is enforced by the remote's ~/.ssh/authorized_keys file.

You first create a program ~/.ssh/ro-sftp-server that runs sftp-server -R, which whatever other options were passed. You next set up your restricted ssh key as usual in the remote's ~/.ssh/authorized_keys file except adding a command restriction :

no-X11-forwarding,no-agent-forwarding,no-pty,command= “~/.ssh/ro-sftp-server” ssh-rsa ...

Finally, you mount the directory by invoking sshfs.

sshfs -o ssh_command="ssh -i ~/.ssh/ro_key" \
      -o sftp_server="~/.ssh/ro-sftp-server" \
      -o idmap=mrmeow -o ro \
      mrmeow@example.com:. ~/www/

Great! Now how do I permit writes but only after asking for a password?

I could certainly make autofs mount a second read-write sshfs volume on demand using a password protected but unrestricted key.

I'd finally need unionfs, mhddfs, or similar to make this second directory appear over the first, except apparently I'd need them both honestly mounted. :(

Any ideas about how one should achieve this "password prompt on write"? functionality?

Jeff Burdges
  • 156

1 Answers1

0

Fuse won't be able to give you a password prompt on the terminal because it has no access to it. You might be able to get Fuse to guess your X display and block I/O while it pops up a GUI password prompt. Some desktop environments (Gnome/KDE) provide wallet facilities for unlocking keys; they might be a good thing to connect to.

But for simplicity, may I suggest an alternative. Perhaps somewhere in your workflow you can check the need for write capability, and bring up the prompt using a script.

For example, if you use Vim you could check before you write a file:

autocmd BufWritePre *.c                         \
    let targetfile = expand('%')              | \
    if !filewritable(targetfile)              | \
        exec "!~/bin/prompt_remount_foo_rw"   | \
    end

Or in a fantasy Coffeescript build process, you could act accordingly after write errors:

buildProcess.on "error", (e) ->
    if e.writeError
        prompt_remount_foo_rw().then(retryBuild)

To get a prompt in a single terminal without X would require support from whatever software you are using to make the write.

joeytwiddle
  • 564