today, I wanted to make a completely autonomous Pi that would auto-mount a folder located on a remote server, through SFTP. I installed sshfs and autofs, as required, and modified the /etc/fstab, when a doubt struck me: in the process of creating a passwordless ssh connection for this specific connection (i.e., key), I understood that it would need to wait for a user to be logged in on the Pi in order to send the proper key.
Mounting remote folder locally
However, as an autonomous device, normally there wouldn't be anyone connected either locally or remotely. I want the Pi to be able to automount the remote file system, and that system services running on the Pi to be able to use the automatically mounted folder.
Location of the key
Where should the key be located, then? As I interpreted it, the Pi should have its private key in /root/.ssh/identity/ folder, the server its public key in /root/.ssh/autorized_keys/ (Source)
Another concern of mine was that, to allow for automounting without user interaction, the key file needs to be passphrase-less, which I think is not secure.
Proper permissions for mountpoint
I made a first try with direct connection with sshfs, but apparently I couldn't get the permissions nor ownership correct, as I got:
Code: Select all
d????????? ? ? ? ? ? oneCode: Select all
sudo sshfs root@remote_server:/DataVolume/vid /home/pi/one/ -p 22 -o sshfs_sync -o reconnect -o nonempty
The authenticity of host '[remote_server]:22 ([198.xxx.yyy.zzz]:22)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
root@remote_server's password:How would it auto-accept the fingerprint even if the IP changes?
Allowing both key-based mounting for system services, and password SSH logging for local users
I also read the same page recommended to disallow password authentication on the server: is that necessary, or overkill?
Talking about machine configurations, I haven't experienced the Pi (or rather, its software) as a rock-stable machine. What would happen when the SD card gets corrupted beyond repair and keys lost? I also had to restrict the root password on the remote_server to digits and letters only, as I get to use various keyboards whose layout sometimes can't be changed because of administrative restrictions.
I suspect my security knowledge looks like a Swiss cheese, and would definitely read suggestions to secure the server. However, I already know that at least one, port-knocking, isn't too reliable in adverse network conditions; I got myself locked out of (an unstable) server years ago after repeated attempts to log in from a crowded coffee shop.