
For my normal login with ssh I have in my ~/.ssh/config the following lines:

```
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
```

... so that if I call kinit and get a Kerberos ticket then I can connect with ssh without typing in the password.

How do I make sshfs use the same ticket to mount a remote directory without asking for the password?

(right now I'm getting an error saying remote host has disconnected)

And what would an entry for /etc/fstab look like for that? Right now I have this:

```
sshfs#username@remoteHost: mountpoint fuse comment=sshfs,noauto,users,exec,uid=1000,gid=1000,allow_other,reconnect,transform_symlinks,BatchMode=yes 0 0
```

BTW: I need to make it use the Kerberos ticket and not my RSA or DSA keys, because that is forbidden on the remote host side.

nc4pk

1 Answer


If you run `sshfs ...` in a terminal, in your own user account, then it will use exactly the same SSH settings – and Kerberos tickets – as plain `ssh` and `sftp` commands (since it just launches `ssh -s sftp`).

If it does not, try the `-o debug` and/or `-o sshfs_debug` options. Also make sure you're giving the same server hostname to `sshfs`.

I cannot give a good answer for fstab until you get plain `sshfs` working, but you will likely need to `kinit` as root too (but with your own Kerberos principal), or use `k5start` to automatically do it on boot.

u1686_grawity
  • Using the debug options and running `sshfs` in a terminal as you suggested showed that my settings, namely `GSSAPIAuthentication yes GSSAPIDelegateCredentials yes`, were not used. This was because they were defined for a specific host. The trick was to use the host alias I define in my `~/.ssh/config` in `/etc/fstab`. – Asen Christov Mar 11 '13 at 16:54
  • OK, I have set up my `kerberos` credentials, and `k5start` works fine from the terminal. How do I get it to mount at boot? I cannot think of a way to create a valid line in `fstab`. I think a `systemd` `service` or `mount` file might be the only way to go. Any other ideas? – Kartik Sep 02 '18 at 22:11
  • @Kartik: Create a service which runs `k5start -K` on boot as a daemon, and make your fstab mount depend on that service. As long as UIDs match, sshfs should find the ticket cache. Alternatively, if your OS uses a recent MIT krb5 (Heimdal doesn't have this), putting the keytab at /var/lib/krb5/user/UID/client.keytab would work without k5start. – u1686_grawity Sep 02 '18 at 22:17
  • @grawity, thanks. I understood some of it, but I have no idea how to make `fstab` depend on that service. Perhaps, I'll post a question and you can answer? My uni uses the MIT krb5, so we can possibly just discuss the second option. – Kartik Sep 02 '18 at 22:24
  • @grawity, Here is the question: https://superuser.com/q/1354668/520328. Thanks in advance! – Kartik Sep 02 '18 at 22:34
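
The answer's advice to give `sshfs` the same host name as `ssh`, and the first comment's finding that the GSSAPI options only applied to one `Host` entry, can be checked with `ssh -G`, which prints the options OpenSSH resolves for a given name. The script below is an added example, not part of the original thread; the host names and the sample `ssh -G` output in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether the GSSAPI
# options are in effect for the exact name handed to sshfs or written in fstab.

# Parse `ssh -G <name>` output on stdin; exit 0 only if both options are "yes".
gssapi_status() {
    awk '
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            if (auth == "")  auth = "unset"
            if (deleg == "") deleg = "unset"
            printf "auth=%s delegate=%s\n", auth, deleg
            exit !(auth == "yes" && deleg == "yes")
        }'
}

# Constructed samples of `ssh -G` output: the alias matches a Host block that
# carries the GSSAPI options, the raw host name matches no such block.
SAMPLE_ALIAS='hostname remotehost.example.org
gssapiauthentication yes
gssapidelegatecredentials yes'
SAMPLE_RAW='hostname remotehost.example.org
gssapiauthentication no
gssapidelegatecredentials no'

# $1 = host name exactly as written in the sshfs command or fstab entry.
check_name() {
    printf '%s: ' "$1"
    ssh -G "$1" | gssapi_status
}

if [ "$#" -gt 0 ]; then
    for name in "$@"; do
        check_name "$name" || echo "  -> GSSAPI not fully enabled for $name"
    done
else
    # No arguments: run against the constructed samples instead of real hosts.
    printf 'alias sample: '; printf '%s\n' "$SAMPLE_ALIAS" | gssapi_status
    printf 'raw sample:   '; printf '%s\n' "$SAMPLE_RAW" | gssapi_status \
        || echo '  -> GSSAPI off for this name: use the alias instead'
fi
```

Run it as the account that performs the mount (root for an fstab mount at boot), since `ssh -G` reads that account's `~/.ssh/config`.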