[Semibug] sshfs

Dr. Robert Meier list1c30fe42 at bellsouth.net
Mon Oct 23 02:31:33 EDT 2017


Mark,

I've not yet used sshfs, but have many times configured 'secure shares'.
So far, I've always used a VPN, and then nfs, samba, rsync, ... within
the VPN.  So far, I've never had a situation where securing all
communications with the share server was not acceptable.
In most cases, there was even potential advantage to the additional
flexibility, and the additional overhead to access other resources on
the server was never a problem.
You can use vpn from an (appropriately equipped) jail.
You can (carefully) configure your firewall to access some hosts
via vpn while other hosts remain connected without the vpn.

Is there a reason you can't or don't want to use a VPN?

Is there a feature of your problem that I am missing?



My understanding is that sshfs is a fuse network file system
tunneled through ssh.  It adds user-space traffic encryption.
The only advantage I see to user-space encryption as opposed to
vpn system-space encryption is if the threat is from other users
on the same host, AND those same local users are not a threat to
the clear data once received or before being sent.
So far, on any system where I didn't trust the other users,
I also didn't trust the system, and so didn't trust any continuous
access mechanism.


On 10/19/2017 01:41 PM, Mark Moellering wrote:
> trying to have something like a 'remote share' but will run in a FreeBSD
> jail and be secure.  NFS won't run in a jail, so I may try samba over ssh.
> 
> 
> 
> On Thu, Oct 19, 2017 at 1:08 PM, Thomas Levine <_ at thomaslevine.com> wrote:
> 
>> My opinion is that I have never come up with a situation where I prefer
>> it over either accessing the filesystem locally and synchronizing it or
>> logging in to the remote computer and running everything there.
>> And I speculate that if I ever did want a networked file system, I would
>> use some other protocol.
>>
>> But what are you trying to do?

Hopefully helpful,
--
Bob


