
AutoFS & SSHFS Remote Architecture

This documentation covers the automated, on-demand secure shell file system (SSHFS) mounting configuration for remote nodes (e.g., linux-shell.se) using AutoFS inside a high-performance Gentoo Linux environment running OpenRC.


Security & Permissions Prerequisites

SSH Key Context & Directory Permissions

OpenSSH enforces strict ownership and permission rules on key material. Because the AutoFS daemon runs in a system context as root, the /root/.ssh directory and all identity files in it must be owned by, and accessible only to, UID 0 (root).

# Secure root SSH context
mkdir -p /root/.ssh
chmod 700 /root/.ssh
chown -R root:root /root/.ssh

# Ensure the active ED25519 keys are present and restricted
chmod 600 /root/.ssh/id_ed25519
chmod 600 /root/.ssh/config

Configuration Files

1. Master Map Configuration

/etc/autofs/auto.master

Append the following entry to your master map. It maps the /mnt/server prefix to the dedicated SSHFS map file. The --ghost option creates placeholder directories for the map keys before anything is mounted, and --timeout=60 unmounts a share after 60 seconds of inactivity.

# Base directory for SSHFS remote structures managed by autofs
/mnt/server    /etc/autofs/auto.sshfs    --timeout=60 --ghost

2. Automount SSHFS Storage Map

Mount Paths

The map hands its options directly to FUSE (sshfs) through the AutoFS map parser. Spaces inside the ssh_command value are escaped with a backslash (\) so that the parser does not read them as column separators.

# /etc/autofs/auto.sshfs (Static configuration mapping)
linux-shell    -fstype=fuse,allow_other,reconnect,IdentityFile=/root/.ssh/id_ed25519,StrictHostKeyChecking=no,ssh_command=ssh\ -x\ -a    :sshfs#root@linux-shell.se:/
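
An added example, not part of the original configuration: a POSIX shell audit of an AutoFS SSHFS map that flags entries which skip host key verification (StrictHostKeyChecking=no accepts whatever key the server presents) or open the mount to every local user through allow_other. The finding codes, the backup entry and host.example are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Finding codes are made up here.
# audit_sshfs_map FILE: print "<key>: <FINDING>" for risky autofs SSHFS entries.
audit_sshfs_map() {
    map=$1
    # autofs treats an executable map file as a program map and runs it as root.
    [ -x "$map" ] && echo "$map: MAP_EXECUTABLE"
    # read without -r honours "\ " escapes, so the option list stays one field.
    grep -Ev '^[[:space:]]*(#|$)' "$map" | while read key opts location; do
        case ",$opts," in
            *,StrictHostKeyChecking=no,*|*,UserKnownHostsFile=/dev/null,*)
                echo "$key: HOSTKEY_UNVERIFIED" ;;  # server identity never checked
        esac
        case ",$opts," in
            *,allow_other,*)
                case ",$opts," in
                    *,default_permissions,*) ;;     # kernel enforces file modes
                    *) echo "$key: ALLOW_OTHER_UNRESTRICTED" ;;
                esac
                case "$location" in
                    *"#root@"*) echo "$key: REMOTE_ROOT_SHARED" ;;
                esac ;;
        esac
    done
}

# Constructed sample: the page's entry plus a hypothetical hardened one.
write_sample_map() {
    cat > "$1" <<'EOF'
# constructed sample map
linux-shell    -fstype=fuse,allow_other,reconnect,IdentityFile=/root/.ssh/id_ed25519,StrictHostKeyChecking=no,ssh_command=ssh\ -x\ -a    :sshfs#root@linux-shell.se:/
backup    -fstype=fuse,allow_other,default_permissions,reconnect,IdentityFile=/root/.ssh/id_ed25519,StrictHostKeyChecking=yes    :sshfs#backup@host.example:/srv
EOF
}

tmp=$(mktemp) && write_sample_map "$tmp" && audit_sshfs_map "$tmp"; rm -f "$tmp"
```

The hardened entry assumes the server's host key is already recorded in /root/.ssh/known_hosts; with StrictHostKeyChecking=yes, ssh refuses to connect otherwise.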

Service Administration

Initialization Sequence (OpenRC)

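Set the map files to plain, non-executable text file permissions before restarting the AutoFS daemon so that it reloads its configuration maps. The execute bit matters: AutoFS treats an executable map file as a program map and runs it instead of reading it.

# Clear execute bits and set mode 644 (owner read/write, everyone else read-only)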
chmod 644 /etc/autofs/auto.master /etc/autofs/auto.sshfs

# Restart the automounter service via OpenRC
rc-service autofs restart


Validation & Verification

Passive Monitoring & Functional Testing

To verify that the configuration works on demand, without spawning persistent background tasks, check the mounted file systems and the kernel mount table before and after the first access.

# Verify that no sshfs mount exists before first access (expect no output)
df -h | grep sshfs

# Confirm that only the indirect AutoFS mount point is registered
grep autofs /proc/mounts

# Access the mount target to trigger the on-demand SSHFS mount
ls -la /mnt/server/linux-shell/

# Verify that the FUSE mount is now active and registered by the kernel
df -h | grep sshfs