How to run a public/private key-based group file server with MacFUSE-based clients

The ACLs are optional, but they guide default permissions for local and SSH (not SFTP) users.

Advantages

  • Strong encryption
  • No passwords
  • Easy setup and administration
  • One port to open/forward for remote access
  • Integrates with Linux clients using FUSE, GNOME-VFS, or KIO Slaves
  • Works with Windows clients using standalone SFTP clients

Disadvantages

  • No Windows Explorer integration
    • Workaround: Don't use Windows.
  • Encryption creates significant overhead
  • Doesn't report free space to client
    • Workaround: SSH to the server and run df

Configuring the server

  1. sudo apt-get install ssh acl

  2. cd /

  3. sudo mkdir export

  4. sudo chmod 755 export

Creating a user group

  1. sudo groupadd [Group Name]

Adding a user to a group

  1. sudo usermod -G [Group Name] -a [Username]

Configuring a share on the server

  1. Create/mount the directory to be shared. Ensure the mount supports ACLs.
  2. Have a group own the directory: sudo chown :[Group Name] [Directory]

  3. Give the group read/write access and force new items to be part of the directory's group (the setgid bit in 2770): sudo chmod -R 2770 [Directory]

  4. Force all new files in the directory to be group writable: sudo setfacl -d -m 'g:[Group Name]:rwx' [Directory]

  5. cd /export

  6. sudo ln -s [Directory] [Share Name]
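As an added check, not part of the original guide, this script verifies that a share directory ends up the way steps 2 through 4 intend (group owner, mode 2770 with the setgid bit, and a default ACL giving the group rwx). The getfacl samples are constructed, and the group name "projects" is an assumed placeholder.

```python
import stat

# Constructed sample of `getfacl` output for a share prepared as in the steps
# above; the group name "projects" is an assumed placeholder, not from the guide.
GOOD_ACL = """\
# group: projects
user::rwx
group::rwx
other::---
default:group::rwx
default:group:projects:rwx
default:mask::rwx
"""

# Constructed sample of a directory that was only created with mkdir.
BAD_ACL = """\
# group: users
user::rwx
group::r-x
other::r-x
"""


def parse_getfacl(text):
    """Return (owning group, {(tag, qualifier): perms}) for the default entries."""
    group, defaults = None, {}
    for line in text.splitlines():
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("default:"):
            _, tag, qualifier, perms = line.split(":")
            defaults[(tag, qualifier)] = perms
    return group, defaults


def audit_share(mode, acl_text, expected_group):
    """List deviations from the guide's share layout (mode = st_mode); empty list means OK."""
    if not stat.S_ISDIR(mode):
        return ["not a directory"]
    problems = []
    perm = stat.S_IMODE(mode)
    if not perm & stat.S_ISGID:
        problems.append("setgid bit missing: new items will not inherit the group")
    if perm & 0o777 != 0o770:
        problems.append("mode is %o, expected 770 (group rwx, others none)" % (perm & 0o777))
    group, defaults = parse_getfacl(acl_text)
    if group != expected_group:
        problems.append("owning group is %s, expected %s" % (group, expected_group))
    if defaults.get(("group", expected_group)) != "rwx":
        problems.append("default ACL g:%s:rwx missing: new files will not be group writable" % expected_group)
    return problems
```

On the server, feed it os.stat([Directory]).st_mode and the output of getfacl [Directory] (from the acl package installed in step 1 of "Configuring the server").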

Configuring a client and the corresponding server user

Client steps

  1. Install MacFUSE, SSHFS, and MacFusion.

  2. Generate public/private keys: ssh-keygen -t dsa

  3. Copy the output: cat ~/.ssh/

  4. Make new items group writable by default (umask 002), using one of the following options:
    • Option A (current user only): Install and use TinkerTool to enable group writable permissions (Octal 002) by default. Ignore the warning; it only applies to restricting permissions further.
    • Option B (current user only): Run in terminal: defaults write -g NSUmask -int 2
    • Option C (all users): Run in terminal: sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 2

  5. Log out and log back in.

Server steps

  1. Create a user with a home directory (the next step writes into it): sudo useradd -m [Username on Server]

  2. Create /home/[Username on Server]/.ssh/authorized_keys and paste the earlier copied output

  3. Ensure .ssh and authorized_keys have ownership [Username on Server]:[Username on Server].

  4. Ensure .ssh has a chmod of 700 and authorized_keys has a chmod of 600.

Adding a share on a configured client

Add shares as "Favorites" with the following properties:

  • Name: [Anything]

  • Server: [Domain Name or IP Address for Server]

  • Port: 22

  • Server Path: /export/[Share Name]

  • Username: [Username on Server]

  • Authentication: Public Key

  • Extra Options (Advanced): -oallow_other -oumask=7002 -odefer_permissions


If mount succeeds but no share appears in the Finder

Ensure the user belongs to the group that may use the share. See "Adding a user to a group."


MacFUSE (last edited 2008-08-06 16:19:41 by localhost)