Saturday, December 7, 2019

automount sshfs with passphrase enabled key

There are many articles about mounting sshfs through autofs, but most of them use a key with an empty passphrase. I came up with a way to keep the passphrase enabled. This is a memo for my future self.



Setup keychain

Keychain here means the open-source keychain tool, not the macOS Keychain. It can apparently manage GPG agents too, but I only use it for the ssh passphrase. You may find articles on how to set up keychain, like this.
After finishing the keychain setup, you will find ~/.keychain/${HOSTNAME}-sh .
That file declares environment variables such as SSH_AUTH_SOCK, which points at the ssh-agent socket.

Now you are ready to use ssh-agent.

Add a shell script

Create the shell script below as /usr/local/bin/ssh_as_you.sh and make it executable.
#!/bin/bash
# Wrapper that sshfs calls instead of ssh. autofs runs as root, so the script
# first re-executes itself as the user who owns the key and the keychain file.
readonly expected_user=your_name
# $(id -un) is used instead of $USER, which is not set in the automount daemon's environment.
if [ "$(id -un)" != "${expected_user}" ]; then
    # -H makes HOME the target user's home directory so the keychain path below resolves.
    exec sudo -H -u "${expected_user}" "$0" "$@"
fi
# Export SSH_AUTH_SOCK (and SSH_AGENT_PID) from keychain so ssh can reach the agent.
source "${HOME}/.keychain/${HOSTNAME}-sh"
exec ssh "$@"

autofs setting

Add the following entry to /etc/autofs/auto.master:
/mnt/sshfs_mount      /etc/autofs/auto.sshfs
/etc/autofs/auto.sshfs should contain the following line.

host_a    -fstype=fuse,allow_other,ssh_command=/usr/local/bin/ssh_as_you.sh :sshfs\#your_name@host_a\:/some_dir

The key point is that sshfs invokes ssh through ssh_as_you.sh. The script sources the keychain file, so SSH_AUTH_SOCK is set in ssh's environment and ssh authenticates with the key already loaded into ssh-agent instead of prompting for the passphrase. In effect, sshfs can now talk to ssh-agent.

Limitation

The user must log in first, so that keychain has started ssh-agent and loaded the key, before anything triggers the sshfs mount.
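To see why a mount fails instead of guessing, the preflight check below repeats the wrapper's key step (sourcing the keychain file) and reports whether the agent is reachable and has a key loaded. It is an added example, not part of the original post; the keychain file layout ~/.keychain/${HOSTNAME}-sh is assumed as described above.

```shell
#!/bin/sh
# Added preflight check (not from the original post). It repeats the wrapper's
# key step, sourcing the keychain file, and says why a mount would fail.
# Assumed layout: ${HOME}/.keychain/${HOSTNAME}-sh, as in the post.
# Status codes: 0 agent reachable, key loaded; 1 keychain file missing (user
# has not logged in yet); 2 SSH_AUTH_SOCK unset or stale; 3 agent up, no key.
# Path of the keychain file for a home directory and host name.
keychain_file() {
    printf '%s/.keychain/%s-sh\n' "$1" "$2"
}
# Source FILE in a subshell and probe the agent it points at.
check_agent() {
    file=$1
    [ -r "$file" ] || return 1
    (
        . "$file"
        [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || exit 2
        # ssh-add -l exits 0 with identities, 1 without, 2 if no agent answers.
        command -v ssh-add >/dev/null 2>&1 || exit 0
        rc=0
        ssh-add -l >/dev/null 2>&1 || rc=$?
        case $rc in
            0) exit 0 ;;
            1) exit 3 ;;
            *) exit 2 ;;
        esac
    )
}
# Human-readable reason for a status code from check_agent.
explain() {
    case $1 in
        0) echo "ok: ssh-agent reachable and a key is loaded" ;;
        1) echo "no keychain file: log in once so keychain starts ssh-agent" ;;
        2) echo "SSH_AUTH_SOCK unset or stale: run keychain again" ;;
        3) echo "agent running but no identity loaded: run keychain with the key" ;;
        *) echo "unknown status $1" ;;
    esac
}
# Run the check for the current user when invoked as: ./sshfs_preflight.sh --run
case "${1:-}" in
    --run)
        rc=0
        check_agent "$(keychain_file "$HOME" "${HOSTNAME:-$(hostname)}")" || rc=$?
        explain "$rc"
        exit "$rc"
        ;;
esac
```

Run it the same way autofs reaches the wrapper, i.e. as the key owner via sudo -H -u your_name, so the check sees the same HOME and keychain file that ssh_as_you.sh will.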

Customize

Because sshfs now runs ssh as your user account, your ~/.ssh/config is consulted. You can add entries there, for example to reach the host through a bastion host.
