There is seemingly a trick for creating read-only sshfs logins where the read-only attribute is enforced by the remote's ~/.ssh/authorized_keys file.
You first create a program ~/.ssh/ro-sftp-server that runs sftp-server -R, with whatever other options were passed. You next set up your restricted ssh key as usual in the remote's ~/.ssh/authorized_keys file, except adding a command restriction:
no-X11-forwarding,no-agent-forwarding,no-pty,command="~/.ssh/ro-sftp-server" ssh-rsa ...
Finally, you mount the directory by invoking sshfs.
sshfs -o ssh_command="ssh -i ~/.ssh/ro_key" \
-o sftp_server="~/.ssh/ro-sftp-server" \
-o idmap=mrmeow -o ro \
[email protected]:. ~/www/
Great! Now how do I permit writes but only after asking for a password?
I could certainly make autofs mount a second read-write sshfs volume on demand using a password protected but unrestricted key.
I'd finally need unionfs, mhddfs, or similar to make this second directory appear over the first, except apparently I'd need them both honestly mounted. :(
Any ideas about how one should achieve this "password prompt on write" functionality?
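One thing the setup in the question leaves implicit is what ~/.ssh/ro-sftp-server should actually do. Because of the command= restriction, sshd ignores the client's requested command and runs the wrapper instead, placing the client's request (here the string sshfs sends for its sftp_server option) in SSH_ORIGINAL_COMMAND. The -o ro and -o sftp_server options on the sshfs side are therefore only conveniences; the server-side wrapper is what enforces read-only, and it must not exec SSH_ORIGINAL_COMMAND blindly or the key becomes an unrestricted shell. The script below is an added example of such a wrapper, not code from the original post; the sftp-server path and the assumption that the wrapper only ever runs under sshd (SSH_CONNECTION set) are mine.

```shell
#!/bin/sh
# ~/.ssh/ro-sftp-server: forced-command wrapper that always starts sftp-server
# in read-only mode. Added example, not code from the original post.
# The sftp-server path is an assumption; on the remote, check
#   grep -i subsystem /etc/ssh/sshd_config
# for the path your distribution uses.
set -f   # no globbing while we word-split the client's command string
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"

# ro_sftp_args "CLIENT_COMMAND": print the argument list to hand to sftp-server.
# sshd stores what the client asked to run in SSH_ORIGINAL_COMMAND. We accept an
# empty command, any *sftp-server name (including this wrapper's own) or
# internal-sftp, keep only the options that follow it, refuse every other word,
# and append -R last so a client cannot negotiate itself out of read-only mode.
# Options that take a value must be given in attached form (-u0022), which
# sftp-server's getopt accepts; a detached value would be rejected as stray.
ro_sftp_args() {
    # shellcheck disable=SC2086
    set -- $1                    # word-split the client's string on IFS
    case "${1:-}" in
        '') ;;                   # plain subsystem request, no command at all
        *sftp-server|internal-sftp) shift ;;
        *) return 1 ;;           # some other program: refuse outright
    esac
    for a in "$@"; do
        case "$a" in
            -?*) ;;              # an option: pass through
            *) return 1 ;;       # anything else (paths, shell metacharacters)
        esac
    done
    [ $# -gt 0 ] && printf '%s ' "$@"
    printf -- '-R\n'
}

# Only exec when really running under sshd (which exports SSH_CONNECTION);
# sourcing this file elsewhere just defines the function above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if args=$(ro_sftp_args "${SSH_ORIGINAL_COMMAND:-}"); then
        # shellcheck disable=SC2086
        exec "$SFTP_SERVER" $args
    fi
    echo "ro-sftp-server: refused command: ${SSH_ORIGINAL_COMMAND:-}" >&2
    exit 1
fi
```

With this in place the sshfs line from the question works unchanged, and so does `sftp -i ~/.ssh/ro_key`; what the key holder cannot do is get a shell or a writable sftp session, whatever they pass on the client side.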
Fuse won't be able to give you a password prompt on the terminal because it has no access to it. You might be able to get Fuse to guess your X display and block I/O while it pops up a GUI password prompt. Some desktop environments (Gnome/KDE) provide wallet facilities for unlocking keys; they might be a good thing to connect to.
But for simplicity, may I suggest an alternative. Perhaps somewhere in your workflow you can check the need for write capability, and bring up the prompt using a script.
For example, if you use Vim you could check before you write a file:
Or in a fantasy Coffeescript build process, you could act accordingly after write errors:
To get a prompt in a single terminal without X would require support from whatever software you are using to make the write.
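As an added example of the script-based approach this answer describes (not code from the answer itself), here is a small shell helper that decides, before an editor is launched, whether the write needs the read-write mount. It probes by actually creating a file, because a directory on an sshfs mount backed by `sftp-server -R` looks writable to `stat` but refuses `open` for writing. When the probe fails it mounts the read-write volume with the passphrase-protected key; since sshfs runs ssh in the foreground, the passphrase prompt appears on the current terminal before any write happens, which sidesteps the problem of FUSE having no terminal to prompt on. The mount points, remote and key name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Bring up the read-write sshfs
# mount (and hence ssh's passphrase prompt) only when a write is about to
# happen on a path the read-only mount refuses. All paths below are assumptions.
RO_MOUNT="${RO_MOUNT:-$HOME/www}"          # read-only mount from the question
RW_MOUNT="${RW_MOUNT:-$HOME/www-rw}"       # on-demand read-write mount
RW_KEY="${RW_KEY:-$HOME/.ssh/rw_key}"      # passphrase-protected, unrestricted key
REMOTE="${REMOTE:-user@example.com:.}"     # hypothetical remote

# probe_writable DIR: 0 if we can create a file in DIR, 1 otherwise.
# A real write attempt is the only reliable test on a read-only sftp mount.
probe_writable() {
    d="$1"
    [ -d "$d" ] || return 1
    p="$d/.write-probe.$$"
    if ( : > "$p" ) 2>/dev/null; then
        rm -f "$p"
        return 0
    fi
    return 1
}

# edit_path FILE: print the path an editor should open. If FILE's directory is
# writable, that is FILE itself; otherwise the same relative path under
# RW_MOUNT, mounting it first (ssh prompts for the key passphrase here).
edit_path() {
    f="$1"
    dir=$(dirname "$f")
    if probe_writable "$dir"; then
        printf '%s\n' "$f"
        return 0
    fi
    rel="${f#"$RO_MOUNT"}"
    target="$RW_MOUNT$rel"
    if ! probe_writable "$(dirname "$target")"; then
        mkdir -p "$RW_MOUNT"
        sshfs -o ssh_command="ssh -i $RW_KEY" "$REMOTE" "$RW_MOUNT" || return 1
    fi
    printf '%s\n' "$target"
}

# Usage:   vim "$(edit_path ~/www/index.html)"
```

The same probe can be reused from a build script: run `probe_writable` on the output directory first and call `edit_path`-style remounting only when it fails, rather than reacting to write errors after the fact.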