Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Hiding smb mount password in fstab? Hashing?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London

PostPosted: Thu Mar 23, 2006 9:48 am    Post subject: Hiding smb mount password in fstab? Hashing? Reply with quote

Hi,
I'm looking for a way to hide my credentials in fstab for lines like
Code:
//hostname/share   smbfs   /mnt/sharename     defaults,username=user%password       0      0

The problem with the above line is that it appears in the process list and that the password is in cleartext. Using credentials=file is a better start but this is still in plaintext. Can't I hash the password with md5 or something?
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
unclecharlie
Apprentice
Apprentice


Joined: 19 Dec 2005
Posts: 186
Location: Colorado, USA

PostPosted: Thu Mar 23, 2006 2:43 pm    Post subject: i know... Reply with quote

humbletech99,

Yeah it sucks. I've been pondering other solutions to that one myself. MD5 won't work. It's not reversible. The simple option is to keep the credentials file on a keychain USB drive and use it like a key. Other options include making an encrypted loopback filesystem and keeping the credentials file there. But that presents it's own problems.

I'd love to hear anyone's ideas on a solution for this.

Charlie
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London

PostPosted: Thu Mar 23, 2006 3:16 pm    Post subject: Reply with quote

The keychain won't work as this is for servers, but the loopback encryption is interesting, couple of drawbacks though:

1. You'd have to set up the loop after boot so again no good for fstab.
2. once you mount the loop to access the credentials file it's plain text readable again

Argg, this is such an obvious problem, why isn't there an obvious solution? If the password was stored as an ntlm hash, that would be better... you could sent it straight but no human could know what it is or use it without using a custom written program to sent it straight...
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3477
Location: Hamburg

PostPosted: Thu Mar 23, 2006 3:26 pm    Post subject: Reply with quote

What about setting perms to 0600 to the credential file where you store the sense information ?
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London

PostPosted: Thu Mar 23, 2006 4:10 pm    Post subject: Reply with quote

yeah, but this is quite easy to work around and just read the info off disk, but it really what I will have to resort to otherwise...
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
Vulpes_Vulpes
Apprentice
Apprentice


Joined: 10 Dec 2003
Posts: 264
Location: Amsterdam

PostPosted: Thu Mar 23, 2006 5:06 pm    Post subject: Reply with quote

humbletech99 wrote:
yeah, but this is quite easy to work around and just read the info off disk, but it really what I will have to resort to otherwise...


But don't you have to be root to read the 0600 chmodded credential file? I'm really interested in the workaround you mentioned.
Back to top
View user's profile Send private message
unclecharlie
Apprentice
Apprentice


Joined: 19 Dec 2005
Posts: 186
Location: Colorado, USA

PostPosted: Thu Mar 23, 2006 5:10 pm    Post subject: not the drawbacks I was thinking of... Reply with quote

humbletech99,

What I was pondering was this-
Even setting up an encrypted file system, the key for that filesystem is still going to be in a credentials file in plain text somewhere on the system, either in /etc/fstab or a credentials file.

A password management daemon could be useful for that. But making it secure without an interactive (challenge/response) might be difficult.

Charlie
Back to top
View user's profile Send private message
PMcCauley
Apprentice
Apprentice


Joined: 14 Mar 2006
Posts: 283
Location: Alberta, Canada

PostPosted: Thu Mar 23, 2006 5:29 pm    Post subject: Reply with quote

One way to do it is to have your samba only accessible by localhost and forward samba through ssh then you could use a key file. There is no getting around all the security problems. You will either have to enter the password to mount the drive of take the chance that it someone gets your key they would have access. Hashed or not a non-password protected key file could be used the same as the actual password. You could also use sshfs to mount ssh directly.
Code:
emerge sshfs-fuse
sshfs remote-system-name:/remote-folder /media/mount-name
The only way someone should be able to gain access to a chmod 600 file is in a offline attack(boot live cd or whatever) or possibly a vunerablity in a root-enabled program. Setting up shared keys between the systems would probably be easiest.


Patrick
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London

PostPosted: Thu Mar 23, 2006 5:32 pm    Post subject: Reply with quote

Vulpes_Vulpes wrote:
humbletech99 wrote:
yeah, but this is quite easy to work around and just read the info off disk, but it really what I will have to resort to otherwise...


But don't you have to be root to read the 0600 chmodded credential file? I'm really interested in the workaround you mentioned.
reboot the machine into knoppix. steal a machine, pull out the hard disk, load another os etc. etc.
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London

PostPosted: Thu Mar 23, 2006 5:34 pm    Post subject: Reply with quote

I need to stick to SMB since I'm in a heterogenous environment...
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum