Hiding smb mount password in fstab? Hashing?

[humbletech99]

Hi,
I'm looking for a way to hide my credentials in fstab for lines like

Code: Select all

//hostname/share   smbfs   /mnt/sharename     defaults,username=user%password       0      0

The problem with the above line is that it appears in the process list and that the password is in cleartext. Using credentials=file is a better start but this is still in plaintext. Can't I hash the password with md5 or something?

[unclecharlie]

humbletech99,

Yeah it sucks. I've been pondering other solutions to that one myself. MD5 won't work. It's not reversible. The simple option is to keep the credentials file on a keychain USB drive and use it like a key. Other options include making an encrypted loopback filesystem and keeping the credentials file there. But that presents it's own problems.

I'd love to hear anyone's ideas on a solution for this.

Charlie

[humbletech99]

The keychain won't work as this is for servers, but the loopback encryption is interesting, couple of drawbacks though:

1. You'd have to set up the loop after boot so again no good for fstab.
2. once you mount the loop to access the credentials file it's plain text readable again

Argg, this is such an obvious problem, why isn't there an obvious solution? If the password was stored as an ntlm hash, that would be better... you could sent it straight but no human could know what it is or use it without using a custom written program to sent it straight...

[toralf]

What about setting perms to 0600 to the credential file where you store the sense information ?

[humbletech99]

yeah, but this is quite easy to work around and just read the info off disk, but it really what I will have to resort to otherwise...

[Vulpes_Vulpes]

yeah, but this is quite easy to work around and just read the info off disk, but it really what I will have to resort to otherwise...

But don't you have to be root to read the 0600 chmodded credential file? I'm really interested in the workaround you mentioned.

[unclecharlie]

humbletech99,

What I was pondering was this-
Even setting up an encrypted file system, the key for that filesystem is still going to be in a credentials file in plain text somewhere on the system, either in /etc/fstab or a credentials file.

A password management daemon could be useful for that. But making it secure without an interactive (challenge/response) might be difficult.

Charlie

[PMcCauley]

One way to do it is to have your samba only accessible by localhost and forward samba through ssh then you could use a key file. There is no getting around all the security problems. You will either have to enter the password to mount the drive of take the chance that it someone gets your key they would have access. Hashed or not a non-password protected key file could be used the same as the actual password. You could also use sshfs to mount ssh directly.

Code: Select all

emerge sshfs-fuse
sshfs remote-system-name:/remote-folder /media/mount-name

The only way someone should be able to gain access to a chmod 600 file is in a offline attack(boot live cd or whatever) or possibly a vunerablity in a root-enabled program. Setting up shared keys between the systems would probably be easiest.


Patrick

[humbletech99]

yeah, but this is quite easy to work around and just read the info off disk, but it really what I will have to resort to otherwise...

But don't you have to be root to read the 0600 chmodded credential file? I'm really interested in the workaround you mentioned.

reboot the machine into knoppix. steal a machine, pull out the hard disk, load another os etc. etc.

[humbletech99]

I need to stick to SMB since I'm in a heterogenous environment...