
smbclient add smb auto and have the password stored encrypted

Hi, I'm just looking at a way to mount shares at startup time in a secure way.
This here is a good solution:
http://www.experts-exchange.com/Operating_Systems/Linux/Q_21423927.html?query=mount+smb+at+startup&clearTAFilter=true
but the credentials file is stored in clear text like this:
username=mywindowsusername
password=mywindowspassword
I have also been looking at
http://linuxformat.co.uk/modules.php?op=modload&name=PNphpBB2&file=viewtopic&p=22724
where smbutil crypt is described. But this encryption is just a scramble of the password and gives no protection.
(And I can't find a way to get smbutil anyway. It seems nobody has made a package of it for Debian/Ubuntu.)
Anyone with some good comments on this?
Asked by: thor918
pjedmond Commented:
Novell and Suse have another approach using ncpfs:

http://www.novell.com/coolsolutions/trench/16445.html

but otherwise, you need to use the more mainstream credentials approach:

http://www.fedoraforum.org/forum/archive/index.php/t-2696.html

The credentials file can obviously be protected by changing the file permissions.

However, you've already looked at this :)

I next have to ask why you want something to be automatically mountable without user intervention. Assuming that it is a convenience issue, then the credentials file owned by the user concerned is sufficient, because obtaining the password requires having got access to that particular user, which means that even if they couldn't read the password, they could read all the information that it protects. (The obvious issue is that the user might have all their passwords identical and the user:pass combination provides access to other restricted areas.) Therefore, what alternative are you after? If the credentials file is not considered secure enough, then you are assuming that the Linux system itself is not secure, in which case, why are you allowing an assumed insecure operating system to automatically mount a protected share? If this is the case, then the auto mount of the share should be removed from fstab, and replaced with perhaps an alias (for convenience) which allows the user to mount the partition, but requires the user to provide a password.

The only other acceptable approach (perhaps useful if the person needs multiple password protected partitions mounted) is to run a script that mounts a small encrypted partition. This *must* require a password from the user. Once the password is entered, then a script with the passwords in clear can be run from within this encrypted drive. This does however have its disadvantages, such as memory images/caches of parts of the encrypted drive. Windows suffers from exactly the same sort of problem.

How does Windows get around this process? Well, it can provide a centralised login into a domain, and once authenticated, the user can log in to other resources in the same domain without providing the user:pass combination. So...guess what?....you can do a similar thing with Samba! - Samba has the capability to provide a similar service as a PDC or SDC:

http://daniel.fiser.cz/?go=samba

If you're absolutely paranoid, create an encrypted VPN and make the share only available on the VPN. Use signed keys and ensure that they are password protected. For convenience you could use ssh agents to hold the appropriate authentication keys for you. A nice introduction to this type of thing is:

http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/

However, *remember*, although a sysadmin is responsible for security, they also have to ensure that the user can use it! Ultimately you have to strike a balance and make a risk assessment as to how secure you want the system to be, and decide what type of security checks you wish to make. Want to guarantee security? Disconnect the PC, don't switch it on, and then lock it in the thickest bank vault that you can get access to. Hmmm....but then no one could use it.....
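
The answer above relies on the credentials file being protected by its file permissions, which can be checked mechanically. The following is an added example, not part of the original thread: a POSIX shell function (the name audit_smb_fstab and the finding labels are made up here) that scans an fstab-style file for smbfs/cifs entries and flags passwords written inline in the options, missing credentials files, and credentials files readable by group or others.

```shell
#!/bin/sh
# Added example: audit smbfs/cifs entries in an fstab-style file.
# Usage: audit_smb_fstab /etc/fstab
# Prints one finding per line; returns 1 if anything was found.
audit_smb_fstab() {
    fstab=$1
    findings=0
    # fstab fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts _rest; do
        case $dev in ''|'#'*) continue ;; esac
        case $fstype in smbfs|cifs) ;; *) continue ;; esac
        cred=
        old_ifs=$IFS; IFS=,
        for opt in $opts; do
            case $opt in
                password=*|pass=*)
                    # fstab is normally world-readable, so this leaks
                    echo "INLINE_PASSWORD $mnt"
                    findings=$((findings + 1)) ;;
                credentials=*|cred=*)
                    cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "MISSING_CREDENTIALS $mnt $cred"
            findings=$((findings + 1))
            continue
        fi
        # ls -ld mode string: chars 5-10 are the group and other bits
        mode=$(ls -ld "$cred" | cut -c1-10)
        case $mode in
            ????------) ;;   # owner-only access, e.g. -rw-------
            *) echo "LOOSE_PERMISSIONS $mnt $cred $mode"
               findings=$((findings + 1)) ;;
        esac
    done < "$fstab"
    [ "$findings" -eq 0 ]
}
```

A credentials file that passes this check is still readable by its owner and by root, which is the limit the answer describes.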

canali Commented:
I'm interested in this question (automounting Windows shares).

Automount
The problem with using automount is that Samba requires a username and password to mount a share. The username is not a problem but the password can be problematic. The solution I devised is a small daemon which collects passwords on login. A new PAM module takes the supplied password which has been verified by another PAM module and tells the smbpw daemon.

When an attempt is made to mount a home directory, automount first executes a small program called smbautomount which looks up the user details and builds an automount map string. Based on this string, automount then invokes mount which in turn invokes mount.smb. It connects to the smbpw daemon and asks for the user's password. In this way, the automount can occur without any user interference.....

extract from:
http://uranus.it.swin.edu.au/~jn/linux/smbfs/

Gas
thor918 (Author) Commented:
Thanks for the comments.
By the way, I tested the smbutil crypt. It's useless on Windows shares. I guess it sends the whole crypted string to the share PC.
I was thinking it decrypted it and then sent it.
Anyway, the algorithm is too weak, as it says it only scrambles (doing some adding, subtracting and XOR on each char is all that is done).

Hmm, that automount is interesting.