Solved

smbclient add smb auto and have the password stored encrypted

Posted on 2006-06-18
Last Modified: 2013-12-16
Hi, I'm just looking for a way to mount shares at startup time in a secure way.
This here is a good solution:
http://www.experts-exchange.com/Operating_Systems/Linux/Q_21423927.html?query=mount+smb+at+startup&clearTAFilter=true
But the credentials file is stored in clear text like this:
username=mywindowsusername
password=mywindowspassword
I have also been looking at
http://linuxformat.co.uk/modules.php?op=modload&name=PNphpBB2&file=viewtopic&p=22724
where smbutil crypt is described. But this encryption is just a scramble of the password and gives no protection.
(And I can't find a way to get smbutil anyway. It seems nobody has made a package of it for Debian/Ubuntu.)
Anyone with some good comments on this?
Question by:thor918
3 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 150 total points
Novell and Suse have another approach using ncpfs:

http://www.novell.com/coolsolutions/trench/16445.html

but otherwise, you need to use the more mainstream credentials approach:

http://www.fedoraforum.org/forum/archive/index.php/t-2696.html

The credentials file can obviously be protected by changing the file permissions.

However, you've already looked at this:)

I next have to ask why you want something to be automatically mountable without user intervention. Assuming that it is a convenience issue, then the credentials file owned by the user concerned is sufficient, because in order to obtain the password an attacker must have got access to that particular user, which means that even if they couldn't read the password, they could read all the information that it protects. (The obvious issue is that the user might have all their passwords identical, and the user:pass combination might provide access to other restricted areas.) Therefore, what alternative are you after? If the credentials file is not considered secure enough, then you are assuming that the Linux system itself is not secure, in which case, why are you allowing an assumed insecure operating system to automatically mount a protected share? If this is the case, then the auto mount of the share should be removed from fstab and replaced with perhaps an alias (for convenience) which allows the user to mount the partition, but requires the user to provide a password.

The only other acceptable approach (perhaps useful if the person needs multiple password-protected partitions mounted) is to run a script that mounts a small encrypted partition. This *must* require a password from the user. Once the password is entered, a script with the passwords in clear can be run from within this encrypted drive. This does however have its disadvantages, such as memory images/caches of parts of the encrypted drive. Windows suffers from exactly the same sort of problem.

How does Windows get around this process? Well, it can provide a centralised login into a domain, and once authenticated, the user can log in to other resources in the same domain without providing the user:pass combination. So...guess what?....you can do a similar thing with Samba! Samba has the capability to provide a similar service as a PDC or SDC:

http://daniel.fiser.cz/?go=samba

If you're absolutely paranoid, create an encrypted VPN and make the share only available on the VPN. Use signed keys and ensure that they are password protected. For convenience you could use ssh agents to hold the appropriate authentication keys for you. A nice introduction to this type of thing is:

http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/

However, *remember*, although a sysadmin is responsible for security, they also have to ensure that the user can use it! Ultimately you have to strike a balance and make a risk assessment as to how secure you want the system to be, and decide what type of security checks you wish to make. Want to guarantee security? Disconnect the PC, don't switch it on, and then lock it in the thickest bank vault that you can get access to. Hmmm....but then no one could use it.....

0
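
The owner-only credentials file from the accepted answer, as an added example that is not part of the original thread: one function writes the file so it is never readable by group or other, the second audits an existing file before it is referenced from fstab. The function names `write_cred_file` and `check_cred_file` are hypothetical, GNU `stat` is assumed, and all sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Requires GNU stat (-c). All sample values below are constructed.

# Create the credentials file owner-only from the first byte written.
# The password is read from stdin so it never appears in argv or history.
write_cred_file() {   # usage: write_cred_file PATH USERNAME < password
    ( umask 077
      rm -f -- "$1"   # an existing file would keep its old, wider mode
      IFS= read -r pw || exit 1
      printf 'username=%s\npassword=%s\n' "$2" "$pw" > "$1" )
}

# Return 0 only if PATH is a regular file, owned by the caller, with no
# group/other permission bits, and holds both expected keys.
check_cred_file() {
    f=$1
    if [ -L "$f" ]; then echo "FAIL: $f is a symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL: $f is not a regular file"; return 1; fi
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: $f is owned by uid $owner"; return 1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $f has mode $mode, group/other bits set"; return 1
    fi
    grep -q '^username=' "$f" || { echo "FAIL: no username= line"; return 1; }
    grep -q '^password=' "$f" || { echo "FAIL: no password= line"; return 1; }
    echo "OK: $f (mode $mode)"
}

# Demo on a throwaway directory.
demo=$(mktemp -d)
printf '%s\n' 'constructed-password' | write_cred_file "$demo/cred" mywindowsusername
check_cred_file "$demo/cred"             # passes: mode 600
chmod 644 "$demo/cred"
check_cred_file "$demo/cred" || true     # fails: group/other bits set
rm -rf "$demo"
```

Run the check as the account that performs the mount (root for an fstab entry), since the ownership test compares against the calling user.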
 
LVL 14

Assisted Solution

by:canali
canali earned 100 total points
I'm interested in this question (automounting Windows shares).

Automount
The problem with using automount is that Samba requires a username and password to mount a share.  The username is not a problem but the password can be problematic.  The solution I devised is a small daemon which collects passwords on login.  A new PAM module takes the supplied password which has been verified by another PAM module and tells the smbpw daemon.

When an attempt is made to mount a home directory, automount first executes a small program called smbautomount which looks up the user details and builds an automount map string.  Based on this string, automount then invokes mount which in turn invokes mount.smb.  It connects to the smbpw daemon and asks for the user's password.  In this way, the automount can occur without any user interference.....

extract from:
http://uranus.it.swin.edu.au/~jn/linux/smbfs/

Gas
0
 
LVL 2

Author Comment

by:thor918
Thanks for the comments.
By the way, I tested the smbutil crypt. It's useless on Windows shares. I guess it sends the whole crypted string to the share PC.
I was thinking it decrypted it and then sent it.
Anyway, the algorithm is too weak, as it says it only scrambles (doing some adding, subtracting and XOR on each char is all that is done).

Hmm, that automount is interesting.
0
