Asked by AL_XResearch

How to mount Windows shares on Linux and pass credentials

When mounting a folder to a Windows network share using cifs, I have the following questions:
  1. You can pass the username and password in a credentials file - but how can (should) you encrypt this file?
  2. What password is needed - the Windows password for the share or something else?
  3. Is it correct that you record the mount in '/etc/fstab' for instructions independent of users?
  4. Is '/etc/fstab' still valid for Ubuntu 16.04 LTS and forward or has this been replaced?
ASKER CERTIFIED SOLUTION
Kenza Cohen
This solution is only available to members.
ASKER

That is great, thanks.

I see when you are editing / creating the credentials file you use the '~/.smbcredentials' path so:
a) that is a hidden file under a user's home folder, shouldn't it be system wide? i.e. not specific to a user?
b) can you call the file anything you want or is it a fixed filename?
c) does this file need to belong to the root user and root group? File permissions wise.
You generally create the file under root, once it's there no-one will be able to see it.

I would keep the file name the same so you don't forget what the file is.

As soon as you create it as root it will auto own and group the file
I forgot to mention when you restart it should automount, if you need to be able to chmod files there is a tweak to the line though
The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp

In testing this between Ubuntu 18.04 LTS and Windows 10, sec=ntlm failed for me. I ended up modifying it as so:

//10.0.0.10/share /mount cifs cred=/home/gheward/.smbcreds,iocharset=utf8,sec=ntlmsspi,seal 0 0

sec=arg
              Security mode. Allowed values are:

              · none - attempt to connection as a null user (no name)

              · krb5 - Use Kerberos version 5 authentication

              · krb5i  -  Use  Kerberos authentication and forcibly enable
                packet signing

              · ntlm - Use NTLM password hashing

              · ntlmi - Use NTLM password hashing and force packet signing

              · ntlmv2 - Use NTLMv2 password hashing

              · ntlmv2i - Use NTLMv2 password  hashing  and  force  packet
                signing

              · ntlmssp  - Use NTLMv2 password hashing encapsulated in Raw
                NTLMSSP message

              · ntlmsspi - Use NTLMv2 password hashing encapsulated in Raw
                NTLMSSP message, and force packet signing

              The  default  in  mainline kernel versions prior to v3.8 was
              sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.
Thanks Kenzan - Giovanni.

So
a) do you encrypt the file (in which case how and what command do you use to indicate the encryption type) or just rely on user file permissions?
b) why is the file created under the 'home' folder as opposed to somewhere else (like '/etc/') ?
File is created under home as it's more secure and most session details are there.

I wouldn't encrypt it as the way I demonstrated is secure

If you consider this question closed please mark the relevant answer as the solution.
There was another recent EE question about this.

Someone did some testing + determined this works.

chmod 600 /etc/fstab

So you can either change /etc/fstab permissions or use an external file, per above.
Thanks David, I understand about the file permissions for 'fstab' but I am asking about encryption for the external file.

Just concerned if someone hacked the admin account they could see the credentials for the Windows box too by reading the fstab whereas if the file is encrypted this will make it harder.
Hi Al,
You can just create yourself a normal user account on the server and disable root login to just su root when you are logged in as the normal user.

Alternatively use private key authentication for ssh :)
Kenza: I am not sure I know what you mean, or we're talking at cross purposes.

I don't see how creating a user and putting them in the sudo group is going to help protect the contents of the file.

My point is that if someone were able to gain access to the Linux box using either root or a 'normal' account that had sudo permissions they could just read the file and know how to login to the Windows box.

Aside from the various ways of securing the file, is there a way to encrypt the file so it is not readable ?
There is not I'm afraid, I'd just use a private key through ssh to connect rather than passwords.
Thanks for the confirmation.

Sorry I thought you meant use SSH to connect to the machine but do you mean SSH to connect the share ? I didn't know that was possible.

Otherwise I don't see how SSH helps since you will still need a user account to log in with and we are back to the same situation.
No I mean using a private key to allow access to the Linux server that way it security proofs your server :)
@AL_XResearch - What version of Windows are you running?  Depending on the version, you may be able to enable SSH server natively if you prefer.

Also, since it wasn't mentioned yet... (if this scenario will work for you), you can remove the password line altogether in your ~/.smbcreds file and it will prompt you for the password manually each time you mount.
Kenza: that is what I mean, even when you use SSH you still need to login to the target server so there seems no benefit.

Giovanni; I know both of those
Yes, but with the private key you will always need the key and the passphrase rather than a username to log in to the Linux box; other than that there is nothing else you can do
As long as the .smbcreds file is under /root/ no other users can read it and that is the safest you can get
Yes, but what I am trying to point out is that root can see the file in plain text, so if someone manages to log in (via password or SSH key file) they can find the password, whereas if it was encrypted that adds more protection

If encrypting the file is not possible then this tangent is pointless (although interesting).
I have given you the best option to mount it so the initial question is resolved.

The security around it is a different matter but either change the ssh port to a non-standard one or add a private key or do both and that should provide sufficient protection.

In the meantime, if you are happy the solution is fixed please mark a solution.
I am talking about point 1 of my opening question, but I am getting the impression that encryption is not possible and that only restricting access to the box is possible, correct?
That is correct :)
With Windows to Linux this is the only way to do it; with Linux to Linux there are easier ways like IP whitelisting
Kenza. That is excellent, thanks.

Although I am only interested in Windows for this question can you send me a link in 'IP whitelisting' and Linux to Linux. I can't see how this would have any impact assist apart from restricting access in a different way. Cheers
If you look at the software OpenMediaVault which is a control panel for NAS's etc. you will see all of the benefits of linux to linux etc.

No worries at all, feel free to mark this question as resolved and should you have any more queries please feel free to ask another question :)
Yes, I have a VM of OpenMediaVault which I was looking at when I was trying to set up my own NAS using a Raspberry Pi. Waiting until they come out with a 1Gb LAN port and USB 3.0. Never looked behind the scenes on how it mounted drives
Thanks to all for your help.
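
Added example, not part of the thread or of any participant's answer: since the discussion settles on file permissions rather than encryption, this sketch audits an fstab-format file for the three things the thread touches on (a password written into fstab itself, a credentials file readable beyond its owner, and the sec= mode). The function names, the svc_share account and the /mnt/a to /mnt/c entries are constructed for illustration, and reporting sec=ntlm / sec=ntlmi as findings is this example's assumption.

```shell
#!/bin/sh
# Added example: audit cifs entries in an fstab-format file.
# Prints "<mountpoint>: <finding>" per issue; prints nothing for a clean file.
audit_cifs_fstab() {
    grep -v '^[[:space:]]*#' "$1" | while read -r dev mnt type opts _rest; do
        [ "$type" = "cifs" ] || continue
        cred=""
        old_ifs=$IFS; IFS=,            # walk the comma-separated option list
        for o in $opts; do
            case $o in
                password=*|pass=*) echo "$mnt: password stored inline in fstab" ;;
                credentials=*|cred=*) cred=${o#*=} ;;
                sec=ntlm|sec=ntlmi) echo "$mnt: legacy NTLM mode ${o#sec=}" ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
            continue
        fi
        mode=$(stat -c '%a' "$cred")   # GNU stat; octal permission bits
        case $mode in
            *00|0) ;;                   # no group/other access, e.g. 600 or 400
            *) echo "$mnt: $cred has mode $mode, group/other can access it" ;;
        esac
    done
}

# Constructed sample input: inline password, loose credentials file, clean entry.
demo() {
    d=$(mktemp -d)
    printf 'username=svc_share\npassword=example-only\n' > "$d/loose"
    cp "$d/loose" "$d/tight"
    chmod 644 "$d/loose"; chmod 600 "$d/tight"
    cat > "$d/fstab" <<EOF
# constructed fstab for the example
//10.0.0.10/a /mnt/a cifs username=svc_share,password=example-only,sec=ntlm 0 0
//10.0.0.10/b /mnt/b cifs cred=$d/loose,iocharset=utf8,sec=ntlmsspi,seal 0 0
//10.0.0.10/c /mnt/c cifs credentials=$d/tight,sec=ntlmsspi,seal 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}
demo
```

Run against the real file with audit_cifs_fstab /etc/fstab; the mode check only covers permission bits, so ownership of the credentials file still needs a separate look.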