LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 07-05-2013, 04:03 AM   #1
Expect
LQ Newbie
 
Registered: Jul 2013
Posts: 4

Rep: Reputation: Disabled
Samba share credentials encryption


Hello,

anyone knows how to encrypt a samba credentials file that will still be usable while mounting?
in /etc/fstab I have the following
//share/folder /mnt cifs defaults,soft,credentials=/path/to/cred 0 0

in the cred file I have:
username=user
password=password

can it be encrypted / hidden in someway but still be readable for the root user?
 
Old 07-05-2013, 09:13 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,458

Rep: Reputation: Disabled
You can set permissions to 600 and ownership to root:root. This restricts access to root only, which is the whole point of having a separate credentials file (/etc/fstab has to be world-readable).

It is not possible to encrypt the username or password. smbclient needs access to the plaintext password in order to mount the share.
 
Old 07-12-2013, 10:32 AM   #3
Expect
LQ Newbie
 
Registered: Jul 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks alot for the answer
 
Old 07-12-2013, 01:43 PM   #4
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,630

Rep: Reputation: 495Reputation: 495Reputation: 495Reputation: 495Reputation: 495
Quote:
Originally Posted by Ser Olmy View Post
It is not possible to encrypt the username or password. smbclient needs access to the plaintext password in order to mount the share.

this is not correct:

https://www.samba.org/samba/docs/man...bclient.1.html

Quote:
-e|--encrypt
This command line parameter requires the remote server support the UNIX extensions. Request that the connection be encrypted. This is new for Samba 3.2 and will only work with Samba 3.2 or above servers. Negotiates SMB encryption using GSSAPI. Uses the given credentials for the encryption negotiation (either kerberos or NTLMv1/v2 if given domain/username/password triple. Fails the connection if encryption cannot be negotiated.
also a fast google search will return loads of info on encrypted p/w with SAMBA:

https://www.google.com/search?q=smbc...hrome&ie=UTF-8
 
Old 07-12-2013, 02:22 PM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 16,015

Rep: Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848Reputation: 1848
An encrypted credential file or encrypted password in the credential file is not the same thing as an encrypted connection.
Quote:
-U|--user=username[%password]

Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The client will first check the USER environment variable, then the LOGNAME variable and if either exists, the string is uppercased. If these environmental variables are not found, the username GUEST is used.

A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details.

Be cautious about including passwords in scripts. Also, on many systems the command line of a running process may be seen via the ps command. To be safe always allow rpcclient to prompt for a password and type it in directly.
 
1 members found this post helpful.
Old 07-12-2013, 05:45 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,458

Rep: Reputation: Disabled
Quote:
Originally Posted by lleb View Post
this is not correct:
Actually, it is. You're quite right in that an SMB/CIFS session can (and usually is) negotiated without sending the unencrypted password across the network, but the client still needs access to the plaintext password in order to properly encrypt it during the authentication phase.
 
1 members found this post helpful.
Old 07-12-2013, 07:48 PM   #7
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,630

Rep: Reputation: 495Reputation: 495Reputation: 495Reputation: 495Reputation: 495
thank you for the correction. always good to learn.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Encryption on Samba share diamond_D Linux - Server 1 04-10-2012 06:39 PM
Mounting a smb-share on logon with likewise-open credentials obban Linux - Networking 2 04-23-2009 07:55 AM
Mount SMB Share with Users Login Credentials?? johnson8707 Linux - Software 1 02-25-2009 04:43 PM
Mount an SMB Share with a user's login credentials?? johnson8707 Linux - General 1 02-25-2009 12:59 PM
smbclient [share] -k works, but nautilus still asks for credentials. mikeyt_333 Linux - Networking 1 09-08-2005 05:48 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 11:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration