/etc/fstab cifs/smbfs passwords in cleartext



ndv
28th May 2004, 03:26 PM
I'd like to write a line in fstab that mounts a share on a Windows 2000 (so SMBFS) and/or 2003 DC (so CIFS), but my problem is that I have to write a cleartext password... Is that necessary, or is there some md5/shadow solution?
Here is a sample of the option I am evaluating: //server/share /mnt/servershare/ noauto,username=xxx,password=yyy,uid=500,gid=500 1 2


thanks in advance
nicola

ghenry
20th June 2004, 01:37 PM
Create /home/username/.smbcredentials containing (in this format):


username=USERNAME
password=P@$$WORD


chmod 600 /home/username/.smbcredentials

So
//server/share /mnt/servershare/ noauto,username=xxx,password=yyy,uid=500,gid=500 1 2

Becomes:


//server/share /mnt/servershare/ noauto,credentials=/home/username/.smbcredentials,uid=500,gid=500 1 2
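
An added example, not part of the original posts: a shell audit that flags `//server/share` entries still carrying an inline `password=` option and checks that each `credentials=` file has the `chmod 600` permissions described above. The function names, the `cifs` type field and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab for SMB/CIFS entries that expose a password.
findings=0

# report MOUNTPOINT MESSAGE: print one finding and count it.
report() {
    echo "$1: $2"
    findings=$((findings + 1))
}

# check_cred MOUNTPOINT FILE: the credentials file must exist and carry no
# group/other permission bits (the "chmod 600" step from the answer).
check_cred() {
    if [ ! -f "$2" ]; then
        report "$1" "credentials file $2 not found"
    # Characters 5-10 of the ls mode string are the group and other bits.
    elif [ "$(ls -ld "$2" | cut -c5-10)" != "------" ]; then
        report "$1" "$2 is accessible beyond its owner, run chmod 600"
    fi
}

# audit_fstab FILE: returns 0 when clean, 1 when anything was reported.
audit_fstab() {
    findings=0
    while read -r dev mnt f3 f4 rest; do
        case $dev in //*) ;; *) continue ;; esac   # only //server/share lines
        # Options are field 4 of a full entry; the lines quoted in the thread
        # have no type field, which puts them in field 3. Scan both.
        for opt in $(printf '%s,%s' "$f3" "$f4" | tr ',' ' '); do
            case $opt in
                password=*) report "$mnt" "password stored inline in $1" ;;
                credentials=*) check_cred "$mnt" "${opt#credentials=}" ;;
            esac
        done
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample input (not from the thread): one inline password, one
# credentials file left world-readable, one set up as the answer describes.
demo=$(mktemp -d)
printf 'username=USERNAME\npassword=example\n' > "$demo/good"
cp "$demo/good" "$demo/loose"
chmod 600 "$demo/good"; chmod 644 "$demo/loose"
cat > "$demo/fstab" <<EOF
//server/a /mnt/a cifs noauto,username=xxx,password=yyy,uid=500,gid=500 0 0
//server/b /mnt/b cifs noauto,credentials=$demo/loose,uid=500,gid=500 0 0
//server/c /mnt/c cifs noauto,credentials=$demo/good,uid=500,gid=500 0 0
EOF
audit_fstab "$demo/fstab" || echo "findings: $findings"
```

Point it at the real file with `audit_fstab /etc/fstab`; /etc/fstab itself is normally world-readable, which is why an inline password there is reported regardless of other settings.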

micha
20th June 2004, 02:49 PM
The problem is that the password is still stored in plain text in a file. I guess CIFS is not yet ready for everyone...

ghenry
20th June 2004, 11:04 PM
Doesn't matter if it is encrypted as it is still sent across the wire in clear text.

wshawn
11th January 2005, 03:36 PM
Until Windows is developed to handle the encrypted text there is no reason to build it any other way than clear. You can lock it down on your system, but once it hits the network it's free game. This is actually a very old problem dating back to win95 and I have heard of no plans to change this.

A possible solution would be to make a "dummy" user on the system in question, using the Administration Settings and not the add user wizard.

Make him limited. Go into his docs and make a directory named LINUXSHARE and then add the REAL user access to that directory you want to share files with. This way you can keep sniffers from grabbing access to a legitimate account. You can also have this dummy user not in the login screen (which shouldn't be used outside of the control-alt-del screen anyway-- in other words no usernames listed) so as to keep it hidden a little better.

Turn on logging to see if anyone actually tries to logon as that user locally.

Another thought would be to add your Linux box as a member of the Domain Controller.

Just some thoughts....