Gentoo Forums
Hiding smb mount password in fstab? Hashing?
humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Thu Mar 23, 2006 9:48 am    Post subject: Hiding smb mount password in fstab? Hashing?

Hi,
I'm looking for a way to hide my credentials in fstab for lines like
Code:
//hostname/share   /mnt/sharename   smbfs   defaults,username=user%password       0      0

The problem with the above line is that it appears in the process list and that the password is in cleartext. Using credentials=file is a better start but this is still in plaintext. Can't I hash the password with md5 or something?
_________________
The Human Equation:

value(geeks) > value(mundanes)

unclecharlie
Apprentice

Joined: 19 Dec 2005
Posts: 186
Location: Colorado, USA

Posted: Thu Mar 23, 2006 2:43 pm    Post subject: i know...

humbletech99,

Yeah it sucks. I've been pondering other solutions to that one myself. MD5 won't work. It's not reversible. The simple option is to keep the credentials file on a keychain USB drive and use it like a key. Other options include making an encrypted loopback filesystem and keeping the credentials file there. But that presents its own problems.

I'd love to hear anyone's ideas on a solution for this.

Charlie

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Thu Mar 23, 2006 3:16 pm

The keychain won't work as this is for servers, but the loopback encryption is interesting, couple of drawbacks though:

1. You'd have to set up the loop after boot so again no good for fstab.
2. Once you mount the loop to access the credentials file it's plain text readable again

Argg, this is such an obvious problem, why isn't there an obvious solution? If the password was stored as an ntlm hash, that would be better... you could send it straight but no human could know what it is or use it without using a custom written program to send it straight...
_________________
The Human Equation:

value(geeks) > value(mundanes)

toralf
Developer

Joined: 01 Feb 2004
Posts: 3942
Location: Hamburg

Posted: Thu Mar 23, 2006 3:26 pm

What about setting perms to 0600 on the credential file where you store the sensitive information?

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Thu Mar 23, 2006 4:10 pm

yeah, but this is quite easy to work around and just read the info off disk, but it's really what I will have to resort to otherwise...
_________________
The Human Equation:

value(geeks) > value(mundanes)

Vulpes_Vulpes
Apprentice

Joined: 10 Dec 2003
Posts: 264
Location: Amsterdam

Posted: Thu Mar 23, 2006 5:06 pm

humbletech99 wrote:
yeah, but this is quite easy to work around and just read the info off disk, but it's really what I will have to resort to otherwise...


But don't you have to be root to read the 0600 chmodded credential file? I'm really interested in the workaround you mentioned.

unclecharlie
Apprentice

Joined: 19 Dec 2005
Posts: 186
Location: Colorado, USA

Posted: Thu Mar 23, 2006 5:10 pm    Post subject: not the drawbacks I was thinking of...

humbletech99,

What I was pondering was this-
Even setting up an encrypted file system, the key for that filesystem is still going to be in a credentials file in plain text somewhere on the system, either in /etc/fstab or a credentials file.

A password management daemon could be useful for that. But making it secure without an interactive (challenge/response) might be difficult.

Charlie

PMcCauley
Apprentice

Joined: 14 Mar 2006
Posts: 283
Location: Alberta, Canada

Posted: Thu Mar 23, 2006 5:29 pm

One way to do it is to have your samba only accessible by localhost and forward samba through ssh; then you could use a key file. There is no getting around all the security problems. You will either have to enter the password to mount the drive or take the chance that if someone gets your key they would have access. Hashed or not, a non-password protected key file could be used the same as the actual password. You could also use sshfs to mount ssh directly.
Code:
emerge sshfs-fuse
sshfs remote-system-name:/remote-folder /media/mount-name

The only way someone should be able to gain access to a chmod 600 file is in an offline attack (boot live cd or whatever) or possibly a vulnerability in a root-enabled program. Setting up shared keys between the systems would probably be easiest.


Patrick
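
An added example (not code from any poster in this thread): a small Python audit for the two weaknesses discussed above, a password embedded in an fstab SMB entry and a credentials file that is accessible to anyone but its owner. The function names and the sample entries are constructed for illustration; `owner_uid` is a parameter (default root) so the demo can run unprivileged.

```python
import os
import stat
import tempfile

def check_credentials_file(path, owner_uid=0):
    """Flag a credentials file that anyone but its expected owner can access."""
    try:
        st = os.stat(path)
    except OSError:
        return ["credentials file missing or unreadable: " + path]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit set
        problems.append("credentials file mode %04o, expected 0600" % mode)
    if st.st_uid != owner_uid:
        problems.append("credentials file not owned by uid %d" % owner_uid)
    return problems

def audit_fstab(fstab_text, owner_uid=0):
    """Return (line_no, finding) pairs for smbfs/cifs entries in fstab text."""
    findings = []
    for no, line in enumerate(fstab_text.splitlines(), 1):
        fields = line.split()  # device, mount point, fs type, options, dump, pass
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] not in ("smbfs", "cifs"):
            continue
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            if key in ("password", "pass") or (key in ("username", "user") and "%" in value):
                findings.append((no, "password inline in fstab"))
            elif key in ("credentials", "cred"):
                findings.extend((no, p) for p in check_credentials_file(value, owner_uid))
    return findings

def demo():
    """Audit a constructed fstab that points at two temporary credentials files."""
    d = tempfile.mkdtemp()
    for name, mode in (("good.cred", 0o600), ("bad.cred", 0o644)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("username=user\npassword=constructed-example\n")
        os.chmod(os.path.join(d, name), mode)
    fstab = "\n".join([
        "# constructed sample entries",
        "//hostname/share /mnt/a smbfs defaults,username=user%password 0 0",
        "//hostname/share /mnt/b smbfs defaults,credentials=%s/good.cred 0 0" % d,
        "//hostname/share /mnt/c cifs defaults,credentials=%s/bad.cred 0 0" % d,
    ])
    return audit_fstab(fstab, owner_uid=os.getuid())

if __name__ == "__main__":
    print("\n".join("fstab line %d: %s" % f for f in demo()))
```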

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Thu Mar 23, 2006 5:32 pm

Vulpes_Vulpes wrote:
humbletech99 wrote:
yeah, but this is quite easy to work around and just read the info off disk, but it's really what I will have to resort to otherwise...


But don't you have to be root to read the 0600 chmodded credential file? I'm really interested in the workaround you mentioned.

Reboot the machine into knoppix. Steal a machine, pull out the hard disk, load another os etc. etc.
_________________
The Human Equation:

value(geeks) > value(mundanes)

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Thu Mar 23, 2006 5:34 pm

I need to stick to SMB since I'm in a heterogenous environment...
_________________
The Human Equation:

value(geeks) > value(mundanes)