18

I am currently using cifs to mount some network shares (that require authentication) in /etc/fstab. It works excellently, but I would like to move the authentication details (username/pass) outside of fstab and be able to chmod it 600 (as fstab can have issues if I were to change its permissions). I was wondering if it is possible to do this (many-user system, don't want these permissions to be viewable by all users).

from:

//server/foo/bar /mnt/bar cifs username=user,password=pass,r 0 0

to:

//server/foo/bar /mnt/bar cifs <link to permissions>,r 0 0

(or something analogous to this). Thanks.

TJ L
  • 424
  • 3
  • 7
  • 18

4 Answers4

15

From the mount.cifs manpage:

credentials=filename
    specifies a file that contains a username and/or password. The format of the file is:

                         username=value
                         password=value
   This is preferred over having passwords in plaintext in a shared file, such as /etc/fstab. Be sure to protect any credentials file properly.

janneb
  • 3,761
  • 18
  • 22
  • 4
    Note that the vague "Be sure to protect any credentials file properly." usually means you should save the file (as root) to `/root/`, and `chmod 700` it – Nate Parsons Apr 27 '12 at 16:46
  • 1
    my connection also needs `domain=value` part – vladkras Nov 18 '16 at 08:52
  • 4
    I had hoped the situation would be different *seven years later*, but sadly, it seems this is still the 'best' answer. And it's not remotely secure. Every single person with `sudo` access to the server can read `.smbcredentials`. In my case, the file would contain—unless I conned somebody else into giving up theirs—_my_ Windows login creds. Like, the same single-sign-on credentials I use to access _all_ of the systems at Evil Corp, including payroll, benefits, etc? Seems fraught with peril. Something like this may be a bit safer: https://askubuntu.com/a/1081421. – evadeflow Jan 03 '19 at 18:48
  • 4
    The syntax of that file is delicate. Do not put empty lines or even `# comments` in there. – David Tonhofer Feb 01 '19 at 11:28
9

Use the credentials option such as:

http://www.justlinux.com/nhf/Filesystems/Mounting_smbfs_Shares_Permanently.html

Example from the website:

cd
echo username=mywindowsusername > .smbpasswd
echo password=mywindowspassword >> .smbpasswd
chmod 600 .smbpasswd

Substitute your Windows username and password in the commands. No one else except root would be able to read the contents of this file.

Once that is created, you would modify the line in the /etc/fstab file to look like this:

//servername/sharename /mountdirectory smbfs credentials=/home/myhomedirectory/.smbpasswd 0 0

example from /etc/fstab:

//server/share/   /mnt/localmountpoint   cifs   credentials=/root/.creda

janneb's post and the link to man page show what needs to be present in the credentials file.

damorg
  • 1,198
  • 6
  • 10
  • 2
    Thanks, both answers were helpful (I should have read the manpages). If I could mark 2 answers as the correct answer I would. – TJ L Jan 13 '11 at 16:36
  • no worries...once I saw janneb's answer, it was clear the answer was covered :) – damorg Jan 13 '11 at 17:16
6

So I'm accumulating both answers

  1. Create file, e.g. /root/.cifs

    username=value
    password=value
    domain=value (optional)
    
  2. set permission 600 (rw- permission) to protect your credentials

    # chmod 600 /root/.cifs
    
  3. pass credentials=/root/.cifs to your command instead of username= and password=

vladkras
  • 171
  • 1
  • 7
  • 2
    Extra-minor comment: The `chmod` is not needed, as the home directory of root `/root` is hopefully `rwx------` already. – David Tonhofer Feb 01 '19 at 11:29
  • I had problems using only username and password, when I tried to mount a Windows shared folder, on Red Hat Linux. I succeeded only after adding the domain to the credentials file. It seemed to me that, in this case, the domain information is very advisable. – aldemarcalazans Mar 12 '20 at 16:54
2

Could try cifscloak

pip3 install cifscloak

https://github.com/sudoofus/cifscloak

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-ask). – Community Sep 14 '21 at 05:05
  • Thank you, Darren. It is useful for me. – K-att- Sep 22 '22 at 07:51