[CentOS] CIFS Share with encrypted credentials

[Billy Crook]

On Tue, Oct 1, 2013 at 9:06 AM, Dolev Farhi <dolev at sys-blog.net> wrote:
> I have a CIFS share that I mount on a CentOS6.4.
>
> Currently I am keeping the password in a regular hidden file, for
> example /test/.cred with the username and password.
> the /etc/fstab directive points to that file.
> for example:
>
> //10.0.0.1/share     /mnt        cifs
> defaults,credentials=/test/.cred
>
> Since this file is readable by the root user, I figured if there might
> be a way to encrypt this file, and with decrypt this file with a script
> so the mount will succeed, and then encrypt it again. or maybe there is
> another way of doing this? any ideas?

What kind of root would be able to read your .cred file, and not be
able to read your script?

The best way to keep the credentials out of root's hands would be to
do the mount yourself, manually, each time.  It wouldn't surprise me
though if that left the PW in memory somewhere.

Or perhaps use a command-locked ssh key to run the mount command from
a remote computer.  On that remote computer, use 'expect' to feed the
cifs credentials through ssh to the remotely running mount command.
Of course it would be trivial for the remote admin to swap your ssh
key locked command for a malicious script that captures and posts your
credentials to facebook, but at least this prevents STORING them on
the remote system.  They could also swap out openssh for a trojaned
version that logs everything.

If you don't trust root, that is the bigger problem, solve you must first.

There are also pam modules you could run on the cifs server that do
non-traditional authentication, for instance using single-use tokens
instead of (reusable) passwords.  (Or you could change the password
after each mount).  Perhaps things like kerberos tokens would help as
well.


-- 
Billy Crook • Network and Security Administrator • RiskAnalytics, LLC