Posted on 09/09/2014

In almost all cases, when mounting a CIFS-share on a Linux host, you will need to supply some credentials. Either you could enter the credentials by hand every time you need the share or add the credentials to /etc/fstab to automatically mount the share. Entering the password manually is secure but not comfortable, leaving the password in /etc/fstab is comfortable but not secure since the file /etc/fstab is world readable.

Generally, it’s a good idea to password protect shares since you don’t want everyone to freely have access to a share. The “problem” you have with that, if you want to automatically mount the share on your Linux-system, is that the password needs to be saved somewhere or entered manually. For obvious reasons, entering the password every time you need the share isn’t very convenient. Especially not when you want the share to be automatically mounted on boot. This article is about how to avoid manually mounting a Windows share and still keep the credentials secure.

Installing CIFS support

A share created on a Windows-machine can be used on a Linux box by using the CIFS file system. CIFS (Common Internet File System) is a dialect of SMB (Server Message Block).

First thing to do before we are able to use a CIFS-share on our Linux machine is to make sure that it understands how to talk CIFS and thus has support for the CIFS file system.

To check which file systems are supported on your machine:

[jensd@cen ~]$ cat /proc/filesystems

nodev sysfs

nodev rootfs

nodev bdev

nodev proc

nodev cgroup

nodev cpuset

nodev tmpfs

nodev devtmpfs

nodev debugfs

nodev securityfs

nodev sockfs

nodev pipefs

nodev anon_inodefs

nodev configfs

nodev devpts

nodev ramfs

nodev hugetlbfs

nodev autofs

nodev pstore

nodev mqueue

nodev selinuxfs

xfs

nodev rpc_pipefs

nodev nfsd

nodev binfmt_misc

As you can see in the above list, CIFS is not there. This means that we’ll have to install the necessary packages to support CIFS. In case you were wondering (as I did), the nodev option means that such filesystem doesn’t require a block device but can be used as a virtual fs.

To install CIFS-support on RHEL/CentOS/SL and variants:

[jensd@cen ~]$ sudo yum install cifs-utils

...

Complete!

For Debian/Ubuntu/Mint and variants:

jensd@deb:~$ sudo apt-get install cifs-utils

When checking the entries in /proc/filesystems after installation, you should see CIFS:

[jensd@cen ~]$ cat /proc/filesystems |grep cifs

nodev cifs

On some Linux distro’s, filesystems do not appear in /proc/filesystems before the first use, even if it’s installed. In that case you can check which kernel modules are available for filesystems:

To look at the full list:

[jensd@cen ~]$ ls /lib/modules/$(uname -r)/kernel/fs/*/*ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/btrfs/btrfs.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/cachefiles/cachefiles.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/cifs/cifs.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/cramfs/cramfs.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/dlm/dlm.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/exofs/libore.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/ext4/ext4.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/fat/fat.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/fat/msdos.ko

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/fat/vfat.ko

...

To look for CIFS-support:

[jensd@cen ~]$ ls /lib/modules/$(uname -r)/kernel/fs/*/*ko|grep cifs

/lib/modules/3.10.0-123.el7.x86_64/kernel/fs/cifs/cifs.ko

Mount the CIFS share manually

After installing the packages and checking the filesystem support, our system should be able to mount a Windows/CIFS-share. The best way to be sure is simply to mount a CIFS-share:

[jensd@cen ~]$ sudo mount -t cifs //192.168.202.2/drive_e /mnt -o user=jensd

Password for jensd@//192.168.202.2/drive_e: **********

[jensd@cen ~]$ mount

...

//192.168.202.2/drive_e on /mnt type cifs (rw,relatime,vers=1.0,cache=strict,username=jensd,domain=TEST,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.202.2,file_mode=0755,dir_mode=0755,nounix,rsize=61440,wsize=65536,actimeo=1)

As you can see in the above output, we had to enter the password manually when mounting. To avoid entering the password, it is possible, next to the username, to supply the password directly on the command but this means it’s readable by everyone looking at your screen or previously entered commands.

Automatically mount the CIFS share

What we really want is to automatically mount the share on boot. For that, we basically have two options:

  • The first option is to create a small script with the above mount-command, including the password, and let it run on boot. The positive thing with this option would be that the script can be protected from being read by other users by changing the permissions. The negative part is that a simple mount or re-mount won’t work anymore since our mountpoint isn’t in /etc/fstab and that this isn’t really considered as a best practice solution.
  • The second, and best, option, is to add the mountpoint to /etc/fstab. The only problem we have there is that we will have to find a way to supply the credentials. The file /etc/fstab is readable by everyone, so to put the password directly in /etc/fstab isn’t really a good idea.

To continue with the second option, we’ll provide the credentials required in an external file. The file only contains the required username and password and we can restrict the file to be only readable by root. The fstab-entry contains only the path to the file.

The file providing the credentials which is made only readable by root:

[jensd@cen ~]$ sudo vi /root/.smbcred

[jensd@cen ~]$ sudo cat /root/.smbcred

username=jensd

password=secret

[jensd@cen ~]$ sudo chmod 400 /root/.smbcred

[jensd@cen ~]$ sudo ls -al /root/.smbcred

-r--------. 1 root root 36 Sep 9 15:43 /root/.smbcred

The line to automatically mount the share on boot in /etc/fstab:

[jensd@cen ~]$ cat /etc/fstab|grep /mnt

//192.168.202.2/drive_e /mnt  cifs  credentials=/root/.smbcred  0 0

The line in /etc/fstab consists out of 6 parts:

  • the remote location (//192.168.202.2/drive_e)
  • the local mountpoint (/mnt)
  • the type of filesystem (cifs)
  • the options (credentials=/root/.smbcred)
  • dump-option (0)
  • check/pass-option (0)

After adding the above line, we can simply mount our share without providing credentials. On top of that, the share should be mounted at boot time automatically

[jensd@cen ~]$ sudo mount /mnt/

The above seems to be a simple solution, and it is, but I still see too often that password are simply entered in /etc/fstab or that a “work-around-boot-script” is used in order to prevent other from knowing precious Windows-share passwords.

This entry was posted in CentOS, Debian, Linux, Red Hat, RHEL, Security, Windows by jensd. Bookmark the permalink.

Mount Windows (CIFS) shares on Linux with credentials in a secure way的更多相关文章

  1. Linux开发环境搭建三 使用mount -t cifs 挂载windows共享目录方法与问题解决

    转载链接:https://blog.csdn.net/fuyuande/article/details/82915800 嵌入式开发通常是在linux环境下编译,windows下开发,这就需要在lin ...

  2. Linux mount Windows目录

    [问题描述] Windows 机器192.168.1.103共享了 /share/yasi 目录,并且赋予了写的权限,在Windows机器下可以用 yasi/pass 登录.在一台CentOS 6.3 ...

  3. 创建cifs系统案例之“实现将Windows磁盘共享至Linux”

    原创作品,出自 "深蓝的blog" 博客,欢迎转载,转载时请务必注明出处,否则追究版权法律责任. 深蓝的blog:http://blog.csdn.net/huangyanlong ...

  4. smbclient和mount -t cifs共享win的共享文件夹? autocad小记

    插入U盘没有反应? 首先,打开设备管理器, 发现usb大容量设备为黄色感叹号 其次, 将这个usb大容量设备先卸载, 然后点击"自动扫描硬件变化",就可以重新自动安装usb的驱动. ...

  5. [转帖]windows CIFS sabma协议识

    windows CIFS sabma协议识别 https://www.cnblogs.com/tcicy/p/9992871.html 公司的一个共享服务器就是 win2003的 mount 的时候 ...

  6. How to mount Windows network disk in WSL

    Backgroud Mount samba directly in wsl like linux is difficult Password for root@//filesystem.domain/ ...

  7. VMware10中的CentOS6.5命令行安装VMwaretools工具启用windows与虚拟机中Linux系统的共享目录

    VMware10中的CentOS6.5命令行安装VMwaretools工具启用windows与虚拟机中Linux系统的共享目录 一.描述 系统描述:win7旗舰版64位系统+VMware Workst ...

  8. windows下能读写linux分区的软件 转

    1. ext2ifs 这个工具与explore2fs都是John Newbigin使用Delphi写的,explore2fs Copyright (C) 2000,Ext2IFS v0.3 Copyr ...

  9. windows nfs server for linux

    摘要 在开发嵌入式系统的过程中,为了方便调试与文件共享,需要使用到nfs,即网络文件系统,这位板子的调试测试带来了很大的方便.之前在linux系统下开发,与ARM11核心板 linux系统对接共享也比 ...

随机推荐

  1. zabbix通过SDK和API获取阿里云RDS的监控数据

    阿里云的RDS自带的监控系统获取数据不怎么直观,想要通过API获取数据通过zabbix显示,因为网上资料缺乏和其他一些原因,获取API签名很困难,但使用阿里云的SDK可以完美避开获取签名的步骤. 阿里 ...

  2. R语言与概率统计(一) 描述性统计分析

      #查看已安装的包,查看已载入的包,查看包的介绍 ########例题3.1 #向量的输入方法 w<-c(75.0, 64.0, 47.4, 66.9, 62.2, 62.2, 58.7, 6 ...

  3. 使用python装饰器计算函数运行时间的实例

    使用python装饰器计算函数运行时间的实例 装饰器在python里面有很重要的作用, 如果能够熟练使用,将会大大的提高工作效率 今天就来见识一下 python 装饰器,到底是怎么工作的. 本文主要是 ...

  4. Qt 字符映射表 显示图标

    一.利用字符映射表segmdl2.ttf,窗体显示字符图片. 在win10里面搜“字符映射表”,选择字体segmdl2.ttf,查看图标对应得16进制值.把此字体拷贝到程序的目录下. 二.使用 #if ...

  5. 字符串写入到json文件

    背景: PHP产生公告 ,发送到CGI ,在CGI把该公告的json 字符串写入到文件内(转义后的字符串) 通过 jsoncpp 操作 int write_notice_to_json(string ...

  6. IDEA 2019中一些有偏好设置

    1.取消启动时自动进入上一次工程: 路径:Setting ——> Appearance & Behavior ——> System Setting 取消勾选Reopen last ...

  7. webbench接口并发测试

    webbench接口并发测试 安装     安装工程中可能会出现确实Ctags的情况,可以进行命令安装: Ubuntu:apt install ctags Centos:yum install cta ...

  8. python基础知识(继承)

    继承的基本语法 class  Class(继承那个基类如果有多个基类用逗号隔开,如果没有就继承object): """ 类的帮助信息""" ...

  9. python-linux-集群nginx

    一命令基本格式 ----cd ~ 家 ----cd / 根 ---cd ..  上级 ----pwd  当前路径 ----ls -l   -a  -h ----权限rwxrwxrwx  755 二文件 ...

  10. 【C/C++开发】【VS开发】win32位与x64位下各类型长度对比

    64 位的优点:64 位的应用程序可以直接访问 4EB 的内存和文件大小最大达到4 EB(2 的 63 次幂):可以访问大型数据库.本文介绍的是64位下C语言开发程序注意事项. 1. 32 位和 64 ...