[all variants] Using AutoFS to mount CIFS share without leaving unencrypted passwords



r.darwish
July 30th, 2011, 08:54 PM
I followed this howto (http://www.howtoforge.com/accessing_windows_or_samba_shares_using_autofs) in order to mount CIFS shares on demand. This works great, however, this guide suggests leaving my network passwords unencrypted on the disk. This is a very bad security practice, as the passwords can be easily retrieved by booting the computer using a different OS.

I was looking for a way to secure things up, so I came up with this solution: Instead of storing the passwords in plain text on the disk, I store them in a tar file encrypted using GPG. When I boot my system, I open this file to a directory in /dev/shm, and order AutoFS to retrieve the passwords from there.

This does the trick, but I presume this solution is not that secure, since /dev/shm content can be written to the swap partition. Is there any other solution which is a better security practice? Maybe using some sort of keyring service?
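
The swap concern raised in the post above can be checked mechanically. The following is an added example, not part of any post in this thread: it classifies the location of a credentials file by reading the kernel's mount and swap tables. The function names and the MOUNTS/SWAPS override variables are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: report whether a credentials path is on disk, on tmpfs that
# may be paged out to swap, or in RAM only.
# MOUNTS and SWAPS default to the live kernel tables; override them to test.
MOUNTS="${MOUNTS:-/proc/mounts}"
SWAPS="${SWAPS:-/proc/swaps}"

# fs_type PATH -> filesystem type of the longest mount point containing PATH
fs_type() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); t = $3 } }
        END { print t }' "$MOUNTS"
}

# swap_active -> success if any swap area is listed after the header line
swap_active() {
    awk 'NR > 1 && NF > 0 { found = 1 } END { exit !found }' "$SWAPS"
}

# audit_location PATH -> prints one verdict word
#   on-disk         : regular filesystem, contents persist across reboots
#   tmpfs-swappable : tmpfs (e.g. /dev/shm) while swap is active
#   ram-only        : tmpfs with no active swap, or ramfs (never swapped)
audit_location() {
    case "$(fs_type "$1")" in
        tmpfs)
            if swap_active; then echo "tmpfs-swappable"
            else echo "ram-only"; fi ;;
        ramfs) echo "ram-only" ;;
        *)     echo "on-disk" ;;
    esac
}

# Stand-alone use: ./audit.sh /dev/shm/creds/cifs   (path is a placeholder)
if [ $# -gt 0 ]; then audit_location "$1"; fi
```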

bodhi.zazen
July 30th, 2011, 09:47 PM
If you are going to be that paranoid, encrypt the entire installation.

r.darwish
July 31st, 2011, 06:03 AM
Is it possible to do so after the system has already been installed? Can I only encrypt root's home folder which actually contains the passwords?

bodhi.zazen
July 31st, 2011, 02:51 PM
No, you would need to re-install.