12

I would like to mount a CIFS network filesystem with samba on my Arch Linux system. I would like to mount this filesystem whenever I log in (either through ssh, a TTY, or through KDM).

I can get pretty close to what I want by adding the network share to /etc/fstab. The biggest "problem" is that this requires either hard coding my password into /etc/fstab or creating a credentials file with my username and password. It seems unsafe to me to keep my username and password in a plain text file even if I set the permissions to 600.

Is there a "proper" way to securely automount a network share? Can I do this with PAM (my username and password are the same on both machines) and if so how?

slm
StrongBad
  • Have you looked at pam_cifs? "pam_cifs is a Linux-PAM module to mount and unmount CIFS shares on login on a per-user basis" – user Jul 08 '13 at 11:43
  • Or pam_mount, I have no specific experience, but it looks designed to do this. – EightBitTony Jul 08 '13 at 11:43
  • @EightBitTony finding pam_mount led me to ask the question, I am hoping someone might be able to tell me more definitively if it is the way to go and if so how. – StrongBad Jul 08 '13 at 12:06

3 Answers

12

Method #1 - /etc/fstab

I realize you're looking for alternatives to this but here's specifically how to get your credentials out of the /etc/fstab file:

//WindowsHost/Sharename /LocalMountPoint cifs credentials=/etc/cifsauth 0 0

Then in the file /etc/cifsauth:

username=someuser
password=somepass

Make this file's permissions 600, i.e. chmod 600 /etc/cifsauth.

Method #2 - pam_mount

You can install pam_mount and then set up a generic mount for all users that log in, such as this:

# /etc/security/pam_mount.conf.xml
<debug enable="1" />
<volume server="server" path="music" mountpoint="~/MyMusicFolder" options="cred=/home/%(USER)/.Music.cred" />

This method still has the same problem as method #1, where the credentials are stored in a file, /home/%(USER)/.Music.cred. This is the same type of credential file as in the first method, so make sure the permissions are 600 as well.

Method #3 - use gvfs-mount

This U&L Q&A titled "Can I automate mounting a cifs share without storing my password in plaintext?" contains an answer by @Gilles which describes using the GNOME Keyring to retain your CIFS credentials.

You can then access the CIFS shares using GVFS - GNOME Virtual File System - like this:

$ gvfs-mount smb://username\;workgroupname@hostname/sharename

This will map the share from hostname called sharename and mount it under $HOME/.vfs/sharename on hostname. You can't control this in any way. It's hardcoded to always be mounted here, I've looked!

You can, however, create links to these mounts, which is what I do so that I can access shares that I have mounted. The use of .gvfs was unfortunate because some tools do not list dot directories when browsing files, so often the link I've created is the only way to access these shares.

slm
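An added example, not part of the original answer: a Python audit that reads fstab CIFS lines and pam_mount <volume> options like those in Methods #1 and #2, and reports inline passwords and credentials files that are missing or readable by group or others. The function names, the temporary file paths and the second volume are constructed for illustration, and the sample wraps the volumes in the <pam_mount> root element.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def parse_opts(optstr):
    """Split a comma-separated mount option string into a dict."""
    return dict(o.partition("=")[::2] for o in optstr.split(",") if o)

def mount_options(fstab_text, pam_mount_xml, user):
    """Yield (origin, options) for fstab CIFS lines and pam_mount volumes."""
    for line in fstab_text.splitlines():
        f = line.split()
        if len(f) >= 4 and not f[0].startswith("#") and f[2] == "cifs":
            yield "fstab:" + f[1], parse_opts(f[3])
    for vol in ET.fromstring(pam_mount_xml).iter("volume"):
        opts = vol.get("options", "").replace("%(USER)", user)
        yield "pam_mount:" + vol.get("mountpoint", "?"), parse_opts(opts)

def audit(fstab_text, pam_mount_xml, user):
    """Report where each mount keeps its CIFS password on disk, if anywhere."""
    findings = []
    for origin, opts in mount_options(fstab_text, pam_mount_xml, user):
        if "password" in opts or "pass" in opts:
            findings.append((origin, "password stored inline"))
        cred = opts.get("credentials") or opts.get("cred")
        if cred and not os.path.exists(cred):
            findings.append((origin, cred + " is missing"))
        elif cred and os.stat(cred).st_mode & 0o077:  # group/other bits set
            findings.append((origin, "%s mode %o, want 600"
                             % (cred, os.stat(cred).st_mode & 0o777)))
    return findings

def demo():
    """Constructed sample: one loose file, one tight file, one file-less volume."""
    d = tempfile.mkdtemp()
    loose, tight = os.path.join(d, "cifsauth"), os.path.join(d, ".Music.cred")
    for path, mode in ((loose, 0o644), (tight, 0o600)):
        with open(path, "w") as fh:
            fh.write("username=someuser\npassword=somepass\n")
        os.chmod(path, mode)
    fstab = "//WindowsHost/Sharename /LocalMountPoint cifs credentials=%s 0 0\n" % loose
    xml = ('<pam_mount><volume server="server" path="music" '
           'mountpoint="~/MyMusicFolder" options="cred=%s" />'
           '<volume user="someuser" fstype="auto" path="//srv/share" '
           'mountpoint="/mnt/share" options="username=someuser" /></pam_mount>' % tight)
    return audit(fstab, xml, "someuser")

if __name__ == "__main__":
    print(demo())
```

A volume whose options carry no cred=, credentials= or password= entry produces no finding, since nothing is written to disk for it.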
4

It turns out that pam_mount is the way to go. You add the network share to /etc/security/pam_mount.conf.xml:

<volume user="yourUserName" fstype="auto" path="//path/to/the/network/share" mountpoint="/path/to/the/mount/point" options="username=yourUserName" />
<mkmountpoint enable="1" remove="true" />

It should be theoretically possible to use the %(USER), %(USERUID), and %(USERGID) variables to make it a general mount, but I couldn't get that part to work on Arch Linux. You also need to configure your system to use pam_mount. You need to modify both /etc/pam.d/system-auth and your corresponding login-manager. For KDM it is /etc/pam.d/kde. The modifications basically involve adding optional pam_mount.so to every section of both files, but the exact details are tricky since the ordering matters. I followed the Arch Wiki.

With this setup and the same username/password on the server and my machine I can auto mount without saving a credentials file anywhere.

StrongBad
  • This is good... As a matter of principle I would prefer the fstab solution - I dislike pam and the rest, personally, and I have noticed they have a tendency to creep in ever further to system config - but this definitely answers the question. Can I ask though why you are so opposed to storing credentials? User permissions and/or file ownership/encryption should be more than enough there. On some systems you can even store such information in firmware vars that are only accessible after authentication. ssh stores credentials based on fs permissions, for example, doesn't it? – mikeserv Dec 28 '14 at 19:55
  • 1
    @mikeserv we use a single login system, so a sys admin who has root access to the machine with my credentials file may not have root access to all servers for which my password gains me access. – StrongBad Dec 28 '14 at 20:10
1

You can use pam_mount without having to keep credentials in plaintext. It does require the credentials on the file server to be the same as your username/password on the system you're logging into.

Good example here: https://wiki.ubuntu.com/MountWindowsSharesPermanently

Basically:

  1. Install libpam-mount: sudo apt-get install libpam-mount
  2. Edit /etc/security/pam_mount.conf.xml to remove the commenting tags (<!-- and -->) surrounding the section called <luserconf name=".pam_mount.conf.xml" />. Save the file when done. This allows you to use user-specific pam_mount.conf files.
  3. Create their own ~/.pam_mount.conf.xml and add the following:
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
    <volume options="uid=%(USER),gid=100,dmask=0700" user="*" mountpoint="/media/windowsshare" path="sharename" server="servername" fstype="cifs" />
</pam_mount>
Chris Davies