Secure CIFS Mounting: How to Store Authentication Credentials Outside of /etc/fstab

When mounting CIFS shares via /etc/fstab, we often face a security dilemma. While convenient, storing plaintext credentials in this system-wide configuration file poses risks:

//server/share /mnt/share cifs username=user,password=pass,uid=1000,gid=1000 0 0

The main issues are:

  • World-readable permissions (typically 644)
  • Credentials exposed to all users
  • No easy way to restrict access

The most secure approach is using a dedicated credentials file:

//server/share /mnt/share cifs credentials=/etc/cifs-credentials/share.cred,uid=1000,gid=1000 0 0

Create the credentials directory and file with restricted permissions (the directory must exist before the file can be created):

sudo mkdir -p /etc/cifs-credentials
sudo touch /etc/cifs-credentials/share.cred
sudo chmod 600 /etc/cifs-credentials/share.cred

File contents should look like this (add the domain= line only if applicable):

username=your_username
password=your_password
domain=your_domain

For more dynamic setups, consider a systemd mount unit; it references the same credentials file instead of an fstab line:

# /etc/systemd/system/mnt-share.mount (the unit name must match the Where= path)
[Unit]
Description=Mount CIFS Share
Requires=network-online.target
After=network-online.target

[Mount]
What=//server/share
Where=/mnt/share
Type=cifs
Options=credentials=/etc/cifs-credentials/share.cred,uid=1000,gid=1000

[Install]
WantedBy=multi-user.target

Whichever method you use, harden the credential files themselves:

  • Use separate credential files per share
  • Set strict ownership (root:root)
  • Consider using keytab files for Kerberos authentication
  • Regularly rotate credentials
  • Audit access to credential files

If mounts fail, check:

sudo mount -v -a
journalctl -xe

Common problems include:

  • Incorrect file permissions
  • Network connectivity issues
  • DNS resolution failures
  • Expired credentials

When mounting CIFS shares via /etc/fstab, embedding credentials directly in the file poses security risks. The fstab file typically requires world-readable permissions (644), meaning any user on the system could potentially view your sensitive credentials.

//server/share  /mnt/share  cifs  username=admin,password=secret123,uid=1000,gid=1000  0  0

mount.cifs supports the credentials= option, which reads the authentication details from a separate file. That file can be locked down with strict permissions (600) while fstab itself stays world-readable.

1. Create a credentials file:

sudo mkdir /etc/secure
sudo nano /etc/secure/smb.credentials

2. Add your credentials (example format):

username=fileshare_user
password=ComplexP@ssw0rd!
domain=WORKGROUP

3. Set proper permissions:

sudo chmod 600 /etc/secure/smb.credentials
sudo chown root:root /etc/secure/smb.credentials

Update your fstab entry to reference the credentials file:

//server/share  /mnt/share  cifs  credentials=/etc/secure/smb.credentials,uid=1000,gid=1000,file_mode=0664,dir_mode=0775  0  0

For more complex setups, you can use multiple credential files for different shares:

//server1/docs  /mnt/docs  cifs  credentials=/etc/secure/docs.credentials,noperm  0  0
//server2/media  /mnt/media  cifs  credentials=/etc/secure/media.credentials,vers=3.0  0  0

Before rebooting, test your mount:

sudo mount -a
mount | grep cifs

Common issues to check:

- Verify credential file permissions (must be 600)
- Ensure correct ownership (root:root recommended)
- Check for typos in the credentials file
- Verify network connectivity to the share
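The permission and ownership checks in the list above, and the "audit access to credential files" recommendation earlier on this page, can be scripted. The following POSIX sh helper is an added example, not part of the original article: it reads an fstab-style file, flags cifs entries that still carry an inline password= option, and checks each credentials= file for existence, mode 600 (or 400) and ownership. The CRED_OWNER override variable and GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper, not from the original article. Scans an fstab-style
# file for CIFS entries, flags inline password= options, and checks that each
# credentials= file exists, is mode 600 (or 400) and is owned by $CRED_OWNER
# (default root). Assumes GNU stat (-c). Findings go to stderr; the count is
# printed to stdout and the exit status is non-zero when anything was found.
check_cred_file() {
    f="$1"
    want_owner="${CRED_OWNER:-root}"
    if [ ! -f "$f" ]; then
        echo "MISSING     $f" >&2; return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "WEAK_MODE   $f (mode $mode, want 600)" >&2; return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "WRONG_OWNER $f (owner $owner, want $want_owner)" >&2; return 1
    fi
    return 0
}

audit_fstab() {
    findings=0
    # fstab fields: what where type options dump pass
    while read -r what where type opts rest; do
        case "$what" in ''|'#'*) continue ;; esac
        [ "$type" = "cifs" ] || continue
        # a password typed straight into fstab is readable by every local user
        case ",$opts," in
            *,password=*|*,pass=*)
                echo "INLINE_PASSWORD $what on $where" >&2
                findings=$((findings + 1)) ;;
        esac
        # mount.cifs accepts both credentials= and cred= for the file path
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' |
               sed -n -e 's/^credentials=//p' -e 's/^cred=//p' | head -n 1)
        if [ -n "$cred" ]; then
            check_cred_file "$cred" || findings=$((findings + 1))
        fi
    done < "$1"
    echo "$findings"
    [ "$findings" -eq 0 ]
}

# Usage: sh cifs-cred-audit.sh /etc/fstab
if [ -n "${1:-}" ]; then audit_fstab "$1"; fi
```

Run it as root against /etc/fstab; a non-zero exit status means at least one entry needs attention.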

For systems with systemd, you can use automount units, which mount the share on first access and unmount it again after TimeoutIdleSec of inactivity:

# /etc/systemd/system/mnt-share.automount
[Unit]
Description=Automount SMB Share

[Automount]
Where=/mnt/share
TimeoutIdleSec=30

[Install]
WantedBy=multi-user.target

Then create the corresponding mount unit (it needs no [Install] section, because the automount unit activates it on first access):

# /etc/systemd/system/mnt-share.mount
[Unit]
Description=Mount SMB Share

[Mount]
What=//server/share
Where=/mnt/share
Type=cifs
Options=credentials=/etc/secure/smb.credentials,uid=1000