cifscreds
Manage credentials for CIFS/SMB file shares
SYNOPSIS
cifscreds add <host> <user> [-p <password>] [-d <domain>]
cifscreds update <host> <user> [-p <password>] [-d <domain>]
cifscreds clear <host> <user>
cifscreds list
cifscreds delete <host> <user>
PARAMETERS
add
Adds a new CIFS credential to the kernel keyring.
update
Updates an existing CIFS credential for the specified host and user.
clear
Clears the password associated with a specific host and user in the keyring. The entry remains but without a password.
list
Lists all CIFS credentials currently stored in the keyring, including host, user, and password (if available).
delete
Deletes a specific CIFS credential entry entirely from the keyring.
<host>
The target CIFS server hostname or IP address.
<user>
The username for authentication on the CIFS server.
-p <password>
Specifies the password for the given user. If omitted, the command will prompt securely for the password.
-d <domain>
Specifies the domain name for the user's account.
DESCRIPTION
cifscreds is a utility designed to manage CIFS/SMB authentication credentials within the Linux kernel's keyring service. It allows users to store, retrieve, update, and clear usernames, passwords, and domains associated with specific CIFS hosts.
By leveraging the kernel keyring, cifscreds offers a more secure method for handling sensitive login information compared to traditional plain-text credential files or passing passwords directly on the command line. This stored information can then be securely accessed by CIFS client utilities like mount.cifs(8) through specific options, such as creds=<key_id> or credentials=<key_id>. This prevents sensitive data from being exposed in process listings or command history, enhancing system security for network file system mounts. It specifically manages keys of type "cifs" in the user's or session keyring.
CAVEATS
While cifscreds enhances security by using the kernel keyring, listing credentials with cifscreds list will display passwords in plain text on the terminal. Users should be aware of terminal logging and shoulder-surfing risks. Credentials stored are typically tied to the user's session or specific user keyring, meaning they might not persist across reboots unless managed by a system-wide keyring service.
KEYRING INTEGRATION WITH MOUNT.CIFS
To utilize credentials stored by cifscreds with mount.cifs, you can specify the creds or credentials mount option with the key ID of the stored credential. For example, mount -t cifs //server/share /mnt/point -o credentials=<key_id>. The key ID can be obtained from the cifscreds list output.
PASSWORD PROMPT
If the -p or --password option is not provided when adding or updating credentials, cifscreds will securely prompt the user for the password, preventing it from appearing in command history or process lists.
HISTORY
The cifscreds utility is part of the cifs-utils package, which provides various tools for interacting with CIFS/SMB network shares on Linux. It was introduced to address the need for a more secure and convenient way to manage authentication credentials for mount.cifs operations, moving away from less secure methods like storing passwords directly in fstab or on the command line. Its development reflects the ongoing effort to improve security and usability of network file system clients in Linux.
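An added example, not part of cifs-utils or the original page: a small shell audit that finds the fstab entries still carrying the inline passwords described above, so they can be moved to stored credentials. It assumes the mount.cifs options password= and pass= and the older user%password username form; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: flag CIFS fstab entries that embed a password inline.
# Reads fstab-format text on stdin and prints "<lineno>:<mountpoint>:<reason>".

audit_cifs_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $3 != "cifs" && $3 != "smb3" { next }    # only CIFS/SMB mounts
    {
        n = split($4, opts, ",")             # field 4 holds the mount options
        for (i = 1; i <= n; i++) {
            key = opts[i]; val = ""
            eq = index(opts[i], "=")
            if (eq > 0) {
                key = substr(opts[i], 1, eq - 1)
                val = substr(opts[i], eq + 1)
            }
            if (key == "password" || key == "pass")
                printf "%d:%s:inline-password\n", NR, $2
            else if ((key == "username" || key == "user") && index(val, "%") > 0)
                printf "%d:%s:password-in-username\n", NR, $2
        }
    }'
}

# Constructed sample input: hosts, users and secrets are made up.
sample_fstab() {
    cat <<'EOF'
# constructed example fstab
//fs1.example.test/data  /mnt/data  cifs  username=alice,password=Example123,uid=1000  0 0
//fs2.example.test/home  /mnt/home  cifs  credentials=/etc/cifs-alice.cred,uid=1000    0 0
//fs3.example.test/pub   /mnt/pub   cifs  user=bob%Example456,ro                       0 0
UUID=0000-0000           /boot      vfat  defaults                                    0 2
EOF
}

sample_fstab | audit_cifs_fstab
```

To audit a real system, feed the function the actual file: audit_cifs_fstab < /etc/fstab.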
SEE ALSO
mount.cifs(8), keyctl(1), smbclient(1)