Reversible encryption of Universal Password is required for convenient interoperation with other password systems. Administrators must evaluate the costs and benefits of the system. Using a Universal Password stored in eDirectory might be more secure or convenient than attempting to manage several passwords.
A Universal Password in eDirectory is protected by three levels of security: triple DES encryption of the password itself, eDirectory rights, and file system rights.
The Universal Password is encrypted by a triple DES, user-specific key. Both the Universal Password and the user key are stored in system attributes that only eDirectory can read. The user key (3DES) is stored encrypted with the tree key, and the tree key is protected by a unique NICI key on each machine. Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect. The tree key is present on each machine within a tree, but each tree has a different tree key, so data encrypted with the tree key can be recovered only on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.
Each key is also secured via eDirectory rights. Only administrators with the Supervisor right or the users themselves have the rights to change Universal Passwords.
NOTE: The password policy can be configured to allow Universal Password to be read by administrators, and to allow users to read their own passwords, using the NMAS/nds-cluster-config extensions. This is not enabled by default.
File system rights ensure that only a user with the proper rights can access keys.
If Universal Password is deployed in an environment requiring high security, you can take the following additional precautions:
Make sure that the following directories and files are secure:
Windows:
    \system32\novell\nici
    \system32\ (where the NICI DLL is installed)

Linux/Unix:
    /var/novell/nici
    /etc/nici.cfg
    /usr/local/lib/libccs2.so and the NICI shared libraries in the same directory

    On LSB-compliant systems, make sure the following directories are also secure:
    /var/opt/novell/nici
    /etc/opt/novell
    /opt/novell/lib
Consult the documentation for your system for specific details of the location of NICI and eDirectory files.
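As an added example (not part of the Novell documentation), the following POSIX shell script audits the Linux/Unix paths listed above. It assumes GNU stat, that the NICI key directories should be reachable by root only, and that the configuration file and libraries need only be root-owned and not writable by group or others.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): audit ownership and
# permission bits of the NICI/eDirectory paths listed above on Linux/Unix.
# Assumption: key stores are root-only (strict mode); libraries and config
# are root-owned and not group/other writable (relaxed mode). Needs GNU stat.

# Owner every path is expected to have; overridable via NICI_OWNER for testing.
EXPECTED_OWNER="${NICI_OWNER:-root}"

# check_path_secure PATH STRICT
#   STRICT=1: no group/other bits at all; STRICT=0: no group/other write bit.
# Returns 0 if PATH passes, 1 if it is weak, 2 if it does not exist.
check_path_secure() {
    p="$1"; strict="${2:-1}"
    if [ ! -e "$p" ]; then
        echo "MISSING $p"; return 2
    fi
    mode=$(stat -c '%a' "$p")              # octal mode, e.g. 700 or 4755
    owner=$(stat -c '%U' "$p")
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "FAIL $p: owner $owner, expected $EXPECTED_OWNER"; return 1
    fi
    go_bits=$(printf '%03d' "$mode" | tail -c 2)   # group and other digits
    g=$(printf '%s' "$go_bits" | cut -c1)
    o=$(printf '%s' "$go_bits" | cut -c2)
    if [ "$strict" = 1 ] && [ "$go_bits" != "00" ]; then
        echo "FAIL $p: mode $mode grants group/other access"; return 1
    fi
    # Bit value 2 in each digit is the write permission.
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "FAIL $p: mode $mode is group/other writable"; return 1
    fi
    echo "OK   $p (mode $mode, owner $owner)"
}

# Walk the paths from the page: key directories strict, the rest relaxed.
audit_nici_paths() {
    rc=0
    for d in /var/novell/nici /var/opt/novell/nici; do
        check_path_secure "$d" 1 || rc=1
    done
    for f in /etc/nici.cfg /etc/opt/novell /usr/local/lib/libccs2.so /opt/novell/lib; do
        check_path_secure "$f" 0 || rc=1
    done
    return $rc
}
```

Run `audit_nici_paths` as root on the server; a non-zero exit means at least one path is missing, not root-owned, or more permissive than the mode assumed above.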
As with any security system, restricting physical access to the server where the keys reside is very important.
For security considerations relating to password management, see the Novell Modular Authentication Services 3.3 Administration Guide.