Password History

In the past, administrators have had to manage multiple passwords (simple password, NDS® password, enhanced password) because of password limitations. Administrators have also had to deal with keeping the passwords synchronized.

Universal Password was created to address these password problems. It provides:

Universal Password is managed by the Secure Password Manager (SPM), a component of the NMAS module (nmas.nlm on NetWare). SPM simplifies the management of password-based authentication schemes across a wide variety of Novell products as well as our partners' products. The management tools expose only one password and hide all of the behind-the-scenes processing done for backwards compatibility.

Secure Password Manager and the other components that manage or make use of Universal Password are installed as part of the NetWare 6.5 or later and eDirectory 8.7.1 install; however, Universal Password is disabled by default. Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

NOTE:  The Password Management plug-in is available for download at the Novell Free Download Site. Select Nsure Identity Manager as the product and click Submit Search. The Password Management plug-in is listed on this page. It requires eDirectory 8.7.3 and iManager 2.02.

The Novell Client supports the Universal Password. It will also continue to support the NDS password for older systems in the network. The Novell Client has the capability of automatically upgrading to the new Password from the NDS password.


How Secure is Universal Password?

Reversible encryption of Universal Password is required for convenient interoperation with other password systems, so administrators have to evaluate the costs and benefits of the system. Using a single copy of the Universal Password stored in eDirectory may be more secure and/or convenient than attempting to manage several different passwords. Novell provides several levels of security to make sure Universal Password is protected while stored in eDirectory.

A Universal Password is protected by three levels of security: triple DES encryption of the password itself, eDirectory rights, and file system rights.

The Universal Password is encrypted by a triple DES, user-specific key. Both the Universal Password and the user key are flagged with a hidden attribute that only eDirectory can read. The user key (3DES) is stored encrypted with the tree key and the tree key is protected by a unique NICI key on each machine. (Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect.) The tree key is present on each machine within a tree, but each tree has a different tree key. So, data encrypted with the tree key can only be recovered on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.

Each key is also secured via eDirectory rights. Only the administrators with supervisor rights or the user themselves have the rights to change Universal Passwords.

File system rights ensure that only a user with the proper rights can access these files.

If Universal Password is deployed in an environment requiring high security, you can take the following precautions:

  1. Make sure that the following directories and files are secure:

    NetWare

    %system32%\novell\nici

    Windows

    %system32%\novell\nici

    %system32% where the NICI DLL is installed

    Linux/Unix

    /var/novell/nici

    /etc/nici.cfg

    /usr/local/lib/libccs2.so and the NICI shared libraries in the same directory

    On LSB-compliant systems:

    The above mentioned directories and files as well as

    /var/opt/novell/nici

    /etc/opt/novell

    /opt/novell/lib

    Consult the documentation for your system for specific details of the location of NICI and eDirectory files.

  2. As with any security system, restricting physical access to the server where the keys reside is very important.
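
One way to check precaution 1 on a Linux/Unix server is sketched below. This is an added example, not a Novell tool: the function name audit_nici, the AUDIT_NICI switch, and the policy it enforces (a single expected owner, nothing writable by group or other) are assumptions; only the paths come from the list above.

```shell
#!/bin/sh
# Added example: permission audit for the Linux/Unix NICI locations on this page.
# Assumed policy (not stated on the page): every entry is owned by one expected
# account and is not writable by group or other. Adjust to your site's baseline.

# Paths from the page, including the LSB-compliant locations.
NICI_PATHS="/var/novell/nici /etc/nici.cfg /usr/local/lib/libccs2.so
/var/opt/novell/nici /etc/opt/novell /opt/novell/lib"

# audit_nici ROOT OWNER
#   ROOT   prefix for every path: "" on a live host, a scratch dir in tests
#   OWNER  user name or numeric uid expected to own every entry
# Prints "FINDING <reason> <path>" per problem; returns 1 if any were found.
audit_nici() {
    root=$1
    owner=$2
    rc=0
    for p in $NICI_PATHS; do
        target="$root$p"
        if [ ! -e "$target" ]; then
            echo "SKIP not present: $target"
            continue
        fi
        # -H resolves a top-level path that is itself a symlink; symlinks
        # below it are skipped because their own mode bits are meaningless.
        writable=$(find -H "$target" ! -type l \( -perm -020 -o -perm -002 \) -print)
        foreign=$(find -H "$target" ! -type l ! -user "$owner" -print)
        if [ -n "$writable" ]; then
            printf '%s\n' "$writable" | sed 's/^/FINDING group-or-world-writable /'
            rc=1
        fi
        if [ -n "$foreign" ]; then
            printf '%s\n' "$foreign" | sed 's/^/FINDING unexpected-owner /'
            rc=1
        fi
    done
    return $rc
}

# Live run (as root, so every directory can be read): AUDIT_NICI=1 sh audit.sh
if [ "${AUDIT_NICI:-0}" = 1 ]; then
    audit_nici "" root
fi
```

The script only reports; it changes nothing. Review each FINDING line against the NICI documentation for your platform before tightening a mode or owner.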