3.3 Password Protection

You should take measures to protect the passwords of both the Orchestrator Server and Orchestrator Agents by ensuring that only the user account of the Orchestrator Server (currently root or Administrator, by default) has access to the /store and /tls directories on the server, so that general users are prevented from obtaining the password.

Currently, ZENworks Orchestrator restricts file access on the server, but we recommend that you further restrict shell accounts on server machines for general users as a precaution.

For users, none of the Novell-provided client utilities stores the user-entered password to disk in either plain text or hashed form. However, temporary once-per-session credentials are stored to disk in the user's $HOME/.novell/zos/client directory. Theft of this session credential could allow someone else to take over that user session, but not to steal the user's password. Users can protect their logged-in session by making sure the permissions on either their home directory or the ~/.novell/zos/client directory are set to forbid both read and write access by other users.
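The permission check recommended above, as an added example that is not part of the Orchestrator documentation: a POSIX sh script that audits a directory (by default the session credential directory named above) for any group or other access bits and, if asked, tightens it to owner-only. The function names and the `go-rwx` policy are this example's own choices, not product behaviour.

```shell
#!/bin/sh
# Added example (not from the ZENworks Orchestrator documentation):
# audit a directory such as ~/.novell/zos/client so that group and
# other users have no read, write or execute access to it.

# Return 0 if only the owner has any access bits on DIR, 1 if any
# group/other bit is set, 2 if DIR does not exist. Parses the mode
# string from ls -ld so it behaves the same on GNU and BSD userlands.
dir_is_private() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # mode string looks like drwxr-xr-x; characters 5-10 are the
    # group and other permission bits
    mode=$(ls -ld "$dir" | cut -c1-10)
    others=$(printf '%s' "$mode" | cut -c5-10)
    case $others in
        ------) return 0 ;;
        *) echo "$dir is readable or writable by other users (mode $mode)" >&2
           return 1 ;;
    esac
}

# Tighten DIR and everything beneath it to owner-only access.
make_private() {
    dir=$1
    chmod 700 "$dir" || return 1
    find "$dir" -mindepth 1 -exec chmod go-rwx {} +
}

# Usage: sh check_private.sh [DIR]
# With an argument, report on that directory and tighten it if needed;
# the default target is the client credential directory.
if [ "$#" -gt 0 ]; then
    target=${1:-"$HOME/.novell/zos/client"}
    dir_is_private "$target" || { echo "tightening $target"; make_private "$target"; }
fi
```

Run it as `sh check_private.sh ~/.novell/zos/client` after logging in; a clean run prints nothing and exits 0. The script only ever removes permission bits, so it is safe to run repeatedly.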

Orchestrator Agents use the same authentication protocol and password hashing as users (agent passwords are stored to disk in hashed form, not plain text), with one exception: agent passwords are not salted, which is what allows the server to rename agents. Because agent passwords are not salted, we recommend that you generate and use random, non-mnemonic strings for agent passwords.