eDirectory Authentication


Authentication provides the doorway for access to network resources. Without a strong authentication mechanism, sensitive network resources are essentially laid bare for anyone to access. The primary authentication method currently used with eDirectory is the username/password combination. Novell Modular Authentication Service (NMAS) makes it possible to integrate more advanced authentication and authorization techniques into your OES environment. Furthermore, NMAS offers Universal Passwords, which improve the traditional password-based authentication method.

Novell Modular Authentication Service

NMAS is designed to help you protect information on your network. NMAS offers a more robust framework for protecting your OES Linux environment. If you're not familiar with the different components of NMAS, you should get to know the following concepts. More information about each of these is provided in the OES Linux online documentation.

PHASES OF OPERATION

There are specific times when NMAS can be useful in helping to secure your network environment:

  • User identification occurs prior to the actual authentication process. It provides a way to automatically gather a user's authentication information and use it to populate the Novell Login dialog in the Novell Client.

  • Authentication is the opportunity for users to prove they are who they claim to be. NMAS supports multiple authentication methods.

  • Device removal detection is the capability to lock down a workstation after authentication when it becomes clear that the user is no longer present.

Each of these phases of operation is completely independent. You can choose to use the same, or completely different, identification techniques for each phase. To provide this functionality, NMAS introduces a few additional concepts to eDirectory authentication:

  • Login factors

  • Login methods and sequences

  • Graded authentication

LOGIN FACTORS

NMAS uses three approaches to logging in to the network, known as login factors. These login factors describe different items or qualities a user can use to authenticate to the network:

  • Password authentication Also referred to as "something you know," password authentication is the traditional network authentication method. It still accounts for the lion's share of network authentication performed today, including LDAP authentication, browser-based authentication, and authentication to most other directories.

  • Device authentication Also referred to as "something you have," device authentication uses third-party tokens or smart cards to deliver the secret with which you authenticate to the network.

  • Biometric authentication Also referred to as "something you are," biometric authentication uses some sort of scanning device that converts some physical characteristic into a digital pattern that can be stored in eDirectory. When users attempt to authenticate, their biometric patterns are compared against the stored version to see if they match. Common biometric authentication methods include fingerprint readers, facial recognition, and retinal scans.

LOGIN METHODS AND SEQUENCES

A login method is a specific implementation of a login factor. Novell has partnered with several third parties to create a variety of options for each of the login factors described earlier in this chapter. A post-login method is a security process that is executed after a user has authenticated to eDirectory. One such post-login method is the workstation access method, which requires the user to provide credentials in order to unlock the workstation after a period of inactivity.

NOTE

With OES Linux, NMAS provides only the Challenge Response and NDS login methods. Additional methods can be downloaded from http://support.novell.com. Search the Knowledge Base for "NMAS Methods" for a link to the downloadable methods.


When you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.

GRADED AUTHENTICATION

Another important feature in NMAS is graded authentication, which allows you to grade, or control, access to the network based on the login methods used to authenticate to the network. Graded authentication operates in conjunction with standard eDirectory and file-system rights to provide very robust control over data access in an OES Linux environment.

There are three main elements to graded authentication:

  • Categories NMAS categories represent different levels of sensitivity and trust. You use categories to define security labels. There are three secrecy categories and three integrity categories by default: biometric, token, and password.

  • Security labels Security labels are combinations of categories that assign access requirements to NCP and NSS volumes and eDirectory objects and properties. NMAS provides the following eight security labels:

    • Biometric and password and token

    • Biometric and password

    • Biometric and token

    • Password and token

    • Biometric

    • Password

    • Token

    • Logged in

    NOTE

    The security labels visible in iManager are directly dependent on the login methods installed on the server. To see all possible labels, ensure that all login methods have been downloaded from http://support.novell.com and installed on the local server.


  • Clearances Clearances are assigned to users to represent the amount of trust you have in them. In the clearance, a read label specifies what a user can read and a write label specifies locations to which a user can write. Clearances are compared to security labels to determine whether a user has access. If a user's read clearance is equal to or greater than the security label assigned to the requested data, the user will be able to view the data.

By configuring these elements of graded authentication, you can greatly increase the security of your network data, and apply different types of security to data of different levels of sensitivity.
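The label-and-clearance comparison described above, as an added Python example; it is not code from the book or from Novell (NMAS performs this check inside eDirectory and iManager). Two readings are this example's assumptions: "equal to or greater than" is taken to mean that the clearance's category set contains every category the label requires (so labels such as Biometric and Password are incomparable and neither satisfies the other), and a session's effective clearance is taken to be the user's assigned clearance restricted to the categories the login methods actually used have earned.

```python
from dataclasses import dataclass

# The three default categories named on the page.
CATEGORIES = frozenset({"biometric", "token", "password"})

# The eight security labels from the page, each as the set of categories it requires.
# "Logged in" requires none, so any authenticated session satisfies it.
SECURITY_LABELS = {
    "Biometric and password and token": frozenset({"biometric", "password", "token"}),
    "Biometric and password": frozenset({"biometric", "password"}),
    "Biometric and token": frozenset({"biometric", "token"}),
    "Password and token": frozenset({"password", "token"}),
    "Biometric": frozenset({"biometric"}),
    "Password": frozenset({"password"}),
    "Token": frozenset({"token"}),
    "Logged in": frozenset(),
}


@dataclass(frozen=True)
class Clearance:
    """A clearance carries a read label and a write label (both category sets)."""
    read: frozenset
    write: frozenset


def label_from_methods(methods):
    """Categories earned by the login methods a session actually completed."""
    unknown = set(methods) - CATEGORIES
    if unknown:
        raise ValueError(f"unknown login factor(s): {sorted(unknown)}")
    return frozenset(methods)


def dominates(clearance_label, data_label):
    """Assumption: 'equal to or greater than' means the clearance label is a
    superset of the data label. Labels that are not subsets of each other
    (e.g. Biometric vs. Password) are incomparable, so neither grants the other."""
    return clearance_label >= data_label


def can_read(clearance, label_name):
    return dominates(clearance.read, SECURITY_LABELS[label_name])


def can_write(clearance, label_name):
    return dominates(clearance.write, SECURITY_LABELS[label_name])


def session_clearance(assigned, methods_used):
    """Assumption: the clearance in force for a session is the user's assigned
    clearance capped by what the session proved. A user cleared for
    'Biometric and password' who logged in with a password alone only earns
    the password category until the biometric method is also completed."""
    earned = label_from_methods(methods_used)
    return Clearance(read=assigned.read & earned, write=assigned.write & earned)


if __name__ == "__main__":
    analyst = Clearance(read=SECURITY_LABELS["Biometric and password"],
                        write=SECURITY_LABELS["Password"])
    session = session_clearance(analyst, ["password"])
    for label in SECURITY_LABELS:
        print(f"{label:35} read={can_read(session, label)!s:5} write={can_write(session, label)}")
```

Running the script prints, for a user cleared to read "Biometric and password" data who logged in with a password only, that the session can read and write "Password" and "Logged in" data but nothing labelled with biometric or token, which is the point of grading access by the method actually used.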

UNIVERSAL PASSWORD

The final NMAS component that merits discussion is Universal Password. One of the many strong points of OES Linux is the ability to integrate user accounts for multiple services into one centralized eDirectory account. Although this sounds straightforward enough, there are several behind-the-scenes components used in making these services integrate well. Perhaps the best example of this is the situation surrounding user passwords.

Most network services have some native method of storing user accounts and authenticating users before providing access. Often these services are created with specific password requirements and encryption methods in mind. With OES Linux, user accounts in eDirectory must be configured in such a way as to provide account authentication using whatever method the specific service requires. In the past this has meant a specific password for each type of password encryption method used by these services. Although this does work, the obvious problem is how to keep all passwords in sync, should one of the stored passwords be modified. OES Linux resolves this concern through Universal Password.

Universal Password was created to address two general needs:

  • Unified password for eDirectory access Universal Password provides for a single, centralized password store for each user. If additional access methods requiring older-style passwords are in use, Universal Password synchronizes those password stores to ensure that a single password is used for each user.

  • Increased password security Universal Password brings advanced Password Policies to eDirectory. These policies provide password structure requirements to eDirectory. Possible requirements include such things as a minimum and maximum number of numeric and special characters, required password length, and blocking of specific words for passwords.

In addressing those needs, Universal Password has become the ideal method of providing authentication services to multiple network services. With OES Linux, Universal Password is required in order to ensure that users have a single password across all possible access methods. One example of where this requirement is particularly useful is with the Samba integration components.

Universal Password is managed via iManager. Although it's fully functional with default installations of OES Linux, you may want to alter its configuration to suit your specific password requirements. The following steps describe the process used to create new password policies or modify the default Universal Password configuration, as shown in Figure 8.3.

1.

Launch iManager. In the Navigation frame, open the Passwords category and select Password Policies.

2.

At this point, you can select the existing Samba Default Password Policy, or you can choose to create a new password policy. For the purpose of these instructions, ensure that the existing Samba Default Password Policy is selected and click Edit.

3.

Select the Universal Password tab, then the Configuration Options subpage. This page displays the following options for Universal Password:

  • Enable Universal Password This check box is used to enable or disable Universal Password. If Samba services are going to be offered on this OES Linux server, this setting should be enabled.

    NOTE

    When Universal Passwords are enabled, it is recommended that users change their password through the iManager self-service console, or the latest version of the Novell Client. Other utilities can be used to change user passwords, but only these utilities actually display the advanced password requirements set with Universal Password.

  • Enable the Advanced Password Rules This option is used to enable advanced rules that govern the creation of passwords. This is generally a welcome addition with Universal Password and is normally enabled.

  • Remove the NDS Password When Setting Universal Password This option is used to disable access from older Novell clients that do not recognize NMAS authentication methods. This is generally used to ensure that the advanced password rules of Universal Password are enforced.

  • Synchronize NDS Password When Setting Universal Password This option is used to synchronize the user's NDS password with the Universal Password during password changes. This option is normally enabled.

  • Synchronize Simple Password When Setting Universal Password This option is used to synchronize the user's simple password during password changes. If Samba services are going to be offered on this OES Linux server, this setting should be enabled.

  • Synchronize Distribution Password When Setting Universal Password This option is used to synchronize the distribution password used by the DirXML engine with the Universal Password during password changes.

  • Allow User Agent to Retrieve Password This option is used when users access the Forgotten Password Self-Service feature of iManager. If this option is enabled, the user's password can be emailed to the user for retrieval.

  • Verify Whether Existing Passwords Comply with the Password Policy This option is used to enforce new password requirements for existing users. Users authenticating via NMAS-aware utilities will be notified if their passwords do not meet the password criteria. Users must change their password at that point.

4.

After configuring the main Universal Password options, it is now time to configure the password requirements. Select the Advanced Password Rules subpage. This page displays the following categories and options for password requirements:

  • Change Password This category has two check boxes used to determine whether users are allowed to change the password associated with their User object and whether unique passwords are required. If unique passwords are required, eDirectory tracks the specified number of recently used passwords with this account and prevents the user from reusing old passwords.

  • Password Lifetime This category has two options used to determine the number of days before users are allowed to change their password, and when a password's lifetime has been exceeded and must be changed. If passwords are set to expire, the number of grace logins allowed is also set here.

  • Password Length This category contains two options used to specify the minimum and maximum number of characters within passwords.

  • Repeating Characters This category contains three options used to determine the minimum number of unique characters, as well as the maximum number of times a character can be used or repeated.

  • Case Sensitive This category is used to determine the minimum and maximum number of upper- and lowercase letters used in password creation.

  • Numeric Characters This category is used to determine whether or not numeric characters are allowed in passwords. If numeric characters are allowed, they can be disabled as the first or last character in a password. The minimum and maximum number of numeric characters is also set here.

  • Special Characters This category is used to determine whether or not special characters are allowed in passwords. Special characters are defined as characters that are not numeric or alphabetic. If special characters are allowed, they can be disabled as the first or last character in a password. The minimum and maximum number of special characters is also set here.

  • Password Exclusions This category has one option used to list words that cannot be used for passwords. Commonly used passwords should be entered in this field. It is important to note that this is not intended to store a long list of words to prevent such things as dictionary attacks. A lengthy list of words would degrade server performance, and the same objective can be accomplished through requiring at least one numeric character.

5.

After you configure the Advanced Password Rules, the Password Policy must be assigned to users or containers within eDirectory. Select the Password Policy subpage to make the assignment. On this page, select individual users, or the container that holds users you want to assign the password policy to. By default, newly created Samba users are automatically assigned to the Samba Default Password Policy. Click OK to complete the operation.

Figure 8.3. Advanced Password Rules page in iManager.


After you complete the configuration of Universal Password, new users in the container assigned to the password policy will automatically start using Universal Password. Existing users must have their Universal Password set in iManager, or they must change their password before being completely configured with a Universal Password.
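The Advanced Password Rules categories from step 4, as an added Python example of what a policy with those settings accepts and rejects; this is not code from the book or from Novell, and eDirectory enforces its policies internally rather than through anything like this. The rule values in PasswordRules are this example's own choices, and three interpretations are assumptions: "maximum number of times a character can be used or repeated" is read as two limits (total uses of any one character and consecutive uses), Password Exclusions are matched as case-insensitive substrings, and the unique-password history is kept as SHA-256 fingerprints here only because the page does not say how eDirectory stores it.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class PasswordRules:
    """One Advanced Password Rules configuration; the values are this example's choices."""
    # Password Length
    min_length: int = 8
    max_length: int = 64
    # Repeating Characters (assumption: two limits, total uses and consecutive uses)
    min_unique_chars: int = 4
    max_char_occurrences: int = 3
    max_consecutive_repeats: int = 2
    # Case Sensitive
    min_upper: int = 1
    max_upper: int = 64
    min_lower: int = 1
    max_lower: int = 64
    # Numeric Characters
    allow_numeric: bool = True
    numeric_first_allowed: bool = False
    numeric_last_allowed: bool = False
    min_numeric: int = 1
    max_numeric: int = 64
    # Special Characters: anything neither alphabetic nor numeric (the page's definition)
    allow_special: bool = True
    special_first_allowed: bool = True
    special_last_allowed: bool = True
    min_special: int = 0
    max_special: int = 64
    # Password Exclusions and the unique-password history from Change Password
    excluded_words: tuple = ("password", "novell", "welcome")
    history_depth: int = 5


def password_fingerprint(pw):
    """Fingerprint for the demo's history list only (assumption; not eDirectory's format)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, rules, history=()):
    """Evaluate pw against rules; returns a list of violations ([] means it complies).
    history holds fingerprints of the user's previous passwords, newest first."""
    problems = []
    n = len(pw)
    if n < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    if n > rules.max_length:
        problems.append(f"longer than {rules.max_length} characters")
    # Repeating Characters
    if len(set(pw)) < rules.min_unique_chars:
        problems.append(f"fewer than {rules.min_unique_chars} unique characters")
    if pw and max(pw.count(c) for c in set(pw)) > rules.max_char_occurrences:
        problems.append(f"a character is used more than {rules.max_char_occurrences} times")
    longest_run = max((len(m.group()) for m in re.finditer(r"(.)\1*", pw)), default=0)
    if longest_run > rules.max_consecutive_repeats:
        problems.append(f"a character is repeated more than {rules.max_consecutive_repeats} times in a row")
    # Case Sensitive
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    if not rules.min_upper <= upper <= rules.max_upper:
        problems.append(f"uppercase letters must number between {rules.min_upper} and {rules.max_upper}")
    if not rules.min_lower <= lower <= rules.max_lower:
        problems.append(f"lowercase letters must number between {rules.min_lower} and {rules.max_lower}")
    # Numeric Characters and Special Characters have the same shape of rule
    digits = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    for kind, count, allowed, first_ok, last_ok, lo, hi, is_kind in (
        ("numeric", digits, rules.allow_numeric, rules.numeric_first_allowed,
         rules.numeric_last_allowed, rules.min_numeric, rules.max_numeric, str.isdigit),
        ("special", special, rules.allow_special, rules.special_first_allowed,
         rules.special_last_allowed, rules.min_special, rules.max_special,
         lambda c: not c.isalnum()),
    ):
        if not allowed:
            if count:
                problems.append(f"{kind} characters are not allowed")
            continue
        if not lo <= count <= hi:
            problems.append(f"{kind} characters must number between {lo} and {hi}")
        if pw and is_kind(pw[0]) and not first_ok:
            problems.append(f"a {kind} character may not be the first character")
        if pw and is_kind(pw[-1]) and not last_ok:
            problems.append(f"a {kind} character may not be the last character")
    # Password Exclusions (assumption: case-insensitive substring match)
    lowered = pw.lower()
    for word in rules.excluded_words:
        if word.lower() in lowered:
            problems.append(f"contains the excluded word '{word}'")
    # Change Password: unique passwords within the tracked history depth
    if password_fingerprint(pw) in history[:rules.history_depth]:
        problems.append(f"reuses one of the last {rules.history_depth} passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x", "Tr0ub4dor&3", "Password123", "aaaaaaaa1"):
        print(candidate, "->", check_password(candidate, PasswordRules()) or "complies")
```

The order of the checks mirrors the order of the categories on the Advanced Password Rules page, and every violated rule is reported rather than stopping at the first one, which is what a user changing a password through an NMAS-aware utility needs to see.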

NOTE

More information on Universal Password is available through the online documentation for NMAS.


Installing NMAS

NMAS requires both server- and client-side software in order to perform its authentication services. Installation of the NMAS client happens during the installation of the Novell Client, and is described in Chapter 4, "OES Linux Clients." On the server, NMAS is one of the default services and will be installed automatically with Novell eDirectory.

In order to use NMAS, several configuration options must be set, depending on your specific environment and needs. Server-side configuration is available through iManager. When the NMAS server options are configured, you can then configure the NMAS client to leverage NMAS capabilities. Generally, the process involves the following:

  • Create a login sequence This process identifies the specific login methods that will be used for login and post-login operations, and the order in which they will be applied if multiple login methods are specified.

  • Assign a login sequence to a user After a login sequence has been created, it is available for use by a user. A default login sequence can be defined, and users can be forced to use a specific login sequence, if desired.

  • Graded authentication With the login environment configured, you can now define those network resources that are available with each login method. Graded authentication lets you label network resources and require certain levels of authentication in order to access those resources.

  • Customize the user login The Novell Client supports several customization options based on the type of authentication that is being used. For more information on the Novell Client, see Chapter 4.

For more detailed information on each of these NMAS configuration steps, see the Novell online documentation.

eDirectory Login Controls

In addition to the actual login process, eDirectory provides a variety of login controls designed to help secure the network. Those controls are found in the properties of each User object. The various types of restrictions offered by eDirectory include

  • Password restrictions

  • Login restrictions

  • Time restrictions

  • Address restrictions

  • Intruder lockout

NOTE

You will also see an Account Balance tab. This is a leftover from a NetWare server accounting feature that is not supported in OES Linux.


You can manage the various login controls from iManager or ConsoleOne. Login controls can be set on individual User objects, or they can be defined at the container level, where they will be automatically applied to all users in that container. To get to the login restrictions pages available through eDirectory, complete the following steps:

1.

Launch iManager and select the View Objects icon. Locate the object for which you want to set login controls.

2.

Click the object and select Modify Object.

3.

Select the Restrictions tab and you will see a subpage for each of the controls listed previously. Select the appropriate page.

4.

Make your desired changes and click OK to save your changes.

Each of the login control pages is described in more detail in the following sections.

PASSWORD RESTRICTIONS

The Password Restrictions page allows you to set password characteristics for eDirectory users. As mentioned previously, OES Linux uses Universal Password for password management. Universal Password configuration options include password settings available on this screen and additional features more advanced than the traditional eDirectory options available here. Because of this, the Password Restrictions screen should not be used to enforce password requirements with OES Linux.

NOTE

More information on configuring Universal Password is available in the "Novell Modular Authentication Service" section of this chapter.


LOGIN RESTRICTIONS

The Login Restrictions page allows you to control the capability of a user to log in to the network, as shown in Figure 8.4.

  • Account Disabled Checking this box disables the user account and prevents future login attempts. However, this will not affect a user who is currently logged in.

  • Account Has Expiration Date Checking this box allows you to set a date when the user account will be automatically disabled. This option might be used for contract employees or consultants who will be working for a predefined period of time.

  • Limit Concurrent Connections Check this box to define how many times the same account can be used to log in from different workstations simultaneously. If this option is enabled, the default is 1, but any value between 1 and 32,000 can be selected.

Figure 8.4. Login Restrictions page in iManager.


TIME RESTRICTIONS

The Time Restrictions page enables you to limit the time(s) of day when a user can access the network, as shown in Figure 8.5. By default, there are no restrictions.

Figure 8.5. The Time Restrictions page in iManager.


To set a time restriction, click the box for which you want the restriction to occur, and then click Apply to reflect the change. To select a range of time, hold down the Shift key while moving the mouse over the time range. Each block is 30 minutes. When finished, make sure to select OK to save the new restrictions out to eDirectory. If a user is logged in when her lockout period is reached, she will be issued a five-minute warning, after which she will be automatically logged out.

NOTE

One important caveat to time restrictions is that they are governed by the user's home time and not his current time. For example, if a user in New York takes a trip to Los Angeles, and is going to dial in to his home network, the time in New York rather than the time in Los Angeles will determine the time restriction. A time restriction of 6:00 p.m. EST would shut the user down at 3:00 p.m. PST. Although that might give your employee time to get in a round of golf, it might not be what you intended when configuring the time restriction in the first place.


ADDRESS RESTRICTIONS

The Address Restrictions page can be used to tie a user account to a specific workstation, thereby forcing users to log in from that hardware location, or network address only. Selecting to add a network address restriction invokes the dialog box shown in Figure 8.6. From this dialog box, specific address types (IP, TCP, UDP, and so on) can be selected, and then address information must be entered to configure the restriction.

Figure 8.6. Address Restrictions page in iManager.


In today's world of dynamic addressing and roaming users, this option is not as useful as it once might have been, but in very security-conscious environments, it can still be necessary. However, TCP/IP functionality is severely limited by the fact that the utility assumes a Class B subnet mask (255.255.0.0) for all IP addressing, which is not very practical in today's overloaded IP world.

INTRUDER LOCKOUT

The Intruder Lockout page is useful only after a user account has been disabled. Intruder lockout refers to the disabling of a user account after a certain number of unsuccessful login attempts have been made. To re-enable a locked-out account, the administrator unchecks the Account Locked box on this page. The other three entries simply provide information about the status of the locked account.

The actual intruder detection system is configured at the container level rather than at the user level. In order to configure your intruder detection environment, complete the following steps:

1.

Launch iManager and select the View Objects icon. Locate the container for which you want to set intruder detection.

2.

Click the object and select Modify Object.

3.

Select the Intruder Detection link, as shown in Figure 8.7.

Figure 8.7. Enabling intruder detection features in iManager.


4.

Make your desired changes and click OK.

  • Detect Intruders Check this box to enable the intruder detection system for this container. Associated with this check box are fields that allow you to set the number of incorrect login attempts before intruder lockout is activated (the default is 7) and the interval within which the unsuccessful attempts must occur (the default is 30 minutes).

  • Lock Account After Detection Check this box to enable the account lockout feature. Associated with this check box are fields that allow you to specify the time period for which the account will remain locked (the default is 15 minutes). At the end of this period, the account will be reactivated automatically.

After the intruder detection features have been configured, intruder lockout makes it much more difficult for would-be hackers to perform dictionary or other brute force attacks against one of your network accounts.
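The container-level intruder detection behaviour described above (a count of failed attempts within an interval, followed by a timed lockout that clears itself), as an added Python example replayed over a constructed login log; this is not code from the book or from Novell, and eDirectory keeps this state internally rather than in anything resembling a log replay. The defaults in IntruderDetection are the page's (7 attempts, 30 minutes, 15 minutes); the log format and the account DNs are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IntruderDetection:
    """The container-level settings described on the page, with the page's defaults."""
    detect_intruders: bool = True
    attempts_before_lockout: int = 7
    detection_interval: timedelta = timedelta(minutes=30)
    lock_account_after_detection: bool = True
    lockout_duration: timedelta = timedelta(minutes=15)


class IntruderLockoutMonitor:
    """Sliding-window failure counter plus timed lockout, keyed by account DN."""

    def __init__(self, policy):
        self.policy = policy
        self._failures = defaultdict(deque)   # dn -> timestamps of recent failures
        self.locked_until = {}                # dn -> when the lock expires
        self.events = []                      # (timestamp, dn) of each detection

    def is_locked(self, dn, now):
        until = self.locked_until.get(dn)
        if until is None:
            return False
        if now >= until:
            # Page: the account is reactivated automatically when the period ends.
            del self.locked_until[dn]
            self._failures[dn].clear()
            return False
        return True

    def record(self, dn, success, now):
        """Feed one login result; returns 'locked', 'intruder', 'failed' or 'ok'."""
        if self.is_locked(dn, now):
            return "locked"          # even a correct password is refused while locked
        if success:
            self._failures[dn].clear()
            return "ok"
        if not self.policy.detect_intruders:
            return "failed"
        window = self._failures[dn]
        window.append(now)
        cutoff = now - self.policy.detection_interval
        while window and window[0] < cutoff:   # forget failures outside the interval
            window.popleft()
        if len(window) < self.policy.attempts_before_lockout:
            return "failed"
        self.events.append((now, dn))
        window.clear()
        if self.policy.lock_account_after_detection:
            self.locked_until[dn] = now + self.policy.lockout_duration
            return "locked"
        return "intruder"


# Constructed sample log (not real eDirectory output): timestamp, result, account DN.
SAMPLE_LOG = """\
2005-06-01T08:30:00 FAIL cn=asmith,ou=users,o=example
2005-06-01T09:00:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:01:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:02:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:03:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:04:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:05:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:06:00 FAIL cn=jdoe,ou=users,o=example
2005-06-01T09:07:00 OK   cn=jdoe,ou=users,o=example
2005-06-01T09:10:00 FAIL cn=asmith,ou=users,o=example
2005-06-01T09:22:00 OK   cn=jdoe,ou=users,o=example
2005-06-01T09:35:00 FAIL cn=asmith,ou=users,o=example
"""


def replay(log_text, policy):
    """Run the log through the monitor; returns ([(dn, verdict), ...], detection events)."""
    monitor = IntruderLockoutMonitor(policy)
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, dn = line.split(maxsplit=2)
        now = datetime.fromisoformat(stamp)
        verdicts.append((dn, monitor.record(dn, result == "OK", now)))
    return verdicts, monitor.events


if __name__ == "__main__":
    for dn, verdict in replay(SAMPLE_LOG, IntruderDetection())[0]:
        print(f"{verdict:8} {dn}")
```

In the sample, jdoe's seventh failure at 09:06 triggers detection and locks the account until 09:21, so the correct password at 09:07 is still refused, while the login at 09:22 succeeds because the lock has expired; asmith's three failures never fall within one 30-minute interval and never trigger anything. With Lock Account After Detection cleared, the seventh failure is reported as an intruder event but the next correct password is accepted.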



    Novell Open Enterprise Server Administrator's Handbook, SUSE LINUX Edition
    ISBN: 067232749X
    Year: 2005
    Pages: 178
