iSCSI: Login fails if CHAP password for initiator and target are same
Description
The example below shows that the CHAP login, and therefore the connection,
fails if the CHAP password for the initiator and the target are the same.
Steps to Follow
Enabling CHAP on the initiator.
# iscsiadm modify initiator-node -a CHAP -H root
# iscsiadm modify initiator-node -C
Enter secret:
Re-enter secret:
Adding CHAP authentication for the target.
# iscsiadm modify target-param -a CHAP -B enable -H root iqn.1992-08.com.netapp:sn.84186266
# iscsiadm modify target-param -C iqn.1992-08.com.netapp:sn.84186266
Enter secret:
Re-enter secret:
Enabling CHAP authentication on the iSCSI storage (in my case it's NetApp
iSCSI storage).
Modify Initiator Security
Initiator(s): iqn.1986-03.com.sun:01:0003ba0aca95.45e3994d
Security Type: CHAP
User Name: root
Password:
Outbound User Name: root
Outbound Password:
When trying to enable the connection, the connection fails.
# iscsiadm modify discovery -t enable
# iscsiadm list target
Target: iqn.1992-08.com.netapp:sn.84186266
Alias: netapp
TPGT: 1001
ISID: 4000002a0000
Connections: 0
Target: iqn.1992-08.com.netapp:sn.84186266
Alias: netapp
TPGT: 1000
ISID: 4000002a0000
Connections: 0
/var/adm/messages indicates that authentication failed.
----------------
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(92) login failed - authentication failed with target
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(90) login failed - authentication failed with target
----------------
Now changing the CHAP login password for the iSCSI storage.
# iscsiadm modify target-param -a CHAP -B enable -H root iqn.1992-08.com.netapp:sn.84186266
# iscsiadm modify target-param -C iqn.1992-08.com.netapp:sn.84186266
Enter secret:
Re-enter secret:
Similarly on the storage array.
Modify Initiator Security
Initiator(s): iqn.1986-03.com.sun:01:0003ba0aca95.45e3994d
Security Type: CHAP
User Name: root
Password:
Outbound User Name: root
Outbound Password:
After the connection has been reconfigured, the connection is successful.
# iscsiadm modify discovery -t disable
# iscsiadm modify discovery -t enable
#
# iscsiadm modify target-param -C iqn.1992-08.com.netapp:sn.84186266
#
# iscsiadm list target
Target: iqn.1992-08.com.netapp:sn.84186266
Alias: netapp
TPGT: 1001
ISID: 4000002a0000
Connections: 1
Target: iqn.1992-08.com.netapp:sn.84186266
Alias: netapp
TPGT: 1000
ISID: 4000002a0000
Connections: 1
#
Now LUNs are visible.
# iscsiadm list target -S
Target: iqn.1992-08.com.netapp:sn.84186266
Alias: netapp
TPGT: 1001
ISID: 4000002a0000
Connections: 1
LUN: 0
Vendor: NETAPP
Product: LUN
OS Device Name: /dev/rdsk/c8t10d0s2
LUN: 1
Vendor: NETAPP
Product: LUN
OS Device Name: /dev/rdsk/c8t9d0s2
Target: iqn.1992-08.com.netapp:sn.84186266
Alias: netapp
TPGT: 1000
ISID: 4000002a0000
Connections: 1
LUN: 0
Vendor: NETAPP
Product: LUN
OS Device Name: /dev/rdsk/c8t12d0s2
LUN: 1
Vendor: NETAPP
Product: LUN
OS Device Name: /dev/rdsk/c8t11d0s2
This is not a bug; it is a security feature of the CHAP protocol.
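Why equal secrets are a problem in bidirectional CHAP, as an added example that is not part of the original article: with the RFC 1994 MD5 response, one shared secret makes the initiator's and the target's answer to a given identifier and challenge byte-for-byte identical, so a response no longer shows which side computed it. The helper names and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def secrets_are_distinct(initiator_secret: bytes, target_secret: bytes) -> bool:
    """Pre-flight check for a bidirectional CHAP setup (hypothetical helper)."""
    return not hmac.compare_digest(initiator_secret, target_secret)

def responses_coincide(initiator_secret, target_secret, ident, challenge) -> bool:
    """True when both directions owe the same response for (ident, challenge),
    i.e. a response seen in one direction would also verify in the other."""
    return hmac.compare_digest(
        chap_response(ident, initiator_secret, challenge),
        chap_response(ident, target_secret, challenge),
    )

def verify_target(own_ident, own_challenge, answered_challenge,
                  target_secret, response) -> bool:
    """Initiator-side verification of the target's CHAP response.

    answered_challenge is the challenge this initiator was itself asked to
    answer earlier in the same login; issuing that same value back is refused.
    """
    if hmac.compare_digest(own_challenge, answered_challenge):
        return False
    expected = chap_response(own_ident, target_secret, own_challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample values, not taken from the article.
SAME = b"example-secret-1"
OTHER = b"example-secret-2"
CHALLENGE_FROM_TARGET = os.urandom(16)
CHALLENGE_FROM_INITIATOR = os.urandom(16)

if __name__ == "__main__":
    print("distinct secrets configured:", secrets_are_distinct(SAME, OTHER))
    print("same secret, responses coincide:",
          responses_coincide(SAME, SAME, 1, CHALLENGE_FROM_TARGET))
    print("different secrets, responses coincide:",
          responses_coincide(SAME, OTHER, 1, CHALLENGE_FROM_TARGET))
```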
Note that if the password is wrong, you will see an additional warning
message, as shown below:
--------------------------------
iscsi: [ID 732394 kern.warning] WARNING: iscsi session(105) failed authentication, received incorrect CHAP response from target
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(106) login failed - authentication failed with target
iscsi: [ID 732394 kern.warning] WARNING: iscsi session(103) failed authentication, received incorrect CHAP response from target
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(104) login failed - authentication failed with target
--------------------------------
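Telling the two failure patterns apart in /var/adm/messages, as an added example that is not part of the original article: a login failure preceded by the "incorrect CHAP response" warning is what the article shows for a wrong password, while the failure line on its own is what it shows for identical secrets. The function name and cause labels are made up here; the sample lines are the ones quoted in the article.

```python
import re

BAD_RESPONSE = re.compile(
    r"iscsi session\((\d+)\) failed authentication, "
    r"received incorrect CHAP response from target")
LOGIN_FAILED = re.compile(
    r"iscsi connection\((\d+)\) login failed - "
    r"authentication failed with target")

def classify_login_failures(lines):
    """Return [(connection_id, cause)] for every failed iSCSI login.

    cause is "incorrect-chap-response" when the failure follows the
    "received incorrect CHAP response" warning, otherwise
    "no-chap-response-warning" (the pattern the article reports when the
    initiator and target secrets are identical).
    """
    results = []
    bad_response_seen = False
    for line in lines:
        if BAD_RESPONSE.search(line):
            bad_response_seen = True
            continue
        match = LOGIN_FAILED.search(line)
        if match:
            cause = ("incorrect-chap-response" if bad_response_seen
                     else "no-chap-response-warning")
            results.append((int(match.group(1)), cause))
            bad_response_seen = False  # the warning belongs to this login only
    return results

# Sample input: the log lines quoted in the article, in the order shown there.
SAMPLE_LOG = """\
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(92) login failed - authentication failed with target
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(90) login failed - authentication failed with target
iscsi: [ID 732394 kern.warning] WARNING: iscsi session(105) failed authentication, received incorrect CHAP response from target
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(106) login failed - authentication failed with target
iscsi: [ID 732394 kern.warning] WARNING: iscsi session(103) failed authentication, received incorrect CHAP response from target
iscsi: [ID 632887 kern.warning] WARNING: iscsi connection(104) login failed - authentication failed with target
""".splitlines()

if __name__ == "__main__":
    for conn, cause in classify_login_failures(SAMPLE_LOG):
        print(f"connection {conn}: {cause}")
```

The regular expressions use `search`, so the timestamp and hostname that syslog puts in front of each line in a real /var/adm/messages do not need to be stripped first.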
Product
Solaris 11 (Nevada)
Solaris 10 Operating System for x86 Platforms
Solaris 10 Operating System