ISCSI CHAP authentication

Source: Internet
Author: User
Reposted from: http://blog.csdn.net/sinchb/article/details/8433994417t101

1. What is CHAP?

CHAP (Challenge-Handshake Authentication Protocol) is the protocol iSCSI initiators and targets use to prove their identity to each other. It is designed so that a cleartext password never appears on the wire.

CHAP is safer than PAP because it does not send the plaintext password over the network; instead, the target sends a random sequence (the "challenge string"), and the initiator returns that challenge processed through a digest algorithm together with the password. In addition, authentication can be repeated at any time, including in the middle of normal communication between the two parties, so even if an attacker intercepts the traffic and manages to crack the password, the password will only be useful for a limited period of time.

2. Two levels of CHAP authentication in iSCSI

iSCSI supports two levels of CHAP authentication: initiator authentication and target authentication.

2.1 Initiator authentication: when an initiator tries to connect to a target, the initiator must provide a username and password to the target so that the target can authenticate it. This username and password are called the incoming account, i.e. the incoming account is the account the initiator presents to the target, and the target verifies it.

2.2 Target authentication: when an initiator tries to connect to a target, the target must provide a username and password to the initiator so that the initiator can authenticate it. The corresponding account is the outgoing account, i.e. the outgoing account is the account the target presents to the initiator, and the initiator verifies it.

Initiator authentication can be used without target authentication. In that case only the target verifies the initiator's CHAP credentials; this is called uni-directional (one-way) authentication. Target authentication, on the other hand, requires initiator authentication to be enabled at the same time, so that initiator and target authenticate each other; this is called bi-directional (mutual) authentication.

The password used for mutual iSCSI CHAP authentication must be between 12 and 16 characters (the passwords in the tests below are shorter than 12 characters and still worked, so this needs further verification). A space is a valid password character, so "I love iSCSI !!!!" is a valid password.

3. Creating an iSCSI target and LUNs

3.1 Create a target on the target side. The following steps create one target with two LUNs.

(1) Create the target:

    tgtadm --lld iscsi --op new --mode target --tid 1 -T iqn.2012-12:disk0

(2) Assign two devices, sdb and sdc, to this target:

    tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sdb
    tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 2 -b /dev/sdc

(3) Set the ACL to ALL. ACL is short for Access Control List: only the IP addresses in this list are allowed to access the target. Here we set it to ALL, so every IP address may access the target. Specific IP addresses can of course be listed instead, in which case only those addresses are allowed.

    tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL

(The last parameter is the uppercase letter I, not the digit 1.)

(4) Look at the target we just created:

    [root@iscsib ~]# tgt-admin --show
    Target 1: iqn.2012-12:disk0
        System information:
            Driver: iscsi
            State: ready
        I_T nexus information:
        LUN information:
            LUN: 0
                Type: controller
                SCSI ID: IET     00010000
                SCSI SN: beaf10
                Size: 0 MB, Block size: 1
                Online: Yes
                Removable media: No
                Prevent removal: No
                Readonly: No
                Backing store type: null
                Backing store path: None
                Backing store flags:
            LUN: 1
                Type: disk
                SCSI ID: IET     00010001
                SCSI SN: beaf11
                Size: 10737 MB, Block size: 512
                Online: Yes
                Removable media: No
                Prevent removal: No
                Readonly: No
                Backing store type: rdwr
                Backing store path: /dev/sdb
                Backing store flags:
            LUN: 2
                Type: disk
                SCSI ID: IET     00010002
                SCSI SN: beaf12
                Size: 5369 MB, Block size: 512
                Online: Yes
                Removable media: No
                Prevent removal: No
                Readonly: No
                Backing store type: rdwr
                Backing store path: /dev/sdc
                Backing store flags:
        Account information:
        ACL information:
            ALL

We can see the two LUNs (LUN 0 is the controller and does not count), and that the account information is empty.

4. Configuring one-way (initiator) authentication

To set up one-way initiator authentication: create an account and password on the target side, bind the account to a specific target, and then put the account and password into the iscsid.conf file on the initiator side.

4.1 On the target side, create the account redhat with the password redhat123:

    tgtadm --lld iscsi --mode account --op new --user redhat --password redhat123

4.2 On the target side, bind the account to the target:

    tgtadm --lld iscsi --mode account --op bind --tid 1 --user redhat
    tgtadm --lld iscsi --mode target --op show

    [root@iscsib ~]# tgt-admin --show
    Target 1: iqn.2012-12:disk0
        ... (same system and LUN information as above) ...
        Account information:
            redhat
        ACL information:
            ALL

The redhat account is now bound to the target we just created.

4.3 Configure the initiator

4.3.1 Edit the iscsid.conf file on the initiator: find the CHAP settings, enable CHAP authentication and fill in the account and password. Be careful not to mistype them.

    vim /etc/iscsi/iscsid.conf

    # uncomment the related items
    node.session.auth.authmethod = CHAP          # enable CHAP authentication
    node.session.auth.username = redhat          # the account
    node.session.auth.password = redhat123       # the password

4.3.2 Restart iscsid:

    /etc/init.d/iscsid restart

(This does not seem to be necessary. If iscsid refuses to restart, check whether you are still logged in to some targets; if so, log out first.)

4.3.3 Log in to the target (you must run discovery first):

    iscsiadm -m discovery -t sendtargets -p 192.168.10.185
    iscsiadm -m node -T iqn.2012-12:disk0 -p 192.168.10.185 -l

If the configured username or password is wrong, the login shows the following authentication error:

    [root@cherish ~]# iscsiadm -m node -T iqn.2012-12:disk0 -p 192.168.10.185 --login
    Logging in to [iface: default, target: iqn.2012-12:disk0, portal: 192.168.10.185,3260] (multiple)
    iscsiadm: Could not login to [iface: default, target: iqn.2012-12:disk0, portal: 192.168.10.185,3260].
    iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
    iscsiadm: Could not log into all portals

Note: after changing the username and password in the configuration file, you must re-run discovery against the target IP before the new username and password are used for login. Otherwise the authentication error above is shown.

5. Two-way authentication (also called mutual authentication)

5.1 On the target side, create the outgoing account:

    tgtadm --lld iscsi --op new --mode account --user out_redhat --password out_redhat123

5.2 On the target side, bind the account to the target as the outgoing account:

    tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_redhat --outgoing
    tgtadm --lld iscsi --mode target --op show

    [root@iscsib ~]# tgt-admin --show
    Target 1: iqn.2012-12:disk0
        ... (same system and LUN information as above) ...
        Account information:
            redhat
            out_redhat (outgoing)        # note the (outgoing) marker
        ACL information:
            ALL

5.3 On the initiator side, configure iscsid.conf:

    vim /etc/iscsi/iscsid.conf

    node.session.auth.username_in = out_redhat
    node.session.auth.password_in = out_redhat123

5.4 On the initiator side, log out, re-run discovery and log in to the target again (discovery must be repeated):

    iscsiadm -m node -T iqn.2012-12:disk0 -p 192.168.10.185 --logout
    /etc/init.d/iscsid reload        # not necessary
    iscsiadm -m discovery -t sendtargets -p 192.168.10.185
    iscsiadm -m node -T iqn.2012-12:disk0 -p 192.168.10.185 --login

Note: in two-way authentication both the incoming and the outgoing account passwords must be correct.

6. Binding multiple incoming accounts

6.1 Create several incoming and outgoing accounts for one target.

(1) Create two more accounts:

    tgtadm --lld iscsi --mode account --op new --user chenbin --password chenbin123
    tgtadm --lld iscsi --mode account --op new --user out_chenbin --password out_chenbin123

How many accounts are there now?

    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op show
    Account list:
        out_chenbin
        chenbin
        out_redhat
        redhat

(2) Bind the new accounts to the current target. First the incoming account:

    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user chenbin
    [root@iscsib ~]# tgt-admin --show
    Target 1: iqn.2012-12:disk0
        ... (same system and LUN information as above) ...
        Account information:
            redhat
            chenbin
            out_redhat (outgoing)
        ACL information:
            ALL

A second incoming account has been bound. Now try to bind a second outgoing account:

    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_chenbin --outgoing
    tgtadm: this target already has an outgoing account

tgtadm reports that the target already has an outgoing account. In conclusion, a target can have multiple incoming accounts bound, but only one outgoing account. In other words, we can give different initiators different incoming accounts, but the outgoing account the initiators verify must be the same for all of them. (This conclusion applies to one specific target.)

6.2 Unbind and delete accounts

(1) Unbind the incoming account chenbin:

    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op unbind --tid 1 --user chenbin

(2) Unbind the outgoing account out_redhat:

    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op unbind --tid 1 --user out_redhat --outgoing
    [root@iscsib ~]# tgt-admin -s
    Target 1: iqn.2012-12:disk0
        ... (same system and LUN information as above) ...
        Account information:
            redhat
        ACL information:
            ALL

Only one account is left bound to the target.

(3) Delete an account:

    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op delete --user chenbin
    [root@iscsib ~]# tgtadm --lld iscsi --mode account --op show
    Account list:
        out_chenbin
        out_redhat
        redhat

7. Handling of several special cases

If the target has no account bound at all, the initiator can log in whether or not it has enabled CHAP and regardless of which username and password it has set: no verification takes place.

If the target has an incoming account or an outgoing account bound, the initiator must enable CHAP authentication and set the matching account and password; otherwise the login is refused.

If the target has only an incoming account bound, but the initiator has enabled CHAP and set both the incoming and the outgoing (username_in/password_in) accounts, the login fails, because the target cannot pass the initiator's authentication.
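The following is an added example (not from the original post) that models the CHAP exchange described in sections 1, 2 and 5, and the failure case in section 7, in Python: the target sends an identifier and a random challenge, the initiator returns MD5(CHAP_I || secret || CHAP_C) as in RFC 7143 with CHAP_A=5, and for mutual authentication the initiator challenges the target back and checks the answer against its configured outgoing account. The Target and login names and the account/secret values are constructed for illustration; the dictionaries stand in for the tgtadm account bindings and the iscsid.conf settings.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C); only this digest crosses the wire, never the secret."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Target:
    """Toy target (constructed): incoming accounts it verifies, at most one outgoing account it answers with."""
    def __init__(self, incoming, outgoing=None):
        self.incoming = incoming   # {user: secret}, like tgtadm --mode account --op bind --tid 1 --user ...
        self.outgoing = outgoing   # (user, secret) or None, like ... --outgoing (only one allowed)
        self.ident, self.challenge = 0, b""

    def challenge_initiator(self):
        # the target sends CHAP_I and a fresh random CHAP_C; a captured CHAP_R is useless for later logins
        self.ident, self.challenge = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.challenge

    def verify(self, user, response):
        # recompute the digest with the secret stored for CHAP_N and compare in constant time
        secret = self.incoming.get(user)
        if secret is None:
            return False
        expected = chap_response(self.ident, secret, self.challenge)
        return hmac.compare_digest(response, expected)

    def answer(self, ident, challenge):
        # mutual step: answer the initiator's challenge with the outgoing account, if one is bound
        if self.outgoing is None:
            return None
        user, secret = self.outgoing
        return user, chap_response(ident, secret, challenge)

def login(target, user, secret, target_account=None):
    """Run one login; returns (initiator_ok, target_ok), target_ok is None for one-way auth.
    user/secret mirror node.session.auth.username/password, target_account the *_in pair."""
    ident, chal = target.challenge_initiator()
    initiator_ok = target.verify(user, chap_response(ident, secret, chal))
    if not initiator_ok or target_account is None:
        return initiator_ok, None
    my_ident, my_chal = os.urandom(1)[0], os.urandom(16)
    reply = target.answer(my_ident, my_chal)
    if reply is None:
        return True, False   # initiator demands target auth but no outgoing account is bound (section 7)
    name, resp = reply
    expected = chap_response(my_ident, target_account[1], my_chal)
    return True, name == target_account[0] and hmac.compare_digest(resp, expected)
```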
