iSCSI CHAP Authentication: An Incomplete Guide
2012-12-25 16:27
Original article; reposting is welcome, but please include a link to the original: http://blog.csdn.net/sinchb/article/details/8433994#t10
1. What is CHAP?
CHAP stands for Challenge-Handshake Authentication Protocol. iSCSI initiators and targets prove their identity to each other using CHAP, which includes a challenge/response mechanism so that cleartext passwords never appear on the wire.
2. iSCSI supports two levels of CHAP authentication:
Initiator authentication and Target authentication
2.1 Initiator authentication requires:
When an initiator tries to connect to a target, the initiator must present a username and password to the target so that the target can authenticate it. Below we call this username/password the incoming account: the incoming account is the one the initiator side presents to the target side, and the target side verifies it.
2.2 Target authentication requires:
When an initiator tries to connect to a target, the target must present a username and password to the initiator so that the initiator can authenticate it. The corresponding account is the outgoing account: the outgoing account is the one the target side presents to the initiator side, and the initiator side verifies it.
Initiator authentication can be used without target authentication; CHAP that only requires the target to verify the initiator is called Uni-directional Authentication, one-way authentication (the target does the verifying).
Target authentication requires initiator authentication to be enabled at the same time; that is, initiator and target authenticate each other. This is called Bi-directional Authentication, mutual authentication.
iSCSI CHAP passwords must be between 12 and 16 characters long (although none of the passwords in the tests below exceed 12 characters and they work fine, so this point needs further verification). Spaces are legal password characters, so "I Love iSCSI!!!!" is a valid password!
3. Creating the iSCSI target and LUNs
3.1 Create the target on the target side
Follow the steps below to create a target with two LUNs.
(1) Create a target
tgtadm --lld iscsi --op new --mode target --tid 1 -T 1qn.2012-12:disk0
(2) Assign two devices, sdb and sdc, to this target
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sdb
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 2 -b /dev/sdc
(3) Set the ACL to ALL
ACL stands for Access Control List; only the IPs in this list are allowed to access the target. We set it to ALL, so by default every IP can access it; we could of course specify particular IPs instead, so that only those IPs can access it.
tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL (the last argument is an uppercase letter I, not the digit 1)
(4) Look at the target we created
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
ACL information:
ALL
We can see two LUNs (LUN 0 is the controller and does not count), and Account information is empty.
4. Configuring one-way (initiator) authentication
To set up one-way initiator authentication, first create an account and password on the target side and bind that account to the specific target, then configure the same account and password in iscsid.conf on the initiator side.
4.1 Create the account redhat with password redhat123 on the target side
tgtadm --lld iscsi --mode account --op new --user redhat --password redhat123
4.2 Bind the account to the target on the target side
tgtadm --lld iscsi --mode account --op bind --tid 1 --user redhat
tgtadm --lld iscsi --mode target --op show
[root@iscsiB ~]# tgt-admin --show
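The output above is the place where an administrator checks what a target exposes: the LUNs, the bound accounts and the ACL. As an added example (written for this page, not code from the original post or from the tgt project), the following Python parses text in the format that tgt-admin --show prints and reports, per target, which CHAP accounts are bound and whether the ACL is ALL. The sample output is constructed to mirror the post's listing (same target name and field names) plus a second, hypothetical target with no account bound; the function names parse_tgt_show and audit are this example's own.

```python
# Added example (not code from the original post): parse the text that
# `tgt-admin --show` prints, as reproduced in the post, and report per target
# which CHAP accounts are bound and what the ACL allows. The sample below is
# constructed to mirror the post's output (same target name and field names)
# plus a second target that has no account bound.
import re

SAMPLE_SHOW = """\
Target 1: 1qn.2012-12:disk0
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
            Backing store type: null
            Backing store path: None
            Backing store flags:
        LUN: 1
            Type: disk
            Backing store type: rdwr
            Backing store path: /dev/sdb
            Backing store flags:
    Account information:
        redhat
        out_redhat (outgoing)
    ACL information:
        ALL
Target 2: 1qn.2012-12:disk1
    System information:
        Driver: iscsi
        State: ready
    LUN information:
        LUN: 0
            Type: controller
    Account information:
    ACL information:
        192.168.10.0/24
"""

# Section headers tgt-admin prints one level below "Target N:".
SECTIONS = {"System information:", "I_T nexus information:",
            "LUN information:", "Account information:", "ACL information:"}


def parse_tgt_show(text):
    """Return one dict per target: tid, name, incoming accounts, outgoing account, acl."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()          # indentation is irrelevant to the meaning
        if not line:
            continue
        m = re.match(r"Target (\d+): (\S+)$", line)
        if m:
            targets.append({"tid": int(m.group(1)), "name": m.group(2),
                            "incoming": [], "outgoing": None, "acl": []})
            section = None
            continue
        if line in SECTIONS:
            section = line
            continue
        if not targets:
            continue
        cur = targets[-1]
        if section == "Account information:":
            name = line.split()[0]              # drop a trailing "(outgoing)"
            if line.endswith("(outgoing)"):
                cur["outgoing"] = name          # tgt allows one of these per target
            else:
                cur["incoming"].append(name)
        elif section == "ACL information:":
            cur["acl"].append(line)
    return targets


def audit(targets):
    """Flag targets that authenticate nobody, authenticate one way only, or accept ALL."""
    findings = []
    for t in targets:
        label = "tid %d (%s)" % (t["tid"], t["name"])
        if not t["incoming"] and t["outgoing"] is None:
            findings.append(label + ": no CHAP account bound, initiators log in without any authentication")
        elif t["outgoing"] is None:
            findings.append(label + ": one-way CHAP only, initiators cannot verify the target")
        if "ALL" in t["acl"]:
            findings.append(label + ": ACL is ALL, access is not restricted by initiator address")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tgt_show(SAMPLE_SHOW)):
        print(finding)
```

Run against real output with `tgt-admin --show | python3 this_script.py`-style piping after replacing SAMPLE_SHOW with sys.stdin.read(); on the post's own target it flags the ACL of ALL, and after section 4 it would also flag one-way CHAP until the outgoing account of section 5 is bound.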
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
We can see that the account redhat is now bound to the target we just created.
4.3 Configure the initiator side
4.3.1 Edit iscsid.conf on the initiator side
Open the file, find the CHAP Settings section, enable CHAP authentication first and then fill in the account and password. Be careful not to get them wrong!
vim /etc/iscsi/iscsid.conf # remove the # comment marker in front of the relevant entries
node.session.auth.authmethod = CHAP // enable CHAP authentication
node.session.auth.username = redhat // the account
node.session.auth.password = redhat123 // the password
4.3.2 Restart the iscsid service
/etc/init.d/iscsid restart (this does not seem to be required; if you cannot restart iscsid, check whether you are already logged in to some targets and, if so, log out first)
4.3.3 Log in to the target
iscsiadm -m discovery -t sendtargets -p 192.168.10.185 (discovery must be run first!)
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 -l
If the configured username or password is wrong, the login shows the following authentication error:
[root@Cherish ~]# iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --login
Logging in to [iface: default, target: 1qn.2012-12:disk0, portal: 192.168.10.185,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: 1qn.2012-12:disk0, portal: 192.168.10.185,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
Note: after changing the username or password in the config file, you must re-run discovery against the target IP before the new credentials are used for login, because the stored node record keeps the credentials captured at discovery time; otherwise you get the same authentication error.
5. Bi-directional authentication (also called mutual authentication)
5.1 Create the outgoing account on the target side
tgtadm --lld iscsi --op new --mode account --user out_redhat --password out_redhat123
5.2 Bind the account to the target on the target side
tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_redhat --outgoing
tgtadm --lld iscsi --mode target --op show
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
out_redhat (outgoing) // note this marker
ACL information:
ALL
5.3 Edit iscsid.conf on the initiator side
vim /etc/iscsi/iscsid.conf
node.session.auth.username_in = out_redhat
node.session.auth.password_in = out_redhat123
5.4 Log in to the target from the initiator side
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --logout
/etc/init.d/iscsid reload (not required)
iscsiadm -m discovery -t sendtargets -p 192.168.10.185 (discovery must be re-run!)
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --login
Note: with bi-directional authentication, both the incoming and the outgoing account/password must be correct!
6. Binding multiple incoming accounts
6.1 Create several incoming and outgoing accounts for one target
(1) Create two more accounts
tgtadm --lld iscsi --mode account --op new --user chenbin --password chenbin123
tgtadm --lld iscsi --mode account --op new --user out_chenbin --password out_chenbin123
After creating them, let's see how many accounts there are:
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op show
Account list:
out_chenbin
chenbin
out_redhat
redhat
(2) Bind these two accounts to the current target
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user chenbin
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
chenbin
out_redhat (outgoing)
ACL information:
ALL
Binding another incoming account is no problem; now let's try binding another outgoing account
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_chenbin --outgoing
tgtadm: this target already has an outgoing account
tgtadm reports that the target already has an outgoing account. In summary, a target can have multiple incoming accounts bound to it, but only one outgoing account. In other words, different initiators can be given different incoming accounts, but all initiators must use the same outgoing account. (This conclusion applies to one particular target.)
6.2 Unbinding and deleting accounts
(1) Unbind the incoming account chenbin
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op unbind --tid 1 --user chenbin
(2) Unbind the outgoing account out_redhat
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op unbind --tid 1 --user out_redhat --outgoing
[root@iscsiB ~]# tgt-admin -s
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
ACL information:
ALL
We can see that only one account is left.
(3) Delete an account
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op delete --user chenbin
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op show
Account list:
out_chenbin
out_redhat
redhat
7. Handling a few special cases
If no account is bound on the target side, no authentication is performed at all, regardless of whether the initiator has CHAP enabled or a username and password configured.
If the target has an incoming or outgoing account bound, the initiator must enable CHAP and configure the account and password, otherwise it cannot log in.
If the target has an incoming account bound but no outgoing account, while the initiator has CHAP enabled with both incoming and outgoing accounts configured, login fails (because the target cannot pass the initiator's authentication).
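To make the three cases above and the binding rule of section 6 concrete, here is an added Python example (written for this page; it is not code from the original post, from tgt or from open-iscsi) that models the CHAP exchange iSCSI login uses, with the MD5 response of RFC 1994 (CHAP_A=5), and replays the post's steps: no account bound, CHAP not enabled, one-way login, wrong password, mutual login requested before an outgoing account exists, mutual login, and a second outgoing bind. The Target class, login() and the conf dictionary (whose keys mirror node.session.auth.* in iscsid.conf) are this example's own names, not tgtadm or iscsiadm APIs.

```python
# Added example (not from the original post): a model of the CHAP exchange that
# iSCSI login performs (CHAP_A=5, i.e. MD5 as in RFC 1994) together with the
# account rules the post observed in tgt: any number of incoming accounts per
# target, at most one outgoing account, and the login outcomes of section 7.
# Target, login() and the conf dict are this example's own, not real APIs.
import hashlib
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge).
    Only this digest (CHAP_R) crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class Target:
    def __init__(self, accounts):
        self.accounts = dict(accounts)  # user -> secret, as created with --op new
        self.incoming = set()           # bound with --op bind --tid N --user U
        self.outgoing = None            # bound with ... --outgoing (at most one)

    def bind(self, user, outgoing=False):
        if user not in self.accounts:
            raise KeyError("no such account: " + user)
        if outgoing:
            if self.outgoing is not None:   # the refusal seen in section 6
                raise RuntimeError("this target already has an outgoing account")
            self.outgoing = user
        else:
            self.incoming.add(user)


def login(target, conf):
    """conf mirrors node.session.auth.* from iscsid.conf. Returns (ok, reason)."""
    if not target.incoming and target.outgoing is None:
        return True, "no account bound: target skips authentication entirely"
    if conf.get("authmethod") != "CHAP":
        return False, "target requires CHAP but the initiator did not offer it"
    # Step 1: the target challenges the initiator (incoming account).
    user = conf.get("username")
    if user not in target.incoming:
        return False, "authorization failure: unknown incoming account"
    ident, challenge = 1, os.urandom(16)          # CHAP_I, CHAP_C sent by the target
    response = chap_response(ident, conf.get("password", ""), challenge)  # CHAP_N, CHAP_R
    if response != chap_response(ident, target.accounts[user], challenge):
        return False, "authorization failure: wrong incoming password"
    if "username_in" not in conf:
        return True, "one-way login ok"
    # Step 2: the initiator challenges the target (outgoing account).
    if target.outgoing is None:
        return False, "initiator demands target authentication but no outgoing account is bound"
    ident, challenge = 2, os.urandom(16)          # CHAP_I, CHAP_C sent by the initiator
    response = chap_response(ident, target.accounts[target.outgoing], challenge)
    expected = chap_response(ident, conf.get("password_in", ""), challenge)
    if target.outgoing != conf["username_in"] or response != expected:
        return False, "target failed the initiator's challenge"
    return True, "mutual login ok"


def run_scenarios():
    """Replay the post's steps; each value is the login outcome (True = logged in)."""
    t = Target({"redhat": "redhat123", "out_redhat": "out_redhat123",
                "chenbin": "chenbin123", "out_chenbin": "out_chenbin123"})
    one_way = {"authmethod": "CHAP", "username": "redhat", "password": "redhat123"}
    mutual = dict(one_way, username_in="out_redhat", password_in="out_redhat123")
    out = {}
    out["no_account_bound"] = login(t, {})[0]                  # section 7, case 1
    t.bind("redhat")
    out["chap_not_enabled"] = login(t, {})[0]                  # section 7, case 2
    out["one_way"] = login(t, one_way)[0]                      # section 4
    out["wrong_password"] = login(t, dict(one_way, password="redhat124"))[0]
    out["mutual_without_outgoing"] = login(t, mutual)[0]       # section 7, case 3
    t.bind("out_redhat", outgoing=True)
    out["mutual"] = login(t, mutual)[0]                        # section 5
    out["mutual_wrong_in_password"] = login(t, dict(mutual, password_in="x"))[0]
    t.bind("chenbin")                                          # second incoming: fine
    try:
        t.bind("out_chenbin", outgoing=True)                   # second outgoing: refused
        out["second_outgoing_bound"] = True
    except RuntimeError:
        out["second_outgoing_bound"] = False
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-26s %s" % (name, "login ok" if ok else "login failed"))
```

The model collapses every failure to a single boolean, which is what iscsiadm shows too (error 24 in every case), so the reason strings are only there to make the cause visible while reading; a fresh random challenge per login is what keeps a captured CHAP_R from being replayed.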