tgt CHAP mutual authentication logic

Background

Verifying iSCSI one-way and mutual (bidirectional) CHAP authentication against a tgt target, and checking where the decision to do mutual authentication is actually made.

Verification

One-way authentication

Enable one-way authentication on the target (targets.conf): the incominguser line is the credential the initiator must present.

<target iqn.2008-09.com.example:server.target1>
backing-store /dev/rbd0
incominguser zp 123456
</target>

[root@lab102 ~]# iscsiadm -m discovery -t sendtargets -p 192.168.0.101
192.168.0.101:3260,1 iqn.2008-09.com.example:server.target1

The target can still be discovered; the incominguser credential is only checked at session login:

[root@lab102 ~]# iscsiadm -m node -T iqn.2008-09.com.example:server.target1 -l
Logging in to [iface: default, target: iqn.2008-09.com.example:server.target1, portal: 192.168.0.101,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.2008-09.com.example:server.target1, portal: 192.168.0.101,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals

The login is refused with an authorization failure (error 24), because the initiator has not presented any CHAP credentials. Configure the matching outgoing credentials on the initiator:

[root@lab102 ~]# vim /etc/iscsi/iscsid.conf

# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = zp
node.session.auth.password = 123456

Delete the previous discovery record before logging in again, so that the node record is not left with the old (empty) credentials. If the login still fails after editing iscsid.conf, either re-run discovery or update the node record directly (iscsiadm -m node -T <iqn> -o update -n node.session.auth.username -v zp, and likewise for node.session.auth.password).

[root@lab102 ~]# iscsiadm -m discovery -p 192.168.0.101 -o delete
[root@lab102 ~]# iscsiadm -m discovery -p 192.168.0.101 -o delete
iscsiadm: Discovery record [192.168.0.101,3260] not found!

[root@lab102 ~]# iscsiadm -m node -T iqn.2008-09.com.example:server.target1 -l
Logging in to [iface: default, target: iqn.2008-09.com.example:server.target1, portal: 192.168.0.101,3260] (multiple)
Login to [iface: default, target: iqn.2008-09.com.example:server.target1, portal: 192.168.0.101,3260] successful.

Login succeeds.

One-way authentication therefore works end to end.

Mutual authentication

Add an outgoinguser line to the target. This is the credential the target presents to the initiator when the initiator asks the target to authenticate itself:

<target iqn.2008-09.com.example:server.target1>
backing-store /dev/rbd0
incominguser zp 123456
outgoinguser admin 12345678
</target>

Initiator (client) configuration

/etc/iscsi/iscsid.conf
# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
node.session.auth.username = zp
node.session.auth.password = 123456

# To set a CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
#node.session.auth.username_in = username_in
#node.session.auth.password_in = password_in

Note that the username_in / password_in lines are still commented out. With the initiator configured like this, it does not verify the target at all: the session is set up with one-way CHAP only, whatever the target's outgoinguser line says. Setting outgoinguser on the target does not by itself force mutual authentication; the initiator decides. To actually verify the target, uncomment the two lines and set them to the target's outgoinguser values (admin / 12345678 here).

int iscsi_setup_authentication(struct iscsi_session *session,
                               struct iscsi_auth_config *auth_cfg)
{
	/* if we have any incoming credentials, we insist on authenticating
	 * the target or not logging in at all
	 */
	if (auth_cfg->username_in[0] || auth_cfg->password_in_length) {
		/* sanity check the config */
		if (auth_cfg->password_length == 0) {
			log_warning("CHAP configuration has incoming "
				    "authentication credentials but has no "
				    "outgoing credentials configured.");
			return EINVAL;
		}
		session->bidirectional_auth = 1;
	} else {
		/* no or 1-way authentication */
		session->bidirectional_auth = 0;
	}
	/* ... rest of the function omitted in this excerpt ... */

iscsi-initiator-utils is the packaged name of open-iscsi; the snippet above comes from this file:

[open-iscsi-2.0.874]# vim usr/initiator_common.c 

The code makes the decision explicit: if any incoming credential (username_in or password_in) is configured, the initiator enables bidirectional authentication and will refuse to log in unless the target authenticates; if none is configured, the session is marked one-way (or unauthenticated). There is also a sanity check: incoming credentials without an outgoing password are rejected with EINVAL rather than silently downgraded. This logic is sound; it just means the enforcement point for mutual CHAP is the initiator's configuration, not the target's.
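To make the two observations above (the commented-out username_in / password_in lines yielding one-way authentication, and the decision in iscsi_setup_authentication) checkable before a login is attempted, here is an added example, written for this page and not part of open-iscsi or tgt: a small POSIX shell audit that reads an iscsid.conf-style file and reports the CHAP mode an initiator configured that way would negotiate. The four sample configs it writes are constructed for the example; the mode names (none, oneway, mutual, invalid) and the helper names are this example's own choices, and the classification mirrors the C logic shown above (incoming credentials without an outgoing password is the EINVAL case).

```shell
#!/bin/sh
# Added example (not open-iscsi or tgt code): classify the CHAP mode an
# open-iscsi initiator will negotiate from an iscsid.conf-style file,
# mirroring the decision in iscsi_setup_authentication():
#   username_in/password_in set  -> mutual (needs an outgoing password, else invalid)
#   only username/password set   -> oneway
#   nothing set                  -> none (no CHAP offered)
# Commented-out lines ("#node.session...") are ignored, which is exactly why
# the page's config with commented username_in/password_in yields one-way auth.

# Print the last uncommented value of key $2 in file $1 (empty if unset).
chap_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one of: none, oneway, mutual, invalid.
chap_mode() {
    f=$1
    user=$(chap_get "$f" node.session.auth.username)
    pass=$(chap_get "$f" node.session.auth.password)
    user_in=$(chap_get "$f" node.session.auth.username_in)
    pass_in=$(chap_get "$f" node.session.auth.password_in)
    if [ -n "$user_in" ] || [ -n "$pass_in" ]; then
        # Same sanity check as the C code: incoming credentials without an
        # outgoing password are rejected (EINVAL), not treated as mutual.
        if [ -z "$pass" ]; then echo invalid; else echo mutual; fi
    elif [ -n "$user" ] || [ -n "$pass" ]; then
        echo oneway
    else
        echo none
    fi
}

# Write four constructed sample configs into directory $1 (assumed writable).
write_samples() {
    d=$1
    # 1. The page's config: target-verification lines still commented out.
    cat > "$d/oneway.conf" <<'EOF'
node.session.auth.username = zp
node.session.auth.password = 123456
#node.session.auth.username_in = username_in
#node.session.auth.password_in = password_in
EOF
    # 2. Mutual: incoming credentials match the target's outgoinguser line.
    cat > "$d/mutual.conf" <<'EOF'
node.session.auth.username = zp
node.session.auth.password = 123456
node.session.auth.username_in = admin
node.session.auth.password_in = 12345678
EOF
    # 3. Incoming credentials only: open-iscsi refuses this config.
    cat > "$d/invalid.conf" <<'EOF'
node.session.auth.username_in = admin
node.session.auth.password_in = 12345678
EOF
    # 4. Everything commented out: no CHAP at all.
    cat > "$d/none.conf" <<'EOF'
#node.session.auth.username = zp
#node.session.auth.password = 123456
EOF
}

# Stand-alone demo: print the mode of each sample config.
samples=$(mktemp -d)
write_samples "$samples"
for c in "$samples"/*.conf; do
    printf '%s: %s\n' "$(basename "$c")" "$(chap_mode "$c")"
done
rm -rf "$samples"
```

Run it against the real /etc/iscsi/iscsid.conf (chap_mode /etc/iscsi/iscsid.conf) before logging in: anything other than "mutual" means the initiator will accept whatever target answers at that portal, regardless of how the target side is configured.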

Summary

When setting up CHAP, keep in mind that if the initiator has no credentials configured for authenticating the target (username_in / password_in), no mutual authentication takes place, whatever outgoinguser the target has configured. Mutual CHAP has to be enforced on the initiator side.