An Incomplete Guide to iSCSI CHAP Authentication
Original article; reposting is welcome, but please include a link to the original. Thanks! blog.csdn/sinchb/article/details/8433994#t10
1. What is CHAP?
Challenge-Handshake Authentication Protocol
iSCSI initiators and targets prove their identity to each other using the CHAP protocol, which includes a mechanism to prevent cleartext passwords from appearing on the wire.
2. iSCSI supports two levels of CHAP authentication:
Initiator authentication and Target authentication
2.1 Initiator authentication requirements:
When an initiator tries to connect to a target, the initiator must present a username and password to the target so that the target can authenticate it. Below we call this username/password the incoming account: the incoming account is the one the initiator presents to the target, and the target verifies it.
2.2 Target authentication requirements:
When an initiator tries to connect to a target, the target must present a username and password to the initiator so that the initiator can authenticate it. Its counterpart is the outgoing account: the outgoing account is the one the target presents to the initiator, and the initiator verifies it.
Initiator authentication can be used without target authentication. CHAP that only requires the target to verify the initiator is also called Uni-directional Authentication, or one-way authentication (the target does the verifying).
Target authentication requires initiator authentication to be enabled at the same time; that is, initiator and target authenticate each other. This is called Bi-directional Authentication, or mutual authentication.
The iSCSI CHAP password length must be between 12 and 16 characters (though in the tests below no password exceeds 12 characters and nothing failed, so this point still needs to be verified). Spaces are legal password characters, so "I Love iSCSI" is a valid password!
3. Creating an iSCSI target and LUNs
3.1 Create the target on the target host
Follow the steps below to create a target with two LUNs.
(1) Create a target
tgtadm --lld iscsi --op new --mode target --tid 1 -T 1qn.2012-12:disk0
(2) Assign two devices, sdb and sdc, to this target
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sdb
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 2 -b /dev/sdc
(3) Set the ACL to ALL
ACL stands for Access Control List: only the IPs in this list are allowed to access this target. We set it to ALL, so by default every IP can access it; of course we could instead list specific IPs, so that only those can access it.
tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL (the last option is an uppercase letter I, not the digit 1)
(4) Look at the target we created
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
ACL information:
ALL
We can see two LUNs (LUN 0 is the controller and does not count), and Account information is empty.
4. Configuring one-way initiator authentication
To set up one-way initiator authentication, first create an account and password on the target host and bind that account to a specific target, then configure the same account and password in iscsid.conf on the initiator host.
4.1. On the target host, create the account redhat with the password redhat123
tgtadm --lld iscsi --mode account --op new --user redhat --password redhat123
4.2. On the target host, bind the account to the specified target
tgtadm --lld iscsi --mode account --op bind --tid 1 --user redhat
tgtadm --lld iscsi --mode target --op show
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
We can see that the redhat account is now bound to the target we just created.
4.3. Configure the initiator host
4.3.1. Edit iscsid.conf on the initiator host
Open the file, find CHAP Settings, enable CHAP authentication first, and then fill in the account and password. Be careful not to get them wrong.
vim /etc/iscsi/iscsid.conf # remove the leading comment character # from the relevant entries
node.session.auth.authmethod = CHAP // enable CHAP authentication
node.session.auth.username = redhat // configure the account
node.session.auth.password = redhat123 // password
4.3.2. Restart the iscsid service
/etc/init.d/iscsid restart (this does not seem to be required; if you cannot restart iscsid, check whether you are already logged in to some targets, and if so log out first)
4.3.3 Log in to the target
iscsiadm -m discovery -t sendtargets -p 192.168.10.185 (discovery must be run first)
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 -l
If the configured username or password is wrong, the login shows the following authentication error:
[root@Cherish ~]# iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --login
Logging in to [iface: default, target: 1qn.2012-12:disk0, portal: 192.168.10.185,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: 1qn.2012-12:disk0, portal: 192.168.10.185,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
Note: after changing the username/password in the config file, you must re-run discovery against the target IP before you can log in to the target with the new credentials; otherwise you get the same authentication error shown above.
5. Mutual authentication (also called mutual, bi-directional or two-way authentication)
5.1. Create the outgoing account on the target host
tgtadm --lld iscsi --op new --mode account --user out_redhat --password out_redhat123
5.2. On the target host, bind the account to the corresponding target
tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_redhat --outgoing
tgtadm --lld iscsi --mode target --op show
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
out_redhat (outgoing) // note this marker
ACL information:
ALL
5.3. Edit iscsid.conf on the initiator host
vim /etc/iscsi/iscsid.conf
node.session.auth.username_in = out_redhat
node.session.auth.password_in = out_redhat123
5.4. Log in to the target from the initiator host
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --logout
/etc/init.d/iscsid reload (not required)
iscsiadm -m discovery -t sendtargets -p 192.168.10.185 (discovery must be run again)
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --login
Note: during mutual authentication, both the incoming and the outgoing account credentials must be correct.
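The two CHAP directions described in section 2 and exercised in sections 4 and 5, as an added example that is not from the original post or from the tgt/open-iscsi projects: a Python simulation of the login exchange with both sides' messages (RFC 1994 MD5 CHAP, which iSCSI negotiates as CHAP_A=5), showing why the password itself never crosses the wire and why a wrong incoming or outgoing secret ends in an authorization failure. The account names and secrets are the page's sample values; `chap_login`, the wire trace and the `rng` hook are assumptions of this example.

```python
import hashlib
import os

# Constructed accounts mirroring the tgtadm setup on this page (sample values, not real secrets).
TARGET_INCOMING = {"redhat": b"redhat123", "chenbin": b"chenbin123"}  # initiator must prove one
TARGET_OUTGOING = ("out_redhat", b"out_redhat123")                     # target proves this one


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP with MD5 (iSCSI negotiates this as CHAP_A=5): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def chap_login(user, secret, mutual=False, user_in=None, secret_in=None, rng=os.urandom):
    """Simulate the CHAP phase of one iSCSI login (hypothetical helper, not open-iscsi code).

    Returns (ok, reason, wire); `wire` records every (sender, key, value) that would cross
    the network, so the caller can confirm that neither secret ever appears on the wire.
    """
    wire = []
    # Initiator authentication (section 2.1): the target challenges, the initiator answers.
    chap_i, chap_c = rng(1)[0], rng(16)
    wire += [("target", "CHAP_I", chap_i), ("target", "CHAP_C", chap_c)]
    chap_r = chap_response(chap_i, secret, chap_c)
    wire += [("initiator", "CHAP_N", user), ("initiator", "CHAP_R", chap_r)]
    expected = TARGET_INCOMING.get(user)
    if expected is None or chap_response(chap_i, expected, chap_c) != chap_r:
        # This is the case iscsiadm reports as error 24, "login failed due to authorization failure".
        return False, "authorization failure (incoming account)", wire
    if not mutual:
        return True, "uni-directional CHAP ok", wire
    # Target authentication (section 2.2): the initiator challenges back and the target answers
    # with its outgoing account, which the initiator checks against username_in/password_in.
    ini_i, ini_c = rng(1)[0], rng(16)
    wire += [("initiator", "CHAP_I", ini_i), ("initiator", "CHAP_C", ini_c)]
    t_user, t_secret = TARGET_OUTGOING
    t_r = chap_response(ini_i, t_secret, ini_c)
    wire += [("target", "CHAP_N", t_user), ("target", "CHAP_R", t_r)]
    if t_user != user_in or chap_response(ini_i, secret_in or b"", ini_c) != t_r:
        return False, "authorization failure (outgoing account)", wire
    return True, "bi-directional CHAP ok", wire


def secret_on_wire(wire, secret):
    """True if the raw secret shows up in any value that crossed the network."""
    return any(isinstance(v, bytes) and secret in v for _, _, v in wire)
```

Because the challenge is fresh for every login, a recorded CHAP_R is useless against the next challenge, and the only password-derived value in `wire` is an MD5 digest; CHAP authenticates the login only, the SCSI traffic after it is not protected.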
6. Binding multiple incoming accounts
6.1 Create multiple incoming and outgoing accounts for one target
(1) Create two more accounts
tgtadm --lld iscsi --mode account --op new --user chenbin --password chenbin123
tgtadm --lld iscsi --mode account --op new --user out_chenbin --password out_chenbin123
After creating them, let's see how many accounts there are:
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op show
Account list:
out_chenbin
chenbin
out_redhat
redhat
(2) Bind these two accounts to the current target
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user chenbin
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes