原创文章,欢迎转载,转载时请务必给出原文链接,谢谢!http://blog.csdn.net/sinchb/article/details/8433994#t10
一、 什么是CHAP?
Challenge-Handshake Authentication Protocol
iSCSI initiators and targets prove their identity to each other using the CHAP protocol, which includes a mechanism to prevent cleartext passwords from appearing on the wire.
二、 iSCSI支持两种级别的chap 认证:
Initiator authentication和Target authentication
2.1 Initiator 认证要求:
在initiator尝试连接到一个target的时候,initator需要提供一个用户名和密码给target供target进行认证。下面我们称这个用户名密码为incoming账号,即:incoming账号是initiator端提供给target端,供target端认证的账号。
2.2 target 认证要求:
在initiator尝试连接到一个target的时候,target需要提供一个用户名和密码给initiator供initiator进行认证。与之对应的是outcoming账号,即:outcoming账号是target端提供给initiator端,供initiator认证的账号。
Initiator认证可以在没有target 认证的时候应用,这种只要求target验证initiator的CHAP认证也称为Uni-directional Authentication,单向认证(target做验证)
target认证则要求initiator认证被同时应用才可以,也就是说,initiator和target需要相互认证,这种认证被称为Bi-directional Authentication,相互认证
iSCSI CHAP认证的密码长度必须介于12到16个字符(但是下面测试的时候字符长度都没有超过12字符,也没有问题,这个问题需要进一步求证),空格是合法的密码字符,所以”I Love iSCSI!!!!”是一个合法的密码!
三、 建立iscsi target lun
3.1在target端建立target
按照下面的步骤建立有两个lun的target
(1)创建一个target
tgtadm --lld iscsi --op new --mode target --tid 1 -T 1qn.2012-12:disk0
(2)给这个target分配两个设备sdb,sdc
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sdb
tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 2 -b /dev/sdc
(3)将ACL设置为ALL
ACL 是Access Control Lists 的缩写,访问控制列表,只有在这个列表中的ip才有权限访问本target。我们设置为ALL,默认所有ip都可以访问,当然,我们可以指定某些ip,只有这些ip才可以访问。
tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL (最后那个参数是大写字母I,不是数字1)
(4)看看我们创建的target
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
ACL information:
ALL
我们可以看到有两个lun(lun0是控制器,不算)。而Account information则为空。
四、 配置initiator单向认证
设置initiator单向认证,要现在target端新建一个账号以及密码,并把这个账号绑定到特定的target上,然后再在initiator端的iscsi.conf文件中配置这个账号和密码。
4.1.在target端创建redhat账号,密码是redhat123
tgtadm --lld iscsi --mode account --op new --user redhat --password redhat123
4.2. 在target端将账号绑定到指定的target
tgtadm --lld iscsi --mode account --op bind --tid 1 --user redhat
tgtadm --lld iscsi --mode target --op show
root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
可以看到,redhat这个账号已经绑定到我们刚刚建立的target上了。
4.3.配置initiator端
4.3.1.在initiator端配置iscsid.conf文件
打开这个文件,并找到CHAP Settings,先开启CHAP认证,然后填写账号密码。注意不要填错!!!
vim /etc/iscsi/iscsid.conf #将相关项前面的注释符#删除掉
node.session.auth.authmethod = CHAP //开启CHAP认证
node.session.auth.username = redhat //配置账号
node.session.auth.password = redhat123 //密码
4.3.2.重启iscsid服务
/etc/init.d/iscsid restart (似乎不是必要的,如果你不能重启iscsid,请查看是否已经登录到某些target了,如果是,就先logout)
4.3.3登录到target目标
iscsiadm -m discovery -t sendtargets -p 192.168.10.185(必须先discovery!!!)
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 -l
如果配置的用户名密码不正确,则登录的时候会显示如下认证错误
[root@Cherish ~]# iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --login
Logging in to [iface: default, target: 1qn.2012-12:disk0, portal: 192.168.10.185,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: 1qn.2012-12:disk0, portal: 192.168.10.185,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
注意:修改配置文件的用户名密码后,必须重新discovery目标ip之后才能用新的用户名密码login到target,否则也会提示上述认证错误。
五、 双向认证(也称为mutul认证、相互认证、双向认证)
5.1.在target端创建outgoing账号
tgtadm --lld iscsi --op new --mode account --user out_redhat --password out_redhat123
5.2. 在target端将账号绑定到相应的target
tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_redhat --outgoing
tgtadm --lld iscsi --mode target --op show
root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
out_redhat (outgoing) //注意这个标识
ACL information:
ALL
5.3.在initiator端配置iscsid.conf文件
vim /etc/iscsi/iscsid.conf
node.session.auth.username_in = out_redhat
node.session.auth.password_in = out_redhat123
5.4.在initiator端登录到target
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 --logout
/etc/init.d/iscsid reload(不是必要的)
iscsiadm -m discovery -t sendtargets -p 192.168.10.185(必须要重新discovery!!!)
iscsiadm -m node -T 1qn.2012-12:disk0 -p 192.168.10.185 –login
注意:在双向认证过程中,必须保证incoming和outgoing的账号密码都正确!!!
六、 绑定多个incoming账号
6.1为一个target创建多个incoming和outgoing账号
(1)再创建两个账号
tgtadm --lld iscsi --mode account --op new --user chenbin --password chenbin123
tgtadm --lld iscsi --mode account --op new --user out_chenbin --password out_chenbin123
创建后我们看看有几个账号了?
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op show
Account list:
out_chenbin
chenbin
out_redhat
redhat
(2)将这两个账号分别绑定到目前这个target
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user chenbin
[root@iscsiB ~]# tgt-admin --show
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
chenbin
out_redhat (outgoing)
ACL information:
ALL
再绑定一个incoming账号没有问题,我们再绑定一个outgoing账号试试
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op bind --tid 1 --user out_chenbin --outgoing
tgtadm: this target already has an outgoing account
我们会发现,tgtadm会提示,已经有一个outgoing账号。综上所述,对于一个target,可以绑定多个incoming账号,但是outgoing账号只能绑定一个。也就是说,对于不同initiator端,我们可以设置不同的incoming账号;但是所有的initiator端的outcoming账号必须是一致的。(以上结论只针对某个特定的target)
6.2.解绑定和删除账号
(1)解绑定incoming账号chenbin
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op unbind --tid 1 --user chenbin
(2)解绑定outgoing账号out_redhat
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op unbind --tid 1 --user out_redhat --outgoing
[root@iscsiB ~]# tgt-admin -s
Target 1: 1qn.2012-12:disk0
System information:
Driver: iscsi
State: ready
I_T nexus information:
LUN information:
LUN: 0
Type: controller
SCSI ID: IET 00010000
SCSI SN: beaf10
Size: 0 MB, Block size: 1
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: null
Backing store path: None
Backing store flags:
LUN: 1
Type: disk
SCSI ID: IET 00010001
SCSI SN: beaf11
Size: 10737 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdb
Backing store flags:
LUN: 2
Type: disk
SCSI ID: IET 00010002
SCSI SN: beaf12
Size: 5369 MB, Block size: 512
Online: Yes
Removable media: No
Prevent removal: No
Readonly: No
Backing store type: rdwr
Backing store path: /dev/sdc
Backing store flags:
Account information:
redhat
ACL information:
ALL
我们看到,只剩下一个账号了
(3)删除一个账号
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op delete --user chenbin
[root@iscsiB ~]# tgtadm --lld iscsi --mode account --op show
Account list:
out_chenbin
out_redhat
redhat
七、 几种特殊情况的处理
如果target端口未绑定任何账号,则initiator端无论是否开启CHAP验证,无论是否设置里用户名密码 都不会进行验证
如果target端绑定了incoming账号或者outgoing账号,则initiator端口必须开启CHAP验证,并设置好账号和密码,否则不能login
如果target端口绑定了incoming账号,没有绑定outgoing账号,但是initiator端口开启了CHAP认证,并设置了incoming和outgoing账号,则无法login(因为无法通过initiator认证。)