on 12:34 Tue 15 Feb, Mike Christie ([email protected]) wrote:
> On 02/15/2011 04:46 AM, Ulrich Windl wrote:
> >Hi!
> >
> >Among the most difficult parts of iSCSI configuration with authentication is 
> >picking the correct username and passwords: I never know which is used when. 
> >Any docs?
> >
> >When debugging discovery, I see:
> >
> >[...]
> >iscsiadm: finished reading login PDU, 48 hdr, 0 ah, 62 data, 2 pad
> >iscsiadm: login current stage 0, next stage 0, transit 0x0
> >iscsiadm:>     CHAP_A=5
> >iscsiadm:>     CHAP_I=209
> >iscsiadm:>     CHAP_C=0x2f5ce6f651bc80352a0219793881f1ed
> >iscsiadm: login response status 0000
> >iscsiadm: sending login PDU with current stage 0, next stage 1, transit 
> >0x80, isid 0x00023d000000 exp_statsn 2
> >iscsiadm:>     CHAP_N=
> >iscsiadm:>     CHAP_R=0x994506d0232ee6b3e227bdcf285236ec
> >iscsiadm: wrote 48 bytes of PDU header
> >iscsiadm: wrote 52 bytes of PDU data
> >iscsiadm: read 48 bytes of PDU header
> >iscsiadm: read 48 PDU header bytes, opcode 0x23, dlength 0, data 0x63fdd0, 
> >max 32768
> >iscsiadm: login response status 0201
> >iscsiadm: Login failed to authenticate with target
> >[...]
> >
> >It's not obvious which of the many configurable usernames and passwords are 
> >used for computing the CHAP response. Can debugging be improved here?
> >
> 
> You mean you want to know if the username/password vs
> username_in/password_in failed? I just updated iscsiadm so it now
> prints out that the chap failed vs some other login problem (old
> code always just said it was some sort of login error but did not
> say what kind). I can modify it so it further distinguishes which
> chap set failed. Let me know if you wanted something else.

Note that login failures which distinguish between "bad password" and
"unknown user" are an information disclosure risk.

My understanding is that best practices would be to distinguish "invalid
user or password" from other login failures (e.g.: unable to connect to
host, invalid protocol, other network/communications failure).

You don't want to be handing out a list of valid/invalid usernames,
though, in general.

-- 
Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!
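
The distinction drawn in this reply, as an added example that is not part of the original message or of open-iscsi's code: a target-side check for CHAP_A=5 (MD5, RFC 1994) that returns one failure result whether CHAP_N is unknown or CHAP_R is wrong. The credential store, the initiator name, the secret and the helper names (`chap_md5_response`, `parse_hex`, `verify`) are constructed for illustration; CHAP_I and CHAP_C are the values from the debug output quoted above.

```python
import hashlib
import hmac
import os

# Constructed credential store (hypothetical name and secret).
SECRETS = {"iqn.2011-02.example:initiator1": b"constructed-secret-01"}

# Random per-process secret used when the name is unknown, so the same
# hashing and comparison work is done whether or not the user exists.
_DUMMY_SECRET = os.urandom(16)

OK = "ok"
AUTH_FAILED = "invalid user or password"  # one result for both causes


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (CHAP_A=5): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def parse_hex(value: str) -> bytes:
    """Decode a 0x-prefixed value as printed for CHAP_C and CHAP_R."""
    if not value.lower().startswith("0x"):
        raise ValueError("expected 0x-prefixed hex")
    return bytes.fromhex(value[2:])


def verify(name: str, ident: int, challenge: bytes, response: bytes) -> str:
    """Return OK or AUTH_FAILED without revealing which check failed."""
    secret = SECRETS.get(name)
    known = secret is not None
    expected = chap_md5_response(
        ident, secret if known else _DUMMY_SECRET, challenge)
    # Constant-time comparison, performed for known and unknown names alike.
    match = hmac.compare_digest(expected, response)
    return OK if (known and match) else AUTH_FAILED


if __name__ == "__main__":
    chal = parse_hex("0x2f5ce6f651bc80352a0219793881f1ed")  # CHAP_C from the log
    resp = parse_hex("0x994506d0232ee6b3e227bdcf285236ec")  # CHAP_R from the log
    # Empty CHAP_N (as in the log) and a wrong response for a known name
    # produce the same result.
    print(verify("", 209, chal, resp))
    print(verify("iqn.2011-02.example:initiator1", 209, chal, resp))
```

Transport and protocol errors would be reported separately from `AUTH_FAILED`; only the two credential causes are merged.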
