>>> "Dr. Ed Morbius" <[email protected]> wrote on 16.02.2011 at 19:53 in message <[email protected]>:
> on 12:34 Tue 15 Feb, Mike Christie ([email protected]) wrote:
> > On 02/15/2011 04:46 AM, Ulrich Windl wrote:
> > > Hi!
> > >
> > > Among the most difficult parts of iSCSI configuration with authentication is picking the correct usernames and passwords: I never know which is used when. Any docs?
> > >
> > > When debugging discovery, I see:
> > >
> > > [...]
> > > iscsiadm: finished reading login PDU, 48 hdr, 0 ah, 62 data, 2 pad
> > > iscsiadm: login current stage 0, next stage 0, transit 0x0
> > > iscsiadm:> CHAP_A=5
> > > iscsiadm:> CHAP_I=209
> > > iscsiadm:> CHAP_C=0x2f5ce6f651bc80352a0219793881f1ed
> > > iscsiadm: login response status 0000
> > > iscsiadm: sending login PDU with current stage 0, next stage 1, transit 0x80, isid 0x00023d000000 exp_statsn 2
> > > iscsiadm:> CHAP_N=
> > > iscsiadm:> CHAP_R=0x994506d0232ee6b3e227bdcf285236ec
> > > iscsiadm: wrote 48 bytes of PDU header
> > > iscsiadm: wrote 52 bytes of PDU data
> > > iscsiadm: read 48 bytes of PDU header
> > > iscsiadm: read 48 PDU header bytes, opcode 0x23, dlength 0, data 0x63fdd0, max 32768
> > > iscsiadm: login response status 0201
> > > iscsiadm: Login failed to authenticate with target
> > > [...]
> > >
> > > It's not obvious which of the many configurable usernames and passwords are used for computing the CHAP response. Can debugging be improved here?
> > >
> >
> > You mean you want to know if the username/password vs username_in/password_in failed? I just updated iscsiadm so it now prints out that the chap failed vs some other login problem (old code always just said it was some sort of login error but did not say what kind). I can modify it so it further distinguishes which chap set failed. Let me know if you wanted something else.
>
> Note that login failures which distinguish between "bad password" and "unknown user" are an information disclosure risk.
>
> My understanding is that best practices would be to distinguish "invalid user or password" from other login failures (e.g.: unable to connect to host, invalid protocol, other network/communications failure).
>
> You don't want to be handing out a list of valid/invalid usernames, though, in general.
The bigger problem is that people won't use authentication at all if they don't manage to get it going. Also, the user I'm talking about for tests has the ability to read the secrets right from the configuration files, so there is no information leak. Anyway, if we talk about the client's abilities to allow for a password attack, the user can use any client to do that. Despite that, having a password of about 60 bits of randomness is probably strong enough, whether an attacker may know the username or not.

Regards,
Ulrich
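The CHAP exchange visible in the quoted iscsiadm trace, worked through as an added example (this is not code from open-iscsi or from anyone in the thread). CHAP_A=5 selects MD5, so the response is CHAP_R = MD5(CHAP_I as one octet || secret || CHAP_C) per RFC 1994 / RFC 7143. Which configured pair feeds that computation depends on the direction: the initiator answers the target's challenge with node.session.auth.username / node.session.auth.password, and with mutual CHAP it checks the target's answer to its own challenge against node.session.auth.username_in / node.session.auth.password_in. The iSCSI names, secrets and the challenge values below are constructed for the example; the `ChapPeer`, `login` and `build_peers` names are the example's own.

```python
"""Added example, not code from open-iscsi or from anyone in this thread.

CHAP_A=5 in the quoted login PDU selects MD5, so per RFC 1994 / RFC 7143:
    CHAP_R = MD5( CHAP_I as one octet || secret || CHAP_C )
Direction decides which configured pair is used (open-iscsi key names in
iscsid.conf): the initiator answers the target's challenge with
node.session.auth.username / node.session.auth.password; with mutual CHAP
the initiator then challenges the target and checks the reply against
node.session.auth.username_in / node.session.auth.password_in.
Every name and secret below is constructed for the example.
"""
import hashlib
import hmac
import secrets


def chap_response(chap_i: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for CHAP_A=5 (MD5): digest over identifier, secret, challenge."""
    if not 0 <= chap_i <= 255:
        raise ValueError("CHAP_I must fit in one octet")
    return hashlib.md5(bytes([chap_i]) + secret + challenge).digest()


def to_hex(b: bytes) -> str:
    """iSCSI text-key encoding of a binary value, as in CHAP_C=0x2f5c..."""
    return "0x" + b.hex()


def from_hex(s: str) -> bytes:
    """Parse the 0x form; the base64 (0b) form the RFC also allows is omitted."""
    if not s.lower().startswith("0x"):
        raise ValueError("only hex-encoded CHAP values are handled here")
    return bytes.fromhex(s[2:])


class ChapPeer:
    """One side of the login: the names it accepts with their secrets, plus the
    name and secret it presents when it is the side being challenged."""

    def __init__(self, accepted: dict, own_name: str, own_secret: bytes):
        self.accepted = accepted        # CHAP_N -> secret this side verifies against
        self.own_name = own_name
        self.own_secret = own_secret

    def challenge(self):
        """Produce CHAP_I and CHAP_C in the form they appear in the login PDU."""
        return secrets.randbelow(256), to_hex(secrets.token_bytes(16))

    def answer(self, chap_i: int, chap_c: str):
        """Reply to a challenge with CHAP_N and CHAP_R from this side's own pair."""
        r = chap_response(chap_i, self.own_secret, from_hex(chap_c))
        return self.own_name, to_hex(r)

    def verify(self, chap_i: int, chap_c: str, chap_n: str, chap_r: str) -> bool:
        """Unknown name and wrong response both return False after the same
        work, so the verdict alone does not say whether the name exists."""
        secret = self.accepted.get(chap_n)
        expected = chap_response(chap_i, secret or b"", from_hex(chap_c))
        matches = hmac.compare_digest(expected, from_hex(chap_r))
        return matches and secret is not None


def login(initiator: ChapPeer, target: ChapPeer, mutual: bool) -> str:
    """Run the security-negotiation stage and report which check failed.
    A target-side rejection is what iscsiadm logs as response status 0201
    (Status-Class 0x02 initiator error, Status-Detail 0x01 authentication failure)."""
    i, c = target.challenge()                   # target -> initiator: CHAP_I, CHAP_C
    n, r = initiator.answer(i, c)               # initiator -> target: CHAP_N, CHAP_R
    if not target.verify(i, c, n, r):
        return "0201: target rejected initiator's CHAP_R"
    if mutual:
        i2, c2 = initiator.challenge()          # initiator -> target: its own challenge
        n2, r2 = target.answer(i2, c2)
        if not initiator.verify(i2, c2, n2, r2):
            return "initiator rejected target's CHAP_R"
    return "0000: authenticated"


def build_peers(initiator_answers_with_in_secret: bool = False):
    """Constructed credentials standing in for iscsid.conf entries.
    The flag reproduces the mix-up the thread asks about: the initiator
    answering the target's challenge with password_in instead of password."""
    init_name, init_secret = "iqn.2011-02.example:initiator", b"outgoing-secret-example"
    tgt_name, tgt_secret = "iqn.2011-02.example:target", b"incoming-secret-example"
    initiator = ChapPeer(
        accepted={tgt_name: tgt_secret},            # username_in / password_in
        own_name=init_name,                         # username / password
        own_secret=tgt_secret if initiator_answers_with_in_secret else init_secret,
    )
    target = ChapPeer(accepted={init_name: init_secret}, own_name=tgt_name, own_secret=tgt_secret)
    return initiator, target


if __name__ == "__main__":
    print(login(*build_peers(), mutual=True))
    print(login(*build_peers(initiator_answers_with_in_secret=True), mutual=False))
```

Running `login` with the flag set reproduces the trace's outcome: the initiator computes a syntactically valid CHAP_R from the wrong secret and the target answers with status 0201. `verify` is written so that an unknown CHAP_N and a wrong CHAP_R take the same path and return the same result, which is the property Ed's remark about user enumeration asks for; whether a local debug message on the initiator should then say more is the separate question the thread is about.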
