In testing mutual CHAP interoperation with the WSB
1500i iSCSI target from Wasabi Systems, I found that
the credential model used by the initiator does not
support all of the features of the 1500i.
The biggest issue is that the 1500i maintains
credentials on a per-node basis. So each node can have
different passwords required to log in, and each node
can have different passwords for mutual CHAP.
The linux-iscsi initiator keeps these passwords
per-portal, which will not necessarily work. Thus users
will be able to configure security settings on the
target that this initiator will not be able to access.
The UNH and Microsoft initiators have no problem
connecting to targets with these configurations.
I do agree that the common case will be that the
authentication settings from the discovery portal will
be the preferred ones to connect to a node. As such, I
propose the attached patch. With it,
PER_TARGETNAME_AUTH is always enabled. However settings
from the targetname info (the "TargetName=" stanza in
the config file) only override the settings from the
discovery portal iff they are present. Also, outbound
credentials only overwrite if present, and inbound only
overwrite if present.
Thus with this patch, the following configuration works:

TargetName=iqn.2000-05.com.wasabisystems.storagebox:sn1
OutgoingUsername=wasabiOther
OutgoingPassword=##########
IncomingUsername=Momo
IncomingPassword=XXXXXXXXXX

TargetName=iqn.2000-05.com.wasabisystems:test-3
IncomingUsername=WildOne
IncomingPassword=YYYYYYYYYY

DiscoveryAddress=10.4.0.6
OutgoingUsername=wasabi
OutgoingPassword=ZZZZZZZZZZ

The initiator logs into 10.4.0.6 and discovers
ten nodes. For the eight nodes not listed in the config
file, the initiator uses the login settings from the
portal (wasabi/ ZZZZZZZZZZ).
For the test-3 node, the initiator uses the wasabi/
ZZZZZZZZZZ info for outbound CHAP, but then it expects
WildOne/ YYYYYYYYYY for Mutual CHAP.
For the :sn1 target, the initiator uses the
wasabiOther/ ########## settings to authenticate
itself, and it uses Momo/ XXXXXXXXXX for mutual CHAP.
So I believe this change will permit the linux-iscsi
initiator to work well with the WSB 1500i target while
retaining support for the current user-friendly
configuration.
Patch to change credential handling
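
The override rule described in the message, sketched as an added example; it is not part of the original post or the attached patch. The struct and function names are hypothetical, the table is constructed from the configuration quoted above, and treating each username/password pair as a unit is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not the linux-iscsi structures. */
struct chap_creds {
    const char *out_user, *out_pass;  /* initiator authenticates to target */
    const char *in_user, *in_pass;    /* expected from target (mutual CHAP) */
};
struct target_entry { const char *name; struct chap_creds creds; };

/* Constructed sample mirroring the configuration in the message. */
static const struct chap_creds portal = { "wasabi", "ZZZZZZZZZZ", NULL, NULL };
static const struct target_entry targets[] = {
    { "iqn.2000-05.com.wasabisystems.storagebox:sn1",
      { "wasabiOther", "##########", "Momo", "XXXXXXXXXX" } },
    { "iqn.2000-05.com.wasabisystems:test-3",
      { NULL, NULL, "WildOne", "YYYYYYYYYY" } },
};

/* Start from the discovery portal's settings, then let a matching
 * TargetName stanza override each direction only if it is present. */
struct chap_creds resolve_creds(const char *target_name)
{
    struct chap_creds eff = portal;
    for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
        const struct chap_creds *t = &targets[i].creds;
        if (strcmp(targets[i].name, target_name) != 0)
            continue;
        if (t->out_user && t->out_pass) {   /* outbound pair, as a unit */
            eff.out_user = t->out_user;
            eff.out_pass = t->out_pass;
        }
        if (t->in_user && t->in_pass) {     /* inbound pair, as a unit */
            eff.in_user = t->in_user;
            eff.in_pass = t->in_pass;
        }
        break;
    }
    return eff;  /* in_user == NULL: no mutual CHAP expected for this node */
}

int main(void)
{
    struct chap_creds c = resolve_creds("iqn.2000-05.com.wasabisystems:test-3");
    printf("out=%s in=%s\n", c.out_user, c.in_user ? c.in_user : "(none)");
    return 0;
}
```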