|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: Kerb auth issue 2 - name use in kerberos
Bill,
I don't understand why Kerberos is different then the other methods
from this aspect. No mapping between iSCSI names and user names
used in the authentication methods is specified. This is left to
local users/principals administration. An administrator may decide
that iSCSI target principals in his domain are always
iscsi/<target_name>, and this should be known to initiators in that
domain. But someone may want / already has different scheme.
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
Bill Studenmund
<wrstuden@wasabis To: <ips@ece.cmu.edu>
ystems.com> cc:
Sent by: Subject: iSCSI: Kerb auth issue 2 - name use in kerberos
owner-ips@ece.cmu
.edu
19/12/2002 03:27
Sorry this took so long. The issues took some hashing out to come up with
this EMail.
One of the things that came up in doing the Kerberos implementation is
that name handling in Kerberos is different than say in CHAP. i.e. CHAPN
vs principal name behavior.
For CHAP, the initiator has its own CHAP name and secret, and in the auth
mib it has listed the CHAP name and secrets the target should provide if
we're doing mutual. The target has its own CHAP name & secret that it
offers if the initiator requests mutual, and a list of initiator CHAP
names & secrets it will accept for the initiator to authenticate itself.
Another way to get at the difference I'm talking about is the name in the
first part of a CHAP authentication (CHAPN) is a name that has everything
to do with the initiator and nothing to do with the target.
For Kerberos, things are a bit different. The initiator's credentials are
in its credential cache. For a single-sign-on situation, the credentials
are those of the user sitting at the console. In a server-type situation,
the credentials are initialized from a keytab file. The name the initiator
needs to authenticate is the name of the principal it should get a ticket
for.
i.e. the name involved has everything to do with the target, not the
initiator.
We have two options. We can either require the credential be something
determinable, like "iscsi/<target_name>" ("iscsi/iqn.xxxx-yy.com.foobar"),
or we can use the name in the auth mib entry refered to by
iscsiIntrAuthorization.
I would suggest a hybrid of the two. If iscsiIntrAuthorization has a null
name, when we authenticate with kerberos to that target, we use
"iscsi/taget_name". If there is a non-null name, we use it.
Do folks think they understand the question? And if so, does that make
sense?
For the target, the semantics of what the principal names in the
iscsiTgtAuthroization mib entries are fine, though I might suggest that a
blank principal name there would likewise mean we authorize
"iscsi/<initiator_name>".
Thoughts?
Take care,
Bill
Home Last updated: Thu Dec 19 14:18:58 2002 12091 messages in chronological order |