
    RE: iSCSI: Kerb auth issue 2 - name use in kerberos



    > All the Kerberos folks I talked to said (after translating) that as the
    > canonical name in iSCSI is the node name, the principal SHOULD be
    > "iscsi/<node_name>". You should really only do something different if you
    > have a good reason. And maybe even not then.
    
    This is usually the right answer *in isolation* - CHAP is similar, in
    that using the iSCSI node name as the CHAP identity is the simplest
    and proverbial "right" thing to do in the absence of other considerations.
    In practice, the reason for allowing the authentication identity to be
    different from the node name was to make it easier to reuse/extend
    existing authentication systems (e.g., Kerberos and RADIUS servers)
    by providing a means to avoid inflicting iSCSI names on them.  FWIW,
    Bill's suggestion to use the iSCSI node name as the authentication
    principal when not otherwise explicitly specified makes
    sense to me as a reasonable default.
    
    And congratulations/thanks to Bill for getting this to work!!
    
    Thanks,
    --David
    ----------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 176 South St., Hopkinton, MA  01748
    +1 (508) 293-7953 **NEW**     FAX: +1 (508) 293-7786
    black_david@emc.com        Mobile: +1 (978) 394-7754
    ----------------------------------------------------
    



Last updated: Mon Dec 23 13:19:02 2002
12094 messages in chronological order