|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: Kerb auth issue 2 - name use in kerberosBill, I don't understand why Kerberos is different then the other methods from this aspect. No mapping between iSCSI names and user names used in the authentication methods is specified. This is left to local users/principals administration. An administrator may decide that iSCSI target principals in his domain are always iscsi/<target_name>, and this should be known to initiators in that domain. But someone may want / already has different scheme. Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253 Bill Studenmund <wrstuden@wasabis To: <ips@ece.cmu.edu> ystems.com> cc: Sent by: Subject: iSCSI: Kerb auth issue 2 - name use in kerberos owner-ips@ece.cmu .edu 19/12/2002 03:27 Sorry this took so long. The issues took some hashing out to come up with this EMail. One of the things that came up in doing the Kerberos implementation is that name handling in Kerberos is different than say in CHAP. i.e. CHAPN vs principal name behavior. For CHAP, the initiator has its own CHAP name and secret, and in the auth mib it has listed the CHAP name and secrets the target should provide if we're doing mutual. The target has its own CHAP name & secret that it offers if the initiator requests mutual, and a list of initiator CHAP names & secrets it will accept for the initiator to authenticate itself. Another way to get at the difference I'm talking about is the name in the first part of a CHAP authentication (CHAPN) is a name that has everything to do with the initiator and nothing to do with the target. For Kerberos, things are a bit different. The initiator's credentials are in its credential cache. For a single-sign-on situation, the credentials are those of the user sitting at the console. In a server-type situation, the credentials are initialized from a keytab file. The name the initiator needs to authenticate is the name of the principal it should get a ticket for. i.e. the name involved has everything to do with the target, not the initiator. We have two options. We can either require the credential be something determinable, like "iscsi/<target_name>" ("iscsi/iqn.xxxx-yy.com.foobar"), or we can use the name in the auth mib entry refered to by iscsiIntrAuthorization. I would suggest a hybrid of the two. If iscsiIntrAuthorization has a null name, when we authenticate with kerberos to that target, we use "iscsi/taget_name". If there is a non-null name, we use it. Do folks think they understand the question? And if so, does that make sense? For the target, the semantics of what the principal names in the iscsiTgtAuthroization mib entries are fine, though I might suggest that a blank principal name there would likewise mean we authorize "iscsi/<initiator_name>". Thoughts? Take care, Bill
Home Last updated: Thu Dec 19 14:18:58 2002 12091 messages in chronological order |