[Openstack-security] [Bug 1329214] Re: tgtadm iscsi chap does not work

Jeremy Stanley fungi at yuggoth.org
Tue Jun 24 12:39:15 UTC 2014


Updated to a public bug, no advisory, tagged as possible security
hardening feature/improvement.

** Information type changed from Private Security to Public

** Tags added: security

** No longer affects: ossa

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1329214

Title:
  tgtadm iscsi chap does not work

Status in Cinder:
  New

Bug description:
  When using LVMISCSIDriver and iscsi_helper tgtadm, it should support chap unidirectional authentication because the target configuration file and db.volume have records of the chap user and chap passwd.
  By testing, I found that tgtadm iscsi chap does not work.
  Is it a security bug for iscsi_helper tgtadm? 

  My detailed test work is as follows.
  1. Test details without modifying the source code:
  1) Devstack all-in-one server A (10.250.10.190); another testing server B (10.250.10.191)
  2) Create a VM VM-A and a cinder volume VOLUME-A, then attach VOLUME-A to VM-A
  3) Server B directly logs in to the iscsi target that server A exports and gets VOLUME-A successfully.
      iscsiadm -m discovery -t sendtargets -p 10.250.10.190
      iscsiadm -m node -T  iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login

  2. Test details with the source code modified:
  1) Add code that creates the user/passwd and binds the user to the tid before leaving the function TgtAdm:create_iscsi_target.
          # chap_auth holds three whitespace-separated fields
          type, name, passwd = chap_auth.split()
          # create the CHAP account in tgtd
          self._execute('tgtadm',
                        '--lld',
                        'iscsi',
                        '--mode',
                        'account',
                        '--op',
                        'new',
                        '--user',
                        name,
                        '--password',
                        passwd)
          # bind the account to this target id
          self._execute('tgtadm',
                        '--lld',
                        'iscsi',
                        '--mode',
                        'account',
                        '--op',
                        'bind',
                        '--tid',
                        tid,
                        '--user',
                        name)

  2) Try to log in to VOLUME-A following the steps in item 1; it reported an authorization error as follows.
  root@devaio1:/etc/iscsi# iscsiadm -m node -T  iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login
  Logging in to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260] (multiple)
  iscsiadm: Could not login to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260].
  iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
  iscsiadm: Could not log into all portals

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1329214/+subscriptions
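
An added example, not part of the original report or of Cinder's code: a Python audit that parses the text of `tgtadm --lld iscsi --mode target --op show` and lists targets with no CHAP account bound, the condition under which the login in test 1 succeeded. The function names are hypothetical, the sample output is constructed, and its section layout is an assumption about tgt's show format.

```python
import re

# Constructed sample modelled on `tgtadm --lld iscsi --mode target --op show`
# output (layout is an assumption); IQNs and the account name are made up.
SAMPLE_SHOW_OUTPUT = """\
Target 1: iqn.2010-10.org.example:volume-aaaa
    System information:
        Driver: iscsi
    LUN information:
        LUN: 0
            Type: controller
    Account information:
    ACL information:
        ALL
Target 2: iqn.2010-10.org.example:volume-bbbb
    System information:
        Driver: iscsi
    Account information:
        chapuser1
    ACL information:
        ALL
"""

TARGET_RE = re.compile(r"^Target \d+: (\S+)$")
SECTIONS = {"Account information:": "accounts", "ACL information:": "acl"}


def audit_targets(show_output):
    """Return {iqn: {"accounts": [...], "acl": [...]}} parsed from show output."""
    targets, current, section = {}, None, None
    for line in show_output.splitlines():
        m = TARGET_RE.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            current = targets.setdefault(m.group(1), {"accounts": [], "acl": []})
            section = None
        elif current is None or not line.strip():
            continue
        elif indent == 4:  # section header inside a target block
            section = SECTIONS.get(line.strip())
        elif section:  # entry listed under an Account or ACL header
            current[section].append(line.strip())
    return targets


def targets_without_chap(show_output):
    """IQNs with no account bound, i.e. no CHAP credentials are required."""
    return sorted(iqn for iqn, t in audit_targets(show_output).items()
                  if not t["accounts"])
```

Run against output captured on the volume host, any IQN returned by `targets_without_chap` is a target that has no account binding; pair it with the parsed ACL list to see whether the initiator address is restricted instead.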



