Authentication

Authentication may be configured for either the initiator or both the target and initiator.

CHAP Authentication

Targets may need to authenticate initiators that connect to them. The initiator supports CHAP authentication for this purpose, which requires a CHAP name and secret that is shared with the target. The initiator's CHAP name can be specified as follows:

$ sudo iscsictl modify initiator-config -CHAP-name <name>

Similarly, the CHAP shared secret can be specified using:

$ sudo iscsictl modify initiator-config -CHAP-secret

A command-line password prompt will appear that requires the user to enter and verify the shared secret. Once the CHAP name and secret have been set, the CHAP authentication mode can be enabled using the following command:

$ sudo iscsictl modify initiator-config -authentication CHAP

Similarly, the authentication can be disabled using the following command:

$ sudo iscsictl modify initiator-config -authentication None

The authentication method in use by the initiator can be verified by showing the initiator configuration:

$ iscsictl list initiator-config

Mutual CHAP

Once CHAP is enabled for initiator authentication, mutual CHAP may be used so that the initiator can authenticate a given target. As in the case of simple CHAP authentication, the CHAP user can be specified for a particular target using the following command:

$ sudo iscsictl modify target-config <target> -CHAP-name <name>

Similarly, the CHAP shared secret can be set using:

$ sudo iscsictl modify target-config <target> -CHAP-secret

Once the user and secret have been set, mutual authentication can be enabled using:

$ sudo iscsictl modify target-config <target> -authentication CHAP

Mutual CHAP will only be used if CHAP is also used for initiator authentication as described in the preceding section. The authentication method in use can be verified by showing the target configuration:

$ iscsictl list target-config <target>