[gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?

Kevin Tran ktran at broadcom.com
Wed Mar 17 06:08:00 EDT 2010


Current code only handles challenge response that is string of hex numbers that started with either "0x". The challenge sent back by this target is in base64 format. I think we need to add base64 (per RFC 3720) format support in order to solve this problem. The description of this format is in RFC 3720:

  base64-constant: base64 constant encoded as a string that starts
       with "0b" or "0B" followed by 1 or more digits or letters or plus
       or slash or equal.  The encoding is done according to [RFC2045]
       and each character, except equal, represents a base64 digit or a
       6-bit binary string.  Base64-constants are used to encode
       numerical-values or binary strings.  When used to encode
       numerical values, the excessive use of leading 0 digits (encoded
       as A) is discouraged.  The string following 0B (or 0b) represents
       a base64 number that starts with the most significant base64
       digit, followed by all other digits in decreasing order of
       significance and ending with the least-significant base64 digit;
       the least significant base64 digit may be optionally followed by
       pad digits (encoded as equal) that are not considered as part of
       the number.  When used to encode binary strings, base64-constants
       have an implicit
       byte-length that includes six bits for every character of the
       constant, excluding trailing equals (i.e., a base64-constant of n
       base64 characters excluding the trailing equals has a byte-length
       of ((the integer part of) (n*3/4)).  Correctly encoded base64
       strings cannot have n values of 1, 5 ... k*4+1.

This support is already in Open-ISCSI Initiator.

static int
acl_text_to_data(const char *text, unsigned char *data,
            unsigned int *data_length)
{
     int status;
     unsigned int text_length;

     status = acl_chk_string(text, 2 + 2 * AUTH_LARGE_BINARY_MAX_LEN + 1,
                     &text_length);
     if (status)
           return status;

     if (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) {
           /* skip prefix */
           text += 2;
           text_length -= 2;
           status = acl_hex_to_data(text, text_length, data, data_length);
     } else if (text[0] == '0' && (text[1] == 'b' || text[1] == 'B')) {
           /* skip prefix */
           text += 2;
           text_length -= 2;
           status = acl_base64_to_data(text, data, data_length);
     } else
           status = 1;     /* prefix not recognized. */

     return status;
}


So my initial proposed fix WILL not work.  Sorry...

Regards,

Kevin

From: Kevin Tran
Sent: Wednesday, March 17, 2010 1:59 AM
To: 'lsq726'
Cc: 'gpxe at etherboot.org'
Subject: RE: Re:Re: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?

Hi,
I was looking at the network trace  that was captured between the MSFT iSCSI initiator and iSCSI target.   That explains everything work correctly. :)

LSQ726 sent me another trace (88888..).  I looked at the trace and the iSCSI code and I think I know what the problem is.


1.       gPXE sent out iSCSI login command with CHAP_A=5.


2.       iSCSI target sent back iSCSI response with CHAP_A,CHAP_I, and CHAP_C


3.       CHAP processing code rejected the challenge because it didn't start with "0x".

static int iscsi_handle_chap_c_value ( struct iscsi_session *iscsi,
                            const char *value ) {
     char buf[3];
     char *endp;
     uint8_t byte;
     unsigned int i;

     /* Check and strip leading "0x" */
     if ( ( value[0] != '0' ) || ( value[1] != 'x' ) ) {
           DBGC ( iscsi, "iSCSI %p saw invalid CHAP challenge \"%s\"\n",
                  iscsi, value );
           return -EPROTO;
     }
     value += 2;

I don't think there is such a requirement.  If it starts with "0x", then it should skip two bytes.  I can double-check the specs tomorrow.  For now, can you recompile the code with the following changes:

/* Check and strip leading "0x" */
     if ( ( value[0] == '0' ) && ( (value[1] == 'x') || (value[1] == 'X') ) ) {

          value += 2;
      }

Regards,

Kevin

From: Kevin Tran
Sent: Tuesday, March 16, 2010 11:32 PM
To: 'lsq726'
Cc: gpxe at etherboot.org
Subject: RE: Re:Re: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?

You need to check your configuration.  Based on the network trace, the response to "Read Capacity10" was 1GB.


From: lsq726 [mailto:lsq726 at 163.com]
Sent: Tuesday, March 16, 2010 11:25 PM
To: Kevin Tran
Subject: Re:Re: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?

HI,
The partition is 10GB
PLEASE GPXE.RAR



On 2010-03-17 14:09:01, "Kevin Tran" <ktran at broadcom.com> wrote:

Hi,

I looked at the network trace briefly and I didn't see anything obviously wrong.



1. gPXE did login to the iSCSI target successfully with CHAP authentication (one-way).

2. The partition is only 1Gbyte and the partition is NTFS based on the MBR and Disk Inquiry response.



3. There were a lot of READ/WRITE IO's from the initiator after login.

4. The last operations were iSCSI logout and then TCP connection was closed.



In normal Win2k3/Win2K8 or Linux iSCSI boot, gPXE passes iSCSI parameters + CHAP information to the OS initiator via iBFT.  OS initiator then does iSCSI login again with the iSCSI target.  I didn't see such operations.  In addition, Windows partition is normally 5GB to 15GB which depends on the flavor of the OS and user's setup.



What are you trying to boot?



Regards!



Kevin





-----Original Message-----
From: gpxe-bounces at etherboot.org [mailto:gpxe-bounces at etherboot.org] On Behalf Of Marty Connor
Sent: Tuesday, March 16, 2010 9:58 PM
To: gpxe at etherboot.org
Subject: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?



Forwarding.  Perhaps this will be helpful in debugging this issue.



-------- Original Message --------

Subject: Re:Re: [gPXE] why?username and password is right ,but can't boot?

Date: Wed, 17 Mar 2010 09:43:12 +0800 (CST)

From: lsq726 <lsq726 at 163.com>

To: Marty Connor <mdc at etherboot.org>



SERVER ISCSI STARWIND 'S TWO LOG FILE







2010-03-17 09:17:06 "Marty Connor" <mdc at etherboot.org>

>lsq726 wrote on 3/16/10 8:30 PM:

>> why?username and password is right ,but can't boot?

>> please see photo

>

>I also notice that you are getting a _lot_ of RXE (Receive Errors)

>

>It looks a lot like you may have some sort of network configuration error.

>

>And could you turn on CONSOLE_SERIAL and paste text instead of sending

>pictures?

>

>If your setup boots when there is no password, then it could easily

>be some arcane Windows security policy issue.

>

>Getting Windows to log in detail what it doesn't like and why it is

>rejecting the connection will probably help a lot.  Perhaps the server

>is even already logging and you just need to look into it.

>

>A quick web search suggests that there is a lot of information out there

>dealing with Windows iSCSI CHAP authentication on the server side.

>

>/ Marty /

>

>


