<p>Vadim Yanitskiy has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/14194">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">osmo-sgsn: add VTY parameter to toggle authentication<br><br>It may be useful to have 'remote' authorization policy, but do not<br>require authentication in GERAN at the same time, e.g. in combination<br>with 'subscriber-create-on-demand' feature of OsmoHLR.<br><br>This change introduces a new VTY parameter similar to the one<br>that we already have in OsmoMSC:<br><br>  authentication (optional|required)<br><br>Please note that 'required' only applies if 'auth-policy' is 'remote'.<br><br>Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9<br>---<br>M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg<br>M doc/examples/osmo-sgsn/osmo-sgsn.cfg<br>M src/gprs/sgsn_vty.c<br>3 files changed, 37 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/94/14194/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg</span><br><span>index b47878a..85112f4 100644</span><br><span>--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg</span><br><span>+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg</span><br><span>@@ -10,6 +10,7 @@</span><br><span>  ggsn 0 remote-ip 127.0.0.2</span><br><span>  ggsn 0 gtp-version 1</span><br><span>  ggsn 0 echo-interval 60</span><br><span style="color: hsl(120, 100%, 40%);">+ authentication optional</span><br><span>  auth-policy accept-all</span><br><span> !</span><br><span> ns</span><br><span>diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg</span><br><span>index 263bd00..3be4d49 100644</span><br><span>--- 
a/doc/examples/osmo-sgsn/osmo-sgsn.cfg</span><br><span>+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg</span><br><span>@@ -10,6 +10,7 @@</span><br><span>  ggsn 0 remote-ip 127.0.0.2</span><br><span>  ggsn 0 gtp-version 1</span><br><span>  ggsn 0 echo-interval 60</span><br><span style="color: hsl(120, 100%, 40%);">+ authentication required</span><br><span>  auth-policy remote</span><br><span>  gsup remote-ip 127.0.0.1</span><br><span>  gsup remote-port 4222</span><br><span>diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c</span><br><span>index c01de3b..ad2c809 100644</span><br><span>--- a/src/gprs/sgsn_vty.c</span><br><span>+++ b/src/gprs/sgsn_vty.c</span><br><span>@@ -211,6 +211,8 @@</span><br><span>         if (g_cfg->gsup_server_port)</span><br><span>              vty_out(vty, " gsup remote-port %d%s",</span><br><span>                     g_cfg->gsup_server_port, VTY_NEWLINE);</span><br><span style="color: hsl(120, 100%, 40%);">+     vty_out(vty, " authentication %s%s",</span><br><span style="color: hsl(120, 100%, 40%);">+                gsmnet->authentication_required ? 
"required" : "optional", VTY_NEWLINE);</span><br><span>      vty_out(vty, " auth-policy %s%s",</span><br><span>          get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),</span><br><span>                 VTY_NEWLINE);</span><br><span>@@ -693,6 +695,27 @@</span><br><span>         return CMD_SUCCESS;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+DEFUN(cfg_authentication, cfg_authentication_cmd,</span><br><span style="color: hsl(120, 100%, 40%);">+      "authentication (optional|required)",</span><br><span style="color: hsl(120, 100%, 40%);">+      "Whether to enforce MS authentication in GERAN\n"</span><br><span style="color: hsl(120, 100%, 40%);">+      "Allow MS to attach via GERAN without authentication\n"</span><br><span style="color: hsl(120, 100%, 40%);">+      "Always require authentication\n")</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+     int required = (argv[0][0] == 'r');</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vty->type != VTY_FILE) {</span><br><span style="color: hsl(120, 100%, 40%);">+               if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {</span><br><span style="color: hsl(120, 100%, 40%);">+                   vty_out(vty, "Authentication is not possible without HLR, "</span><br><span style="color: hsl(120, 100%, 40%);">+                              "consider setting 'auth-policy' to 'remote'%s",</span><br><span style="color: hsl(120, 100%, 40%);">+                                     VTY_NEWLINE);</span><br><span style="color: hsl(120, 100%, 40%);">+                    return CMD_WARNING;</span><br><span style="color: hsl(120, 100%, 40%);">+           }</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   
g_cfg->require_authentication = required;</span><br><span style="color: hsl(120, 100%, 40%);">+  return CMD_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,</span><br><span>      "auth-policy (accept-all|closed|acl-only|remote)",</span><br><span>         "Configure the Authorization policy of the SGSN. This setting determines which subscribers are"</span><br><span>@@ -705,9 +728,12 @@</span><br><span>     int val = get_string_value(sgsn_auth_pol_strs, argv[0]);</span><br><span>     OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);</span><br><span>   g_cfg->auth_policy = val;</span><br><span style="color: hsl(0, 100%, 40%);">-    g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);</span><br><span>         g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+     /* Authentication is not possible without HLR */</span><br><span style="color: hsl(120, 100%, 40%);">+      if (val != SGSN_AUTH_POLICY_REMOTE)</span><br><span style="color: hsl(120, 100%, 40%);">+           g_cfg->require_authentication = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>      return CMD_SUCCESS;</span><br><span> }</span><br><span> </span><br><span>@@ -1462,6 +1488,14 @@</span><br><span>                return rc;</span><br><span>   }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE</span><br><span style="color: hsl(120, 100%, 40%);">+      && g_cfg->require_authentication) {</span><br><span style="color: hsl(120, 100%, 40%);">+            fprintf(stderr, "Configuration error:"</span><br><span style="color: hsl(120, 100%, 40%);">+                      " authentication is not possible without HLR."</span><br><span style="color: hsl(120, 100%, 
40%);">+                      " Consider setting 'auth-policy' to 'remote'\n");</span><br><span style="color: hsl(120, 100%, 40%);">+           return -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+       }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE</span><br><span>             && !(g_cfg->gsup_server_addr.sin_addr.s_addr</span><br><span>           && g_cfg->gsup_server_port)) {</span><br><span></span><br></pre>
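<p>Review bot: the config writer in src/gprs/sgsn_vty.c (hunk @@ -211,6 +211,8 @@) reads gsmnet->authentication_required, while every other hunk in this patch stores the setting in g_cfg->require_authentication and no gsmnet appears in the surrounding context lines. This looks like a leftover from the OsmoMSC command the commit message refers to. Suggest printing g_cfg->require_authentication ? "required" : "optional" so that the written configuration reflects the value that is actually enforced.</p>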
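<p>Review bot: cfg_authentication_cmd is defined in the @@ -693,6 +695,27 @@ hunk of src/gprs/sgsn_vty.c but is never registered. The 37 insertions in the diffstat are fully accounted for by the visible hunks, and none of them adds an install_element() call for the new command. Without it, the 'authentication' lines added to both example configs will not be accepted by the parser. Please add the registration next to the one for cfg_auth_policy_cmd.</p>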
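<p>Review bot: removing g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE); from cfg_auth_policy (hunk @@ -705,9 +728,12 @@) changes what existing configurations mean. A file with 'auth-policy remote' and no 'authentication' line used to enforce authentication and now gets whatever the default of require_authentication is, which this patch does not set. To avoid silently dropping authentication on upgrade, either default the flag to required when the policy is 'remote' and no explicit 'authentication' line was given, or state the new default and the behaviour change in the commit message and the manual.</p>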
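<p>Review bot: the startup check added in the @@ -1462,6 +1488,14 @@ hunk only fires when 'authentication required' is parsed after a non-remote 'auth-policy', because cfg_auth_policy now clears require_authentication for every non-remote policy. With the ordering used in the example configs and by the config writer ('authentication' first), 'authentication required' followed by 'auth-policy accept-all' loads without any error and runs unauthenticated. Suggest keeping the requested value as parsed and doing the consistency check once here, after the whole file has been read, instead of zeroing the flag in the auth-policy handler.</p>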

<div style="display:none"> Gerrit-Project: osmo-sgsn </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9 </div>
<div style="display:none"> Gerrit-Change-Number: 14194 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Vadim Yanitskiy <axilirator@gmail.com> </div>