<p>laforge <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-sgsn/+/14194">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">osmo-sgsn: add VTY parameter to toggle authentication<br><br>It may be useful to have 'remote' authorization policy, but do not<br>require authentication in GERAN at the same time, e.g. in combination<br>with 'subscriber-create-on-demand' feature of OsmoHLR.<br><br>This change introduces a new VTY parameter similar to the one<br>that we already have in OsmoMSC:<br><br>  authentication (optional|required)<br><br>Please note that 'required' only applies if 'auth-policy' is 'remote'.<br><br>Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9<br>---<br>M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg<br>M doc/examples/osmo-sgsn/osmo-sgsn.cfg<br>M doc/manuals/vty/sgsn_vty_reference.xml<br>M src/gprs/sgsn_vty.c<br>4 files changed, 45 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg</span><br><span>index b47878a..85112f4 100644</span><br><span>--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg</span><br><span>+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg</span><br><span>@@ -10,6 +10,7 @@</span><br><span>  ggsn 0 remote-ip 127.0.0.2</span><br><span>  ggsn 0 gtp-version 1</span><br><span>  ggsn 0 echo-interval 60</span><br><span style="color: hsl(120, 100%, 40%);">+ authentication optional</span><br><span>  auth-policy accept-all</span><br><span> !</span><br><span> ns</span><br><span>diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg</span><br><span>index 263bd00..3be4d49 100644</span><br><span>--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg</span><br><span>+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg</span><br><span>@@ -10,6 +10,7 @@</span><br><span>  ggsn 0 remote-ip 127.0.0.2</span><br><span>  ggsn 0 gtp-version 1</span><br><span>  ggsn 0 echo-interval 60</span><br><span 
style="color: hsl(120, 100%, 40%);">+ authentication required</span><br><span>  auth-policy remote</span><br><span>  gsup remote-ip 127.0.0.1</span><br><span>  gsup remote-port 4222</span><br><span>diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml</span><br><span>index 7619215..ed11777 100644</span><br><span>--- a/doc/manuals/vty/sgsn_vty_reference.xml</span><br><span>+++ b/doc/manuals/vty/sgsn_vty_reference.xml</span><br><span>@@ -2230,6 +2230,13 @@</span><br><span>         <param name='remote' doc='Use remote subscription data only (HLR)' /></span><br><span>       </params></span><br><span>     </command></span><br><span style="color: hsl(120, 100%, 40%);">+    <command id='authentication (optional|required)'></span><br><span style="color: hsl(120, 100%, 40%);">+      <params></span><br><span style="color: hsl(120, 100%, 40%);">+        <param name='authentication' doc='Whether to enforce MS authentication in GERAN' /></span><br><span style="color: hsl(120, 100%, 40%);">+        <param name='optional' doc='Allow MS to attach via GERAN without authentication' /></span><br><span style="color: hsl(120, 100%, 40%);">+        <param name='required' doc='Always require authentication' /></span><br><span style="color: hsl(120, 100%, 40%);">+      </params></span><br><span style="color: hsl(120, 100%, 40%);">+    </command></span><br><span>     <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'></span><br><span>       <params></span><br><span>         <param name='encryption' doc='Set encryption algorithm for SGSN' /></span><br><span>diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c</span><br><span>index 6389d92..29c9771 100644</span><br><span>--- a/src/gprs/sgsn_vty.c</span><br><span>+++ b/src/gprs/sgsn_vty.c</span><br><span>@@ -211,6 +211,8 @@</span><br><span>     if (g_cfg->gsup_server_port)</span><br><span>              vty_out(vty, " gsup remote-port %d%s",</span><br><span>                     g_cfg->gsup_server_port, 
VTY_NEWLINE);</span><br><span style="color: hsl(120, 100%, 40%);">+     vty_out(vty, " authentication %s%s",</span><br><span style="color: hsl(120, 100%, 40%);">+                g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE);</span><br><span>        vty_out(vty, " auth-policy %s%s",</span><br><span>          get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),</span><br><span>                 VTY_NEWLINE);</span><br><span>@@ -693,6 +695,27 @@</span><br><span>         return CMD_SUCCESS;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+DEFUN(cfg_authentication, cfg_authentication_cmd,</span><br><span style="color: hsl(120, 100%, 40%);">+      "authentication (optional|required)",</span><br><span style="color: hsl(120, 100%, 40%);">+      "Whether to enforce MS authentication in GERAN\n"</span><br><span style="color: hsl(120, 100%, 40%);">+      "Allow MS to attach via GERAN without authentication\n"</span><br><span style="color: hsl(120, 100%, 40%);">+      "Always require authentication\n")</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+     int required = (argv[0][0] == 'r');</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vty->type != VTY_FILE) {</span><br><span style="color: hsl(120, 100%, 40%);">+               if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {</span><br><span style="color: hsl(120, 100%, 40%);">+                   vty_out(vty, "%% Authentication is not possible without HLR, "</span><br><span style="color: hsl(120, 100%, 40%);">+                                   "consider setting 'auth-policy' to 'remote'%s",</span><br><span style="color: hsl(120, 100%, 40%);">+                                     VTY_NEWLINE);</span><br><span style="color: hsl(120, 100%, 40%);">+                    return CMD_WARNING;</span><br><span style="color: 
hsl(120, 100%, 40%);">+           }</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   g_cfg->require_authentication = required;</span><br><span style="color: hsl(120, 100%, 40%);">+  return CMD_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,</span><br><span>      "auth-policy (accept-all|closed|acl-only|remote)",</span><br><span>         "Configure the Authorization policy of the SGSN. This setting determines which subscribers are"</span><br><span>@@ -705,9 +728,12 @@</span><br><span>     int val = get_string_value(sgsn_auth_pol_strs, argv[0]);</span><br><span>     OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);</span><br><span>   g_cfg->auth_policy = val;</span><br><span style="color: hsl(0, 100%, 40%);">-    g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);</span><br><span>         g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+     /* Authentication is not possible without HLR */</span><br><span style="color: hsl(120, 100%, 40%);">+      if (val != SGSN_AUTH_POLICY_REMOTE)</span><br><span style="color: hsl(120, 100%, 40%);">+           g_cfg->require_authentication = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>      return CMD_SUCCESS;</span><br><span> }</span><br><span> </span><br><span>@@ -1391,6 +1417,7 @@</span><br><span>         install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd);</span><br><span>      install_element(SGSN_NODE, &cfg_imsi_acl_cmd);</span><br><span>   install_element(SGSN_NODE, &cfg_auth_policy_cmd);</span><br><span style="color: hsl(120, 100%, 40%);">+ install_element(SGSN_NODE, &cfg_authentication_cmd);</span><br><span>     
install_element(SGSN_NODE, &cfg_encrypt_cmd);</span><br><span>    install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd);</span><br><span>      install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd);</span><br><span>@@ -1462,6 +1489,14 @@</span><br><span>            return rc;</span><br><span>   }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE</span><br><span style="color: hsl(120, 100%, 40%);">+      && g_cfg->require_authentication) {</span><br><span style="color: hsl(120, 100%, 40%);">+            fprintf(stderr, "Configuration error:"</span><br><span style="color: hsl(120, 100%, 40%);">+                      " authentication is not possible without HLR."</span><br><span style="color: hsl(120, 100%, 40%);">+                      " Consider setting 'auth-policy' to 'remote'\n");</span><br><span style="color: hsl(120, 100%, 40%);">+           return -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+       }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE</span><br><span>             && !(g_cfg->gsup_server_addr.sin_addr.s_addr</span><br><span>           && g_cfg->gsup_server_port)) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-sgsn/+/14194">change 14194</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-sgsn/+/14194"/><meta itemprop="name" content="View Change"/></div></div>
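<p>Review bot: In the cfg_authentication hunk of src/gprs/sgsn_vty.c, the help string "Always require authentication" for 'required' promises more than the command delivers: the commit message says 'required' only applies if 'auth-policy' is 'remote', and the first help line limits the setting to GERAN. Suggest wording such as "Require authentication (only effective with 'auth-policy remote')" here and in the matching entry added to sgsn_vty_reference.xml. Separately, the test argv[0][0] == 'r' is correct for the two current keywords, but a strcmp against "required" would keep working if another keyword is added later.</p>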
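<p>Review bot: Removing the require_authentication assignment from cfg_auth_policy silently changes what an existing 'auth-policy remote' configuration does. Before this hunk, 'remote' implied authentication; afterwards nothing in the visible hunks sets the flag except an explicit 'authentication required' line. A deployed configuration that has 'auth-policy remote' and no 'authentication' line would therefore stop authenticating subscribers after the upgrade, unless the flag is initialised to required somewhere outside this diff. Suggest either keeping 'required' as the implied default when the policy is 'remote', or stating the behaviour change in the commit message and the manual.</p>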
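<p>Review bot: The new "Configuration error" check in the last hunk of src/gprs/sgsn_vty.c cannot fire for a file that lists 'authentication required' before 'auth-policy', which is the order the vty_out hunk writes them and the order used in both example files. In that order cfg_auth_policy runs second and clears require_authentication for any non-remote policy, so the mismatch is silently downgraded to 'optional' instead of being rejected; with the two lines swapped, the same configuration fails with -EINVAL. Suggest skipping the reset in cfg_auth_policy while vty->type is VTY_FILE, as cfg_authentication already does for its own check, so that the end-of-parse check decides in both orders.</p>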

<div style="display:none"> Gerrit-Project: osmo-sgsn </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9 </div>
<div style="display:none"> Gerrit-Change-Number: 14194 </div>
<div style="display:none"> Gerrit-PatchSet: 4 </div>
<div style="display:none"> Gerrit-Owner: fixeria <axilirator@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: fixeria <axilirator@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: lynxis lazus <lynxis@fe80.eu> </div>
<div style="display:none"> Gerrit-CC: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>