OsmoSGSN: optional / mandatory authentication
Vadim Yanitskiy
axilirator at gmail.com
Fri Jun 14 04:39:01 UTC 2019
Hi Pau,
today I cannot sign in to Gerrit for some magic reason,
so I would like to post some notes about your change [1].
[1] https://gerrit.osmocom.org/#/c/osmo-sgsn/+/14445/
> [...] it changed the default logic for remote policy to not require
> authentication, which broke TTCN3 tests because sgsn no longer
> tries to authenticate the users.
My bad, sorry for that.
> let's enable it by default when on auth-policy remote.
ACK.
> doc/manuals/vty/sgsn_vty_reference.xml
> Allow MS to attach via GERAN without authentication
> (default and only possible value for non-remote auth-policy)
Actually, no. My motivation for introducing this VTY parameter
was exactly the ability to use remote auth-policy (i.e. OsmoHLR)
to check if a subscriber is known, but not to require
authentication, just like we can do in CS-domain. In other words,
'authentication optional' should work with 'auth-policy remote'.
> src/gprs/sgsn_vty.c
> DEFUN(cfg_authentication, cfg_authentication_cmd,
> [...]
> Allow MS to attach via GERAN without authentication
> (default and only possible value for non-remote auth-policy)
Same here. It *is* possible for 'auth-policy remote' too.
> src/gprs/gprs_sgsn.c
> struct sgsn_instance *sgsn_instance_alloc(void *talloc_ctx)
> [...]
> inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED;
> /* only applies if auth_policy is REMOTE */
> inst->cfg.require_authentication = true;
> [...]
Are you sure this wouldn't break non-remote auth-policy use cases?
AFAIR, the GMM layer requests authentication regardless of the
'auth-policy', so then in 'gprs/sgsn_auth.c' we conditionally
perform authentication or immediately return SGSN_AUTH_ACCEPTED.
An alternative solution is to invert 'cfg.require_authentication',
e.g. to 'cfg.omit_authentication', so by default we will require
authentication since it's initialized to false.
With best regards,
Vadim Yanitskiy.
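The difference between the two flag polarities discussed in this message, as an added example that is not part of the original e-mail and is not osmo-sgsn code. It is a simplified model: all type and function names are hypothetical, `calloc()` stands in for a zero-initializing allocator, and the rule that only the remote policy authenticates is an assumption taken from the quoted VTY text.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified model of the thread; every name here is hypothetical. */
enum policy { POLICY_CLOSED = 0, POLICY_REMOTE };
enum action { ACT_REJECT, ACT_ACCEPT, ACT_AUTHENTICATE };

/* Variant A: positive flag, safe only if every allocation sets it. */
struct cfg_a { enum policy policy; bool require_authentication; };
/* Variant B: inverted flag, the zero value already means "authenticate". */
struct cfg_b { enum policy policy; bool omit_authentication; };

/* 'known' stands for the ACL or HLR lookup result. */
static enum action decide(enum policy policy, bool known, bool do_auth)
{
    if (!known)
        return ACT_REJECT;
    /* Assumption: only the remote policy can run authentication. */
    if (policy == POLICY_REMOTE && do_auth)
        return ACT_AUTHENTICATE;
    return ACT_ACCEPT;
}

enum action decide_a(const struct cfg_a *c, bool known)
{
    return decide(c->policy, known, c->require_authentication);
}

enum action decide_b(const struct cfg_b *c, bool known)
{
    return decide(c->policy, known, !c->omit_authentication);
}

/* Zero-filled config where only the policy was set, i.e. an allocation
 * path that skipped the explicit default. Variant A fails open. */
enum action zeroed_remote_a(void)
{
    struct cfg_a *c = calloc(1, sizeof(*c));
    if (!c)
        return ACT_REJECT;
    c->policy = POLICY_REMOTE;
    enum action r = decide_a(c, true);
    free(c);
    return r;
}

/* Same situation with the inverted flag: authentication still happens. */
enum action zeroed_remote_b(void)
{
    struct cfg_b c = { .policy = POLICY_REMOTE }; /* other fields zero */
    return decide_b(&c, true);
}
```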