Hi Pau,
today I cannot sign in to Gerrit for some magic reason,
so I would like to post some notes about your change [1].

[1] https://gerrit.osmocom.org/#/c/osmo-sgsn/+/14445/

> [...] it changed the default logic for remote policy to not require
> authentication, which broke TTCN3 tests because sgsn no longer
> tries to authenticate the users.

My bad, sorry for that.

> let's enable it by default when on auth-policy remote.

ACK.

> doc/manuals/vty/sgsn_vty_reference.xml
> Allow MS to attach via GERAN without authentication
> (default and only possible value for non-remote auth-policy)

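Review bot: the parenthetical "(default and only possible value for non-remote auth-policy)" leaves the default under 'auth-policy remote' unstated, so "default" can be read as the global default. The commit message says authentication is to be enabled by default on auth-policy remote; the help text should say that explicitly, and say separately what applies to the non-remote policies.
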
Actually, no. My motivation for introducing this VTY parameter
was exactly the ability to use remote auth-policy (i.e. OsmoHLR)
to check if a subscriber is known, but not to require
authentication, just like we can do in CS-domain. In other words,
'authentication optional' should work with 'auth-policy remote'.

> src/gprs/sgsn_vty.c
> DEFUN(cfg_authentication, cfg_authentication_cmd,
> [...]
> Allow MS to attach via GERAN without authentication
> (default and only possible value for non-remote auth-policy)

Same here. It *is* possible for 'auth-policy remote' too.

> src/gprs/gprs_sgsn.c
> struct sgsn_instance *sgsn_instance_alloc(void *talloc_ctx)
> [...]
> inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED;
> /* only applies if auth_policy is REMOTE */
> inst->cfg.require_authentication = true;
> [...]

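Review bot: in sgsn_instance_alloc() the flag is set to true unconditionally while the default auth_policy is SGSN_AUTH_POLICY_CLOSED, so the comment "only applies if auth_policy is REMOTE" is a promise that only the code reading cfg.require_authentication can keep. Nothing in this hunk shows that every reader also checks auth_policy, and the stored value (true under CLOSED) contradicts the VTY help text, which calls "optional" the only possible value for non-remote policies. Either document on the field that it must be evaluated together with auth_policy, or read it through one helper that checks both.
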
Are you sure this wouldn't break non-remote auth-policy use cases?
AFAIR, the GMM layer requests authentication regardless of the
'auth-policy', so then in 'gprs/sgsn_auth.c' we conditionally
perform authentication or immediately return SGSN_AUTH_ACCEPTED.
An alternative solution is to invert 'cfg.require_authentication',
e.g. to 'cfg.omit_authentication', so by default we will require
authentication since it's initialized to false.

With best regards,
Vadim Yanitskiy.