This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
laforge gerrit-no-reply at lists.osmocom.orglaforge has submitted this change and it was merged. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 ) Change subject: osmo-sgsn: add VTY parameter to toggle authentication ...................................................................... osmo-sgsn: add VTY parameter to toggle authentication It may be useful to have 'remote' authorization policy, but do not require authentication in GERAN at the same time, e.g. in combination with 'subscriber-create-on-demand' feature of OsmoHLR. This change introduces a new VTY parameter similar to the one that we already have in OsmoMSC: authentication (optional|required) Please note that 'required' only applies if 'auth-policy' is 'remote'. Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9 --- M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg M doc/examples/osmo-sgsn/osmo-sgsn.cfg M doc/manuals/vty/sgsn_vty_reference.xml M src/gprs/sgsn_vty.c 4 files changed, 45 insertions(+), 1 deletion(-) Approvals: laforge: Looks good to me, approved Jenkins Builder: Verified diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg index b47878a..85112f4 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg @@ -10,6 +10,7 @@ ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication optional auth-policy accept-all ! ns diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg index 263bd00..3be4d49 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg @@ -10,6 +10,7 @@ ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication required auth-policy remote gsup remote-ip 127.0.0.1 gsup remote-port 4222 diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml index 7619215..ed11777 100644 --- a/doc/manuals/vty/sgsn_vty_reference.xml +++ b/doc/manuals/vty/sgsn_vty_reference.xml @@ -2230,6 +2230,13 @@ <param name='remote' doc='Use remote subscription data only (HLR)' /> </params> </command> + <command id='authentication (optional|required)'> + <params> + <param name='authentication' doc='Whether to enforce MS authentication in GERAN' /> + <param name='optional' doc='Allow MS to attach via GERAN without authentication' /> + <param name='required' doc='Always require authentication' /> + </params> + </command> <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'> <params> <param name='encryption' doc='Set encryption algorithm for SGSN' /> diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c index 6389d92..29c9771 100644 --- a/src/gprs/sgsn_vty.c +++ b/src/gprs/sgsn_vty.c @@ -211,6 +211,8 @@ if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); + vty_out(vty, " authentication %s%s", + g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); @@ -693,6 +695,27 @@ return CMD_SUCCESS; } +DEFUN(cfg_authentication, cfg_authentication_cmd, + "authentication (optional|required)", + "Whether to enforce MS authentication in GERAN\n" + "Allow MS to attach via GERAN without authentication\n" + "Always require authentication\n") +{ + int required = (argv[0][0] == 'r'); + + if (vty->type != VTY_FILE) { + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) { + vty_out(vty, "%% Authentication is not possible without HLR, " + "consider setting 'auth-policy' to 'remote'%s", + VTY_NEWLINE); + return CMD_WARNING; + } + } + + g_cfg->require_authentication = required; + return CMD_SUCCESS; +} + DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, "auth-policy (accept-all|closed|acl-only|remote)", "Configure the Authorization policy of the SGSN. This setting determines which subscribers are" @@ -705,9 +728,12 @@ int val = get_string_value(sgsn_auth_pol_strs, argv[0]); OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE); g_cfg->auth_policy = val; - g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE); g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); + /* Authentication is not possible without HLR */ + if (val != SGSN_AUTH_POLICY_REMOTE) + g_cfg->require_authentication = 0; + return CMD_SUCCESS; } @@ -1391,6 +1417,7 @@ install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd); install_element(SGSN_NODE, &cfg_imsi_acl_cmd); install_element(SGSN_NODE, &cfg_auth_policy_cmd); + install_element(SGSN_NODE, &cfg_authentication_cmd); install_element(SGSN_NODE, &cfg_encrypt_cmd); install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd); install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd); @@ -1462,6 +1489,14 @@ return rc; } + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE + && g_cfg->require_authentication) { + fprintf(stderr, "Configuration error:" + " authentication is not possible without HLR." + " Consider setting 'auth-policy' to 'remote'\n"); + return -EINVAL; + } + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) { -- To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-sgsn Gerrit-Branch: master Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9 Gerrit-Change-Number: 14194 Gerrit-PatchSet: 4 Gerrit-Owner: fixeria <axilirator at gmail.com> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <axilirator at gmail.com> Gerrit-Reviewer: laforge <laforge at gnumonks.org> Gerrit-Reviewer: lynxis lazus <lynxis at fe80.eu> Gerrit-CC: pespin <pespin at sysmocom.de> Gerrit-MessageType: merged -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190606/fa4a3ae4/attachment.htm>