Change in ...osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication


laforge gerrit-no-reply at lists.osmocom.org
Thu Jun 6 19:45:34 UTC 2019


laforge has submitted this change and it was merged. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
......................................................................

osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.

This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:

  authentication (optional|required)

Please note that 'required' only applies if 'auth-policy' is 'remote'.

Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
---
M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
M doc/examples/osmo-sgsn/osmo-sgsn.cfg
M doc/manuals/vty/sgsn_vty_reference.xml
M src/gprs/sgsn_vty.c
4 files changed, 45 insertions(+), 1 deletion(-)

Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
index b47878a..85112f4 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication optional
  auth-policy accept-all
 !
 ns
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
index 263bd00..3be4d49 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication required
  auth-policy remote
  gsup remote-ip 127.0.0.1
  gsup remote-port 4222
diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml
index 7619215..ed11777 100644
--- a/doc/manuals/vty/sgsn_vty_reference.xml
+++ b/doc/manuals/vty/sgsn_vty_reference.xml
@@ -2230,6 +2230,13 @@
         <param name='remote' doc='Use remote subscription data only (HLR)' />
       </params>
     </command>
+    <command id='authentication (optional|required)'>
+      <params>
+        <param name='authentication' doc='Whether to enforce MS authentication in GERAN' />
+        <param name='optional' doc='Allow MS to attach via GERAN without authentication' />
+        <param name='required' doc='Always require authentication' />
+      </params>
+    </command>
     <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'>
       <params>
         <param name='encryption' doc='Set encryption algorithm for SGSN' />
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index 6389d92..29c9771 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
@@ -211,6 +211,8 @@
 	if (g_cfg->gsup_server_port)
 		vty_out(vty, " gsup remote-port %d%s",
 			g_cfg->gsup_server_port, VTY_NEWLINE);
+	vty_out(vty, " authentication %s%s",
+		g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE);
 	vty_out(vty, " auth-policy %s%s",
 		get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
 		VTY_NEWLINE);
@@ -693,6 +695,27 @@
 	return CMD_SUCCESS;
 }
 
+DEFUN(cfg_authentication, cfg_authentication_cmd,
+      "authentication (optional|required)",
+      "Whether to enforce MS authentication in GERAN\n"
+      "Allow MS to attach via GERAN without authentication\n"
+      "Always require authentication\n")
+{
+	int required = (argv[0][0] == 'r');
+
+	if (vty->type != VTY_FILE) {
+		if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+			vty_out(vty, "%% Authentication is not possible without HLR, "
+				     "consider setting 'auth-policy' to 'remote'%s",
+				     VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+	}
+
+	g_cfg->require_authentication = required;
+	return CMD_SUCCESS;
+}
+
 DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
 	"auth-policy (accept-all|closed|acl-only|remote)",
 	"Configure the Authorization policy of the SGSN. This setting determines which subscribers are"
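Review bot: Nothing in the new `authentication` command says which value applies when the line is absent from the config, and that matters because the `@@ -705` hunk removes the assignment that used to switch authentication on together with `auth-policy remote`. An existing config with `auth-policy remote` and no `authentication` line now gets whatever `g_cfg->require_authentication` is initialised to, which this diff does not show; if that is 0, an upgrade stops authenticating MS in GERAN without any message. I would set the default explicitly where `g_cfg` is initialised, state it in the command's help text and the XML reference, and log at config load when `auth-policy remote` runs with `authentication optional`. cfg_authentication is complete within the hunk; the trailing context lines belong to cfg_auth_policy, which continues outside it.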
@@ -705,9 +728,12 @@
 	int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
 	OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->auth_policy = val;
-	g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);
 
+	/* Authentication is not possible without HLR */
+	if (val != SGSN_AUTH_POLICY_REMOTE)
+		g_cfg->require_authentication = 0;
+
 	return CMD_SUCCESS;
 }
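Review bot: The reset of `require_authentication` for non-remote policies also runs while the config file is being read, which defeats the post-parse check added at `@@ -1462`. With the line order that the config writer emits at `@@ -211` (and that both example configs in this change use), `authentication required` followed by `auth-policy closed` sets the flag, this code then clears it, and the file loads without the "Configuration error" message and with authentication off; the check only fires when the two lines appear in the opposite order. Limiting the reset to interactive use keeps file parsing order-independent and lets the later check report the conflict: `if (val != SGSN_AUTH_POLICY_REMOTE && vty->type != VTY_FILE)`. The DEFUN header of cfg_auth_policy lies outside this hunk.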
 
@@ -1391,6 +1417,7 @@
 	install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd);
 	install_element(SGSN_NODE, &cfg_imsi_acl_cmd);
 	install_element(SGSN_NODE, &cfg_auth_policy_cmd);
+	install_element(SGSN_NODE, &cfg_authentication_cmd);
 	install_element(SGSN_NODE, &cfg_encrypt_cmd);
 	install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd);
 	install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd);
@@ -1462,6 +1489,14 @@
 		return rc;
 	}
 
+	if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+	    && g_cfg->require_authentication) {
+		fprintf(stderr, "Configuration error:"
+			" authentication is not possible without HLR."
+			" Consider setting 'auth-policy' to 'remote'\n");
+		return -EINVAL;
+	}
+
 	if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE
 	    && !(g_cfg->gsup_server_addr.sin_addr.s_addr
 		 && g_cfg->gsup_server_port)) {

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 4
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: laforge <laforge at gnumonks.org>
Gerrit-Reviewer: lynxis lazus <lynxis at fe80.eu>
Gerrit-CC: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged