This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Vadim Yanitskiy gerrit-no-reply at lists.osmocom.orgVadim Yanitskiy has uploaded this change for review. ( https://gerrit.osmocom.org/14194 Change subject: osmo-sgsn: add VTY parameter to toggle authentication ...................................................................... osmo-sgsn: add VTY parameter to toggle authentication It may be useful to have 'remote' authorization policy, but do not require authentication in GERAN at the same time, e.g. in combination with 'subscriber-create-on-demand' feature of OsmoHLR. This change introduces a new VTY parameter similar to the one that we already have in OsmoMSC: authentication (optional|required) Please note that 'required' only applies if 'auth-policy' is 'remote'. Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9 --- M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg M doc/examples/osmo-sgsn/osmo-sgsn.cfg M src/gprs/sgsn_vty.c 3 files changed, 37 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/94/14194/1 diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg index b47878a..85112f4 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg @@ -10,6 +10,7 @@ ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication optional auth-policy accept-all ! ns diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg index 263bd00..3be4d49 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg @@ -10,6 +10,7 @@ ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication required auth-policy remote gsup remote-ip 127.0.0.1 gsup remote-port 4222 diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c index c01de3b..ad2c809 100644 --- a/src/gprs/sgsn_vty.c +++ b/src/gprs/sgsn_vty.c 
@@ -211,6 +211,8 @@ if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); + vty_out(vty, " authentication %s%s", + gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); @@ -693,6 +695,27 @@ return CMD_SUCCESS; } +DEFUN(cfg_authentication, cfg_authentication_cmd, + "authentication (optional|required)", + "Whether to enforce MS authentication in GERAN\n" + "Allow MS to attach via GERAN without authentication\n" + "Always require authentication\n") +{ + int required = (argv[0][0] == 'r'); + + if (vty->type != VTY_FILE) { + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) { + vty_out(vty, "Authentication is not possible without HLR, " + "consider setting 'auth-policy' to 'remote'%s", + VTY_NEWLINE); + return CMD_WARNING; + } + } + + g_cfg->require_authentication = required; + return CMD_SUCCESS; +} + DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, "auth-policy (accept-all|closed|acl-only|remote)", "Configure the Authorization policy of the SGSN. This setting determines which subscribers are" @@ -705,9 +728,12 @@ int val = get_string_value(sgsn_auth_pol_strs, argv[0]); OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE); g_cfg->auth_policy = val; - g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE); g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); + /* Authentication is not possible without HLR */ + if (val != SGSN_AUTH_POLICY_REMOTE) + g_cfg->require_authentication = 0; + return CMD_SUCCESS; } 
@@ -1462,6 +1488,14 @@ return rc; } + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE + && g_cfg->require_authentication) { + fprintf(stderr, "Configuration error:" + " authentication is not possible without HLR." + " Consider setting 'auth-policy' to 'remote'\n"); + return -EINVAL; + } + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) { -- To view, visit https://gerrit.osmocom.org/14194 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-sgsn Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9 Gerrit-Change-Number: 14194 Gerrit-PatchSet: 1 Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
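Review bot: In the config-write hunk of src/gprs/sgsn_vty.c (@@ -211,6 +211,8 @@), the new vty_out() reads `gsmnet->authentication_required`, while every other line in this patch stores and checks the setting as `g_cfg->require_authentication`. No `gsmnet` appears in the surrounding context, so this looks carried over from the OsmoMSC command the commit message mentions. It should print `g_cfg->require_authentication ? "required" : "optional"`, so that the written config reflects what the SGSN actually enforces.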
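Review bot: The help strings of cfg_authentication (@@ -693,6 +695,27 @@) do not mention that 'required' only takes effect with 'auth-policy remote', which the commit message states and which the handler checks only for interactive sessions (`vty->type != VTY_FILE`). Suggest stating the dependency in the "Always require authentication" line, so an operator reading the VTY help sees it before running into the warning.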
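Review bot: In cfg_auth_policy (@@ -705,9 +728,12 @@), removing `g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);` means 'auth-policy remote' no longer turns authentication on by itself. An existing config with 'auth-policy remote' and no 'authentication' line will then run with whatever the initial value of require_authentication is, which this patch does not show; if that value is 0, an upgrade silently stops authenticating subscribers. Suggest keeping 'required' as the effective default under 'remote' (or initialising the field accordingly) and calling out the behaviour change in the commit message.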
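Review bot: The consistency check added at @@ -1462,6 +1488,14 @@ only catches one ordering of the two commands in a config file. If 'authentication required' is followed by a non-remote 'auth-policy', cfg_auth_policy has already cleared require_authentication to 0, so this check passes and the SGSN starts without authentication and without any message; with the lines the other way round, startup fails with -EINVAL. Suggest either not clearing the flag in cfg_auth_policy, so that this check reports the conflict in both cases, or emitting a message when the flag is dropped.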