Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Vadim Yanitskiy gerrit-no-reply at lists.osmocom.org
Sun May 26 22:51:10 UTC 2019 

Vadim Yanitskiy has uploaded this change for review. ( https://gerrit.osmocom.org/14194


Change subject: osmo-sgsn: add VTY parameter to toggle authentication
......................................................................

osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.

This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:

  authentication (optional|required)

Please note that 'required' only applies if 'auth-policy' is 'remote'.

Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
---
M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
M doc/examples/osmo-sgsn/osmo-sgsn.cfg
M src/gprs/sgsn_vty.c
3 files changed, 37 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/94/14194/1

diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
index b47878a..85112f4 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication optional
  auth-policy accept-all
 !
 ns
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
index 263bd00..3be4d49 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication required
  auth-policy remote
  gsup remote-ip 127.0.0.1
  gsup remote-port 4222
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index c01de3b..ad2c809 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
@@ -211,6 +211,8 @@
 	if (g_cfg->gsup_server_port)
 		vty_out(vty, " gsup remote-port %d%s",
 			g_cfg->gsup_server_port, VTY_NEWLINE);
+	vty_out(vty, " authentication %s%s",
+		gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE);
 	vty_out(vty, " auth-policy %s%s",
 		get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
 		VTY_NEWLINE);
@@ -693,6 +695,27 @@
 	return CMD_SUCCESS;
 }
 
+DEFUN(cfg_authentication, cfg_authentication_cmd,
+      "authentication (optional|required)",
+      "Whether to enforce MS authentication in GERAN\n"
+      "Allow MS to attach via GERAN without authentication\n"
+      "Always require authentication\n")
+{
+	int required = (argv[0][0] == 'r');
+
+	if (vty->type != VTY_FILE) {
+		if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+			vty_out(vty, "Authentication is not possible without HLR, "
+				     "consider setting 'auth-policy' to 'remote'%s",
+				     VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+	}
+
+	g_cfg->require_authentication = required;
+	return CMD_SUCCESS;
+}
+
 DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
 	"auth-policy (accept-all|closed|acl-only|remote)",
 	"Configure the Authorization policy of the SGSN. This setting determines which subscribers are"
@@ -705,9 +728,12 @@
 	int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
 	OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->auth_policy = val;
-	g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);
 
+	/* Authentication is not possible without HLR */
+	if (val != SGSN_AUTH_POLICY_REMOTE)
+		g_cfg->require_authentication = 0;
+
 	return CMD_SUCCESS;
 }
 
@@ -1462,6 +1488,14 @@
 		return rc;
 	}
 
+	if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+	    && g_cfg->require_authentication) {
+		fprintf(stderr, "Configuration error:"
+			" authentication is not possible without HLR."
+			" Consider setting 'auth-policy' to 'remote'\n");
+		return -EINVAL;
+	}
+
 	if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE
 	    && !(g_cfg->gsup_server_addr.sin_addr.s_addr
 		 && g_cfg->gsup_server_port)) {

-- 
To view, visit https://gerrit.osmocom.org/14194
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190526/923e804c/attachment.htm>

More information about the gerrit-log mailing list