Change in ...osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-06-06 Thread laforge
laforge has posted comments on this change. ( 
https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Patch Set 3: Code-Review+2


--
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 3
Gerrit-Owner: fixeria 
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria 
Gerrit-Reviewer: laforge 
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: pespin 
Gerrit-Comment-Date: Thu, 06 Jun 2019 19:45:32 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


Change in ...osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-06-06 Thread laforge
laforge has submitted this change and it was merged. ( 
https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..

osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.

This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:

  authentication (optional|required)

Please note that 'required' only applies if 'auth-policy' is 'remote'.

Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
---
M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
M doc/examples/osmo-sgsn/osmo-sgsn.cfg
M doc/manuals/vty/sgsn_vty_reference.xml
M src/gprs/sgsn_vty.c
4 files changed, 45 insertions(+), 1 deletion(-)

Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg 
b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
index b47878a..85112f4 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication optional
  auth-policy accept-all
 !
 ns
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg 
b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
index 263bd00..3be4d49 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication required
  auth-policy remote
  gsup remote-ip 127.0.0.1
  gsup remote-port 4222
diff --git a/doc/manuals/vty/sgsn_vty_reference.xml 
b/doc/manuals/vty/sgsn_vty_reference.xml
index 7619215..ed11777 100644
--- a/doc/manuals/vty/sgsn_vty_reference.xml
+++ b/doc/manuals/vty/sgsn_vty_reference.xml
@@ -2230,6 +2230,13 @@
 
   
 
+
+  
+
+
+
+  
+
 
   
 
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index 6389d92..29c9771 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
@@ -211,6 +211,8 @@
if (g_cfg->gsup_server_port)
vty_out(vty, " gsup remote-port %d%s",
g_cfg->gsup_server_port, VTY_NEWLINE);
+   vty_out(vty, " authentication %s%s",
+   g_cfg->require_authentication ? "required" : "optional", 
VTY_NEWLINE);
vty_out(vty, " auth-policy %s%s",
get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
VTY_NEWLINE);
@@ -693,6 +695,27 @@
return CMD_SUCCESS;
 }

+DEFUN(cfg_authentication, cfg_authentication_cmd,
+  "authentication (optional|required)",
+  "Whether to enforce MS authentication in GERAN\n"
+  "Allow MS to attach via GERAN without authentication\n"
+  "Always require authentication\n")
+{
+   int required = (argv[0][0] == 'r');
+
+   if (vty->type != VTY_FILE) {
+   if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+   vty_out(vty, "%% Authentication is not possible without 
HLR, "
+"consider setting 'auth-policy' to 
'remote'%s",
+VTY_NEWLINE);
+   return CMD_WARNING;
+   }
+   }
+
+   g_cfg->require_authentication = required;
+   return CMD_SUCCESS;
+}
+
 DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
"auth-policy (accept-all|closed|acl-only|remote)",
"Configure the Authorization policy of the SGSN. This setting 
determines which subscribers are"
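Review bot: The `if (vty->type != VTY_FILE)` guard in cfg_authentication has no comment saying why the policy check is skipped while a configuration file is being read, so a reader can take it for an oversight. I would add above it: `/* In a config file 'authentication' may come before 'auth-policy', so the combination is checked after parsing instead */`; the configuration-error check added later in this change appears to be that check. The same applies to the patch set 1 copy of this hunk further down the page. The hunk ends inside the following cfg_auth_policy definition, whose body is not shown here.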
@@ -705,9 +728,12 @@
int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= 
SGSN_AUTH_POLICY_REMOTE);
g_cfg->auth_policy = val;
-   g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);

+   /* Authentication is not possible without HLR */
+   if (val != SGSN_AUTH_POLICY_REMOTE)
+   g_cfg->require_authentication = 0;
+
return CMD_SUCCESS;
 }
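Review bot: Removing `g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);` means `auth-policy remote` no longer switches authentication on by itself, so a configuration file written before this change, which has no `authentication` line, now gets whatever initial value the flag has. That initial value is not visible in this diff; if it is 0, such a deployment would stop authenticating subscribers after an upgrade without any message. At minimum the new default should be stated where the flag is cleared, e.g. `/* NOTE: 'auth-policy remote' no longer implies 'authentication required'; without an 'authentication' line the initial value of require_authentication applies */`, and in the VTY reference. The patch set 1 copy of this hunk further down makes the same change.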

@@ -1391,6 +1417,7 @@
install_element(SGSN_NODE, _ggsn_no_echo_interval_cmd);
install_element(SGSN_NODE, _imsi_acl_cmd);
install_element(SGSN_NODE, _auth_policy_cmd);
+   install_element(SGSN_NODE, _authentication_cmd);
install_element(SGSN_NODE, _encrypt_cmd);
install_element(SGSN_NODE, _gsup_ipa_name_cmd);
install_element(SGSN_NODE, _gsup_remote_ip_cmd);
@@ -1462,6 +1489,14 @@
return rc;
}

+   if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+   && g_cfg->require_authentication) {
+   

Change in ...osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-06-04 Thread Harald Welte
Harald Welte has posted comments on this change. ( 
https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Patch Set 3: Code-Review+1


--
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 3
Gerrit-Owner: fixeria 
Gerrit-Reviewer: Harald Welte 
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria 
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: pespin 
Gerrit-Comment-Date: Tue, 04 Jun 2019 21:31:32 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


Change in ...osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-06-04 Thread fixeria
fixeria has posted comments on this change. ( 
https://gerrit.osmocom.org/c/osmo-sgsn/+/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Set Ready For Review


--
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 3
Gerrit-Owner: fixeria 
Gerrit-Reviewer: Harald Welte 
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria 
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: pespin 
Gerrit-Comment-Date: Tue, 04 Jun 2019 18:50:41 +
Gerrit-HasComments: No
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-05-29 Thread Harald Welte
Harald Welte has posted comments on this change. ( 
https://gerrit.osmocom.org/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Patch Set 2: Code-Review-1

actually, what we're missing is an update to the user manual here.


--
To view, visit https://gerrit.osmocom.org/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 2
Gerrit-Owner: Vadim Yanitskiy 
Gerrit-Reviewer: Harald Welte 
Gerrit-Reviewer: Jenkins Builder (102)
Gerrit-Reviewer: Vadim Yanitskiy 
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: Pau Espin Pedrol 
Gerrit-Comment-Date: Wed, 29 May 2019 08:47:42 +
Gerrit-HasComments: No
Gerrit-HasLabels: Yes


Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-05-29 Thread Harald Welte
Harald Welte has posted comments on this change. ( 
https://gerrit.osmocom.org/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Patch Set 2: Code-Review+2

(1 comment)

https://gerrit.osmocom.org/#/c/14194/2//COMMIT_MSG
Commit Message:

https://gerrit.osmocom.org/#/c/14194/2//COMMIT_MSG@11
PS2, Line 11: with 'subscriber-create-on-demand' feature of OsmoHLR.
> If authorization policy is "remote", shouldn't then OsmoHLR be the one 
> deciding whether to require a […]
The HLR never decides anything.  It is just asked for auth tuples (if the 
MSC/VLR/SGSN need some) and it's updated with information.



--
To view, visit https://gerrit.osmocom.org/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 2
Gerrit-Owner: Vadim Yanitskiy 
Gerrit-Reviewer: Harald Welte 
Gerrit-Reviewer: Jenkins Builder (102)
Gerrit-Reviewer: Vadim Yanitskiy 
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: Pau Espin Pedrol 
Gerrit-Comment-Date: Wed, 29 May 2019 08:47:09 +
Gerrit-HasComments: Yes
Gerrit-HasLabels: Yes


Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-05-27 Thread Vadim Yanitskiy
Vadim Yanitskiy has posted comments on this change. ( 
https://gerrit.osmocom.org/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Patch Set 2:

(1 comment)

https://gerrit.osmocom.org/#/c/14194/2//COMMIT_MSG
Commit Message:

https://gerrit.osmocom.org/#/c/14194/2//COMMIT_MSG@11
PS2, Line 11: with 'subscriber-create-on-demand' feature of OsmoHLR.
> If authorization policy is "remote", shouldn't then OsmoHLR be the one 
> deciding whether to require a […]
No, and I don't think OsmoHLR should be the deciding side. In this particular 
case HLR is just a storage. OsmoMSC also has a similar configuration parameter, 
so one can configure authentication for both PS and CS domains separately.



--
To view, visit https://gerrit.osmocom.org/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 2
Gerrit-Owner: Vadim Yanitskiy 
Gerrit-Reviewer: Harald Welte 
Gerrit-Reviewer: Jenkins Builder (102)
Gerrit-Reviewer: Vadim Yanitskiy 
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: Pau Espin Pedrol 
Gerrit-Comment-Date: Mon, 27 May 2019 08:40:10 +
Gerrit-HasComments: Yes
Gerrit-HasLabels: No


Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-05-27 Thread Pau Espin Pedrol
Pau Espin Pedrol has posted comments on this change. ( 
https://gerrit.osmocom.org/14194 )

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..


Patch Set 2:

(1 comment)

https://gerrit.osmocom.org/#/c/14194/2//COMMIT_MSG
Commit Message:

https://gerrit.osmocom.org/#/c/14194/2//COMMIT_MSG@11
PS2, Line 11: with 'subscriber-create-on-demand' feature of OsmoHLR.
If authorization policy is "remote", shouldn't then OsmoHLR be the one deciding 
whether to require authorization or not?



--
To view, visit https://gerrit.osmocom.org/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 2
Gerrit-Owner: Vadim Yanitskiy 
Gerrit-Reviewer: Harald Welte 
Gerrit-Reviewer: Jenkins Builder (102)
Gerrit-Reviewer: lynxis lazus 
Gerrit-CC: Pau Espin Pedrol 
Gerrit-Comment-Date: Mon, 27 May 2019 08:29:57 +
Gerrit-HasComments: Yes
Gerrit-HasLabels: No


Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-05-26 Thread Vadim Yanitskiy
Hello Jenkins Builder,

I'd like you to reexamine a change. Please visit

https://gerrit.osmocom.org/14194

to look at the new patch set (#2).

Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..

osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.

This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:

  authentication (optional|required)

Please note that 'required' only applies if 'auth-policy' is 'remote'.

Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
---
M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
M doc/examples/osmo-sgsn/osmo-sgsn.cfg
M src/gprs/sgsn_vty.c
3 files changed, 38 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/94/14194/2
--
To view, visit https://gerrit.osmocom.org/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 2
Gerrit-Owner: Vadim Yanitskiy 
Gerrit-Reviewer: Jenkins Builder (102)


Change in osmo-sgsn[master]: osmo-sgsn: add VTY parameter to toggle authentication

2019-05-26 Thread Vadim Yanitskiy
Vadim Yanitskiy has uploaded this change for review. ( 
https://gerrit.osmocom.org/14194


Change subject: osmo-sgsn: add VTY parameter to toggle authentication
..

osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.

This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:

  authentication (optional|required)

Please note that 'required' only applies if 'auth-policy' is 'remote'.

Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
---
M doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
M doc/examples/osmo-sgsn/osmo-sgsn.cfg
M src/gprs/sgsn_vty.c
3 files changed, 37 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/94/14194/1

diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg 
b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
index b47878a..85112f4 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication optional
  auth-policy accept-all
 !
 ns
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg 
b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
index 263bd00..3be4d49 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@@ -10,6 +10,7 @@
  ggsn 0 remote-ip 127.0.0.2
  ggsn 0 gtp-version 1
  ggsn 0 echo-interval 60
+ authentication required
  auth-policy remote
  gsup remote-ip 127.0.0.1
  gsup remote-port 4222
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index c01de3b..ad2c809 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
@@ -211,6 +211,8 @@
if (g_cfg->gsup_server_port)
vty_out(vty, " gsup remote-port %d%s",
g_cfg->gsup_server_port, VTY_NEWLINE);
+   vty_out(vty, " authentication %s%s",
+   gsmnet->authentication_required ? "required" : "optional", 
VTY_NEWLINE);
vty_out(vty, " auth-policy %s%s",
get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
VTY_NEWLINE);
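Review bot: The added `vty_out` call reads `gsmnet->authentication_required`, while every other hunk of this patch stores the setting in `g_cfg->require_authentication`, and no `gsmnet` appears in the visible context of this function. This looks like a leftover from the OsmoMSC code the commit message refers to; it would presumably fail to compile, or at best print a different flag than the one the new command sets. The argument should read `g_cfg->require_authentication ? "required" : "optional",` as the merged patch set shown earlier on the page has it. The enclosing config-write function starts and ends outside the hunk.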
@@ -693,6 +695,27 @@
return CMD_SUCCESS;
 }

+DEFUN(cfg_authentication, cfg_authentication_cmd,
+  "authentication (optional|required)",
+  "Whether to enforce MS authentication in GERAN\n"
+  "Allow MS to attach via GERAN without authentication\n"
+  "Always require authentication\n")
+{
+   int required = (argv[0][0] == 'r');
+
+   if (vty->type != VTY_FILE) {
+   if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+   vty_out(vty, "Authentication is not possible without 
HLR, "
+"consider setting 'auth-policy' to 
'remote'%s",
+VTY_NEWLINE);
+   return CMD_WARNING;
+   }
+   }
+
+   g_cfg->require_authentication = required;
+   return CMD_SUCCESS;
+}
+
 DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
"auth-policy (accept-all|closed|acl-only|remote)",
"Configure the Authorization policy of the SGSN. This setting 
determines which subscribers are"
@@ -705,9 +728,12 @@
int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= 
SGSN_AUTH_POLICY_REMOTE);
g_cfg->auth_policy = val;
-   g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);

+   /* Authentication is not possible without HLR */
+   if (val != SGSN_AUTH_POLICY_REMOTE)
+   g_cfg->require_authentication = 0;
+
return CMD_SUCCESS;
 }

@@ -1462,6 +1488,14 @@
return rc;
}

+   if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+   && g_cfg->require_authentication) {
+   fprintf(stderr, "Configuration error:"
+   " authentication is not possible without HLR."
+   " Consider setting 'auth-policy' to 'remote'\n");
+   return -EINVAL;
+   }
+
if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE
&& !(g_cfg->gsup_server_addr.sin_addr.s_addr
 && g_cfg->gsup_server_port)) {
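Review bot: The new startup check on `g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && g_cfg->require_authentication` depends on the order of the two lines in the configuration file. When `authentication required` comes before a non-remote `auth-policy` line, which is the order the config writer in this patch emits, the auth-policy handler has already reset the flag to 0 and the file loads without any message; only the opposite order reaches this error. An operator who asked for authentication then runs without it and is not told. I would skip the reset for file input, e.g. `if (val != SGSN_AUTH_POLICY_REMOTE && vty->type != VTY_FILE)` in cfg_auth_policy, so that this check sees the conflict in either order. The enclosing function starts and ends outside the hunk.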

--
To view, visit https://gerrit.osmocom.org/14194

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
Gerrit-Change-Number: 14194
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy