You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[FOLLOW-UP] [ALIGNMENT]: Signed plaintext remote administration in licensed mode
Goal
Allow authenticated remote administration between licensed/ham-mode nodes while keeping every request, response, and mutation plaintext on air.
This follows the existing receive-policy work in #121 and authenticated plaintext licensed traffic in #122. It reuses the current XEdDSA signature, identity key, security.admin_key[] authorization list, and AdminModule session-passkey flow. It does not introduce an authentication version, signature tuple, certificate system, encrypted admin channel, or new wire message.
Signed plaintext direct messages are already covered by meshtastic/firmware#10969. This issue is specifically the higher-risk remote-administration authorization boundary.
Authorization rule
A remote Admin request or mutation is eligible only when all of these are true:
The receiving node is in licensed mode.
The decoded packet is ADMIN_APP, directed unicast, and addressed to the receiving node.
Router has successfully verified the existing XEdDSA signature.
The exact public key used for that verification is 32 bytes and matches one populated security.admin_key[0..2] entry.
Mutations pass the existing AdminModule session-passkey check.
Unsigned, oversized-unsigned, malformed, invalid, unverifiable, broadcast, wrong-destination, or non-allowlisted Admin packets fail closed. A node number, callsign, serialized xeddsa_signed flag, or serialized public_key field never authorizes administration.
Normal mode retains its existing PKI/admin-channel authorization behavior and must not gain a signed-plaintext fallback.
Verified-key handoff
Router should carry the exact public key used during successful XEdDSA verification to AdminModule as transient authenticated packet state. AdminModule must not trust inbound serialized authentication metadata or re-read a potentially changed NodeDB key after verification.
Key discovery remains separate from authorization: the administrator and target must first exchange a verified signed NodeInfo (or retain the key in warm storage). admin_key[] authorizes an already-known signer; it does not become a new bootstrap or certificate mechanism.
Requests, responses, and replay
Licensed Admin requests, session requests, mutations, and replies remain plaintext and are signed when they fit.
Licensed remote responses must also have a Router-verified signature and be directed unicast.
A response sender is not checked against the receiver's local admin_key[]; that allowlist applies to administrators of the target, not targets replying to an administrator.
The existing weak response-correlation behavior remains documented unless outstanding (remote node, request id) tracking is added without changing the wire format.
The current signature tuple does not include to. The target-specific session challenge limits mutation redirection, but signatures alone do not provide permanent replay protection.
Session initialization correction
AdminModule currently initializes the session passkey buffer and timestamp to zero. During the first several minutes after boot, an eight-zero passkey can satisfy the existing comparison before any session was generated. Add explicit session-initialized state; checking only session_time != 0 is insufficient because generation can occur during uptime second zero.
Reboot must invalidate all session state. Mutations require a generated, unexpired session passkey even when the packet signature is valid.
[FOLLOW-UP] [ALIGNMENT]: Signed plaintext remote administration in licensed mode
Goal
Allow authenticated remote administration between licensed/ham-mode nodes while keeping every request, response, and mutation plaintext on air.
This follows the existing receive-policy work in #121 and authenticated plaintext licensed traffic in #122. It reuses the current XEdDSA signature, identity key,
security.admin_key[]authorization list, and AdminModule session-passkey flow. It does not introduce an authentication version, signature tuple, certificate system, encrypted admin channel, or new wire message.Signed plaintext direct messages are already covered by meshtastic/firmware#10969. This issue is specifically the higher-risk remote-administration authorization boundary.
Authorization rule
A remote Admin request or mutation is eligible only when all of these are true:
ADMIN_APP, directed unicast, and addressed to the receiving node.security.admin_key[0..2]entry.Unsigned, oversized-unsigned, malformed, invalid, unverifiable, broadcast, wrong-destination, or non-allowlisted Admin packets fail closed. A node number, callsign, serialized
xeddsa_signedflag, or serializedpublic_keyfield never authorizes administration.Normal mode retains its existing PKI/admin-channel authorization behavior and must not gain a signed-plaintext fallback.
Verified-key handoff
Router should carry the exact public key used during successful XEdDSA verification to AdminModule as transient authenticated packet state. AdminModule must not trust inbound serialized authentication metadata or re-read a potentially changed NodeDB key after verification.
Key discovery remains separate from authorization: the administrator and target must first exchange a verified signed NodeInfo (or retain the key in warm storage).
admin_key[]authorizes an already-known signer; it does not become a new bootstrap or certificate mechanism.Requests, responses, and replay
admin_key[]; that allowlist applies to administrators of the target, not targets replying to an administrator.(remote node, request id)tracking is added without changing the wire format.to. The target-specific session challenge limits mutation redirection, but signatures alone do not provide permanent replay protection.Session initialization correction
AdminModule currently initializes the session passkey buffer and timestamp to zero. During the first several minutes after boot, an eight-zero passkey can satisfy the existing comparison before any session was generated. Add explicit session-initialized state; checking only
session_time != 0is insufficient because generation can occur during uptime second zero.Reboot must invalidate all session state. Mutations require a generated, unexpired session passkey even when the packet signature is valid.
Ingress and clients
pki_encrypted=false; explicit PKI requests continue failing in licensed mode.Acceptance criteria
Operators remain responsible for their licence conditions, jurisdiction, permitted modes, and station-identification requirements.