Skip to content

[2.8.0] Authorize signed plaintext remote admin in licensed mode #10971

Description

@RCGV1

Description

Implement the signed plaintext licensed-mode remote-administration design from meshtastic/design#123 as a separate follow-up stacked on #10967 and #10969.

This must reuse existing Router-verified XEdDSA, security.admin_key[], and the AdminModule session challenge. It must not add an authentication version, signature format, certificate scheme, encrypted ham traffic, or normal-mode signed-admin fallback.

Required behavior

  • Accept a licensed remote Admin request/mutation only when it is directed to this node, has a successfully verified XEdDSA signature, and the exact verified signer key matches a populated admin_key slot.
  • Carry the exact verified signer key from Router to AdminModule as transient authenticated state; clear and ignore serialized auth flags/keys at ingress.
  • Require prior verified signed NodeInfo discovery or warm-store key retention; admin_key is authorization, not discovery.
  • Retain the existing session-passkey requirement for mutations.
  • Add explicit session-initialized state so an all-zero passkey cannot authorize during the first minutes after boot.
  • Require licensed Admin replies to be directed, plaintext, and Router-verified signed.
  • Keep normal PKI remote administration unchanged.
  • Keep decoded MQTT Admin injection blocked; binary ingress must traverse normal Router verification.
  • Reject unsigned, oversized-unsigned, malformed, invalid, unverifiable, unknown-key, non-allowlisted, broadcast, and wrong-destination Admin traffic.

Client dependency

Official clients must avoid setting pki_encrypted=true when sending remote Admin traffic through a licensed local radio and must display verified-signature semantics rather than an encryption lock. Track client changes separately after the firmware behavior is reviewable.

Validation

  • authorized/unauthorized signer keys and empty admin slots;
  • missing, zero-before-generation, valid, stale, and reboot-invalidated session values;
  • getters, session request, mutation, and response paths;
  • first-contact signed NodeInfo followed by Admin and warm-store signer lookup;
  • invalid/malformed/unsigned/oversized signatures, broadcast, and wrong destination;
  • normal-mode PKI regression coverage;
  • decoded MQTT rejection and binary Router-verified ingress;
  • two-radio RF capture showing readable plaintext request/reply and no PKI/PSK encryption.

Keep the implementation PR draft until representative hardware and cross-device interoperability are recorded.

Dependencies

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions