Skip to content

Wifi security#79

Open
brainstorm wants to merge 10 commits intomainfrom
wifi_security
Open

Wifi security#79
brainstorm wants to merge 10 commits intomainfrom
wifi_security

Conversation

@brainstorm
Copy link
Owner

@brainstorm brainstorm commented Mar 14, 2026
edited
Loading

Fixes issue #63 and readies SSH Stamp for security audit in #7.

Implements WPA2-WPA3 security by default... there seems to be a problem (bug?) with WPA3-only mode on esp_hal I need to investigate further: NetworkManager mis-identifies the network as WEP and PMF is disabled (should be enabled/mandatory in WPA3).

TODO:

  • Move more of the console messages to debug!() instead of info!() so that the user sees the generated wifi password easily and can copy-paste it on their client easily.
  • Investigate WPA3 issue on esp_hal.
  • Test thoroughly on hardware.

@brainstorm
Add WiFi WPA3 logic, removing previous insecure Open wireless. Wirele…
f72ee1d 
…ss SSID and password are optionally configured via SSH ENV variables, provided that the user is properly auth'd via pubkeys.
@brainstorm brainstorm marked this pull request as draft March 14, 2026 15:39
@brainstorm
Move wifi password chars const to settings
95132f7
@brainstorm
Reduce USB console verbosity to help out with UX while provisioning: …
0c50354 
…the user should just have to see the generated WIFI PSK, IP and know whether the (UART) bridge has been established successfully. Everything else has been moved to debug log level
@brainstorm brainstorm marked this pull request as ready for review March 15, 2026 16:25
jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
Autofix
Autofix reviewed Mar 16, 2026
View reviewed changes
Autofix
Autofix reviewed Mar 16, 2026
View reviewed changes
jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
jubeormk1
jubeormk1 requested changes Mar 16, 2026
View reviewed changes
Copy link
Collaborator

@jubeormk1 jubeormk1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall I like the way this is looking! But there are a couple of things:

  • The board starts and the wifi is up but I cannot reach by ping or ssh ssh-stamp. We need to review what has changed.
  • Opinion: I would apply the WiFi ENV_VAR at once given that there is no error parsing SSID or PSK once all the environment variables have been processed as I mentioned in an inline comment.

@brainstorm brainstorm requested a review from jubeormk1 March 16, 2026 21:30
@brainstorm
Copy link
Owner Author

brainstorm commented Mar 16, 2026

The board starts and the wifi is up but I cannot reach by ping or ssh ssh-stamp. We need to review what has changed.

Weird, I just tested now and seems to work fine? A few checkpoints needed here:

  1. Start with espflash erase-flash, just to make sure we start from known pre-conditions.
  2. Make sure you delete the old hostkey from your ~/.ssh/known_hosts before re-flashing the device.
  3. Does echo $SSH_STAMP_PUBKEY show an ed25519 pubkey before running ssh -o SendEnv=SSH_STAMP_PUBKEY zssh@192.168.4.1?
  4. Before all that, do you "forget ssh-stamp access point on your client" and input the wireless PSK and does it connect alright?

This is what I'm seeing on my machine at the time of writing this on this branch as-is:

image

jubeormk1
jubeormk1 reviewed Mar 16, 2026
View reviewed changes
src/espressif/net.rs
tcp_socket
}

pub async fn wifi_ssid(config: &'static SunsetMutex<SSHStampConfig>) -> String<63> {
Copy link
Collaborator

@jubeormk1 jubeormk1 Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While you have it fresh in your mind, could you add doc comments for what this function and wifi_up does? They retrieve the wifi_password and wifi_ssid from config.

Would it be reasonable defining these functions as part of config or you rather have them here because they are part of espressif configuration requirements?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jubeormk1 jubeormk1 jubeormk1 requested changes

@Autofix Autofix Autofix left review comments

@mmalenic mmalenic Awaiting requested review from mmalenic

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brainstorm @jubeormk1 @Autofix