gt-rail / rosauth Goto Github PK

how use this tool , i think that is very useful.
thankyou

Could you release rosauth for Lunar? I've tested that it works and that that debian packages built. I'm trying to release the rospilot package for Lunar, which depends on this. Thanks!

Could you release rosauth for ROS Melodic? I've tested it, and it seems like everything builds and all tests pass. Thanks!

Would you release rosauth on noetic? I am waiting to release rosbridge_suite

To resolve run dependency of rosbridge in hydro

Could you release rosauth for Kinetic? I tested it and it seems to be working fine with no changes

It's your friendly, neighborhood package-release-poker. Could we get a release of this package for Galactic to support a Galactic release of rosbridge_suite?

I'm setting up a rosbridge websocket that should authenticate the clients to harden security. The rosbridge already comes with authentication mechanism, which points to this project.

Here I face the first problem, it's very difficult to find information about how the authentication is performed or how should this service be used. After some digging I found this issue that explained a bit of how this works. (#3)
Still it's unclear to me how exactly to construct the authentication request, there's no information regarding which digest the MAC should be, or which message is MAC calculated for. After further digging by looking into the source code, it seems that the digest is SHA-512 and the message is the concatenation of secret and values from the authentication request.

With this knowledge I tried to authenticate by calling /authenticate manually using the following setup.
secret:
f1JlG2fNnJIHgjnL

request:
client: '' dest: '' rand: 'random' t: {secs: 0, nsecs: 0} level: '' end: {secs: 0, nsecs: 0}

The MAC should therefore be the SHA-512 digest of f1JlG2fNnJIHgjnLrandom00, which is
01C0D1F9FB2E945DFE8E19F66072BFC2115518E81D805BCBA6F427D94995181D6725DF71B74C536B1CC43D5133E1CEB81999DA2AA2768CA20363DFB6797B941E

Complete call to the service is
rosservice call /authenticate "mac: '01C0D1F9FB2E945DFE8E19F66072BFC2115518E81D805BCBA6F427D94995181D6725DF71B74C536B1CC43D5133E1CEB81999DA2AA2768CA20363DFB6797B941E' client: '' dest: '' rand: 'random' t: {secs: 0, nsecs: 0} level: '' end: {secs: 0, nsecs: 0}"

But the service returns
authenticated: False

Any help or suggestions will be appreciated
Thanks in advance

Looks like this package is a dependency for releasing https://github.com/RobotWebTools/rosbridge_suite/ to Foxy. Could we get a release of this package for Foxy? Looks like @dirk-thomas did the last ROS2 release.

https://github.com/GT-RAIL/rosauth/blob/develop/src/ros_mac_authentication.cpp#L29 ensures that the parameter path of the secret is always the same. However, usually private node parameters are kept in the namespace of the node which is now not possible (unless you call the node ros_mac_authentication).

What about using the local nodehandle to perform the parameters lookup?

Currently rosauth implements Hash(secret | message) which is vunerable to a length extension attack https://en.wikipedia.org/wiki/HMAC

Typically you'd want Hash(secret | hash(secret | message))

Gazebo is running with use_sim_time true. However, my roslibjs client is not connected to the /clock topic which makes it impossible to authenticate the roslibjs client. It would be nice if we could make the time delta check configurable (instead of harcoded 5 https://github.com/GT-RAIL/rosauth/blob/develop/src/ros_mac_authentication.cpp#L68) so I can work around this.

What do you think?

I ran into some issues compiling the rosauth package. The include file "rosauth.h" is missing during compilation, which can be fixed by restarting catkin_make 3 - 4 times in a row.
Adding explicit dependencies on gencpp for the test target fixes this issue for me.
Please see #8 for further details

We (OSRF) would like to contribute a ROS 2 port of this package. Commonly we prefer to create a ros2 branch in the upstream repository in order to keep the code as close as possible to the ROS 1 code and ease porting of patches between the branches.

I just wanted to check if the maintainers of this repo would be open to this? This could either be done by creating a ros2 branch for us and we create PRs or (if you would be comfortable with giving us write access) we could move forward on this without requiring your attention for future PRs (we would still go through PRs).

Otherwise we would need to create a fork of the repo (which is more difficult to discover and sometime unclear to users which repo to use).