Client id "namespaces"
We have clients in multiple environments connecting via mTLS with use_identity_as_username. Each environment has a unique certificate and username and is granted exclusive access to a topic prefix given by the username. Client ids are explicitly prefixed with the username as a client id "namespace" per environment. Is there a way to avoid DoS from a compromised environment that maliciously uses client ids from other environments? For example, one could configure an automatic client id prefix on the server involving the username, e.g. auto_id_prefix "%u-". This would also save us configuring this for every client.
I don't think there is a config option (just yet at least) for it, but I have made a similar feature request to enable plugins doing this client-id scoping / prefixing sort of thing.
https://github.com/eclipse/mosquitto/issues/2033
Would this help? Maybe a step on the way at least.
Yes, this comment is spot on:
This would also allow for some sort of client id scoping by just prefixing the client id with something related to user during the authentication step. Two users could use the client id "myclient" since they'd end up with "user1-myclient" and "user2-myclient".
Although, as you point out, the mosquitto_set_clientid function is just a step on the way. An alternative config parameter to supporting "%u" in auto_id_prefix is username_id_prefix <true|false>. Or are you proposing that we implement a plugin for that part using the mosquitto_set_clientid function?
I'm guessing you are using the dynamic security plugin. One could either adapt that one or simply make your own. Maybe making your own in this case is probably a bit overkill, but generally I feel like unless the standard way does exactly what you need it to in an efficient enough way, a custom solution is probably best.
Integration with another system gets a bit simpler with a custom plugin, e.g. no need to create additional users, just use those you already have elsewhere in a database somewhere.
Also, forcefully disconnecting clients which no longer need to be connected (or allowed) is nice.
I haven't used the dynamic security plugin much, so I don't know exactly what it's capable of or not.
Does it throw out connections after certificate expiration?
We have not used any plugin so far, just the standard mTLS configuration in mosquitto with use_identity_as_username. Ideally, there would be a standard configuration option to achieve this, but we are open to implementing a plugin.
Should point out though: even if you go down the custom plugin route, it's still an open suggestion; no version out there with the implementation yet unless you compile the broker yourself and add the function.
This is something I keep meaning to come back to for 2.1, but it keeps slipping down the agenda. The dynsec plugin doesn't consider anything to do with client certificates. Perhaps it should, but that's maybe a different proposal to this issue.
I quite like the username_id_prefix <true|false> option - but perhaps having it as a plugin would be better, I'm not sure.
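Added example, not code from this thread or from the mosquitto project: the string logic that either an auto_id_prefix "%u-" option or a plugin callback using the proposed mosquitto_set_clientid would run once the username is known from the client certificate. Because the broker headers and the proposed function are not assumed to exist in a released version, the code stands alone; the "%u" pattern syntax comes from the first post, while the allowed username character set, the MAX_CLIENT_ID bound, the helper names and the "envA"/"envB" scenario are assumptions made for the example. It also shows why the scheme closes the DoS the first post asks about: a compromised environment that presents another environment's client id in CONNECT still lands in its own namespace, so the two ids never collide.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound for this example; the broker's real limit may differ. */
#define MAX_CLIENT_ID 256

/* Only usernames we are happy to embed in a client id. The set is an
 * assumption: it excludes '/', '+', '#' (topic separators and wildcards) and
 * '-', so a username cannot itself spell a fake "otheruser-" prefix. */
static int username_is_safe(const char *u)
{
    if (u == NULL || *u == '\0') return 0;   /* anonymous: nothing to scope by */
    for (; *u; u++) {
        unsigned char c = (unsigned char)*u;
        if (!isalnum(c) && c != '_' && c != '.') return 0;
    }
    return 1;
}

/* Expand "%u" in pattern to the authenticated username, then append the id
 * the client requested. Writes to out; returns 0 on success, -1 when the
 * username is unusable or the result would not fit. The username comes from
 * the mTLS identity, not from the CONNECT packet, so the client cannot pick
 * which namespace its id ends up in. */
int build_scoped_id(const char *pattern, const char *username,
                    const char *client_id, char *out, size_t outlen)
{
    size_t n = 0, len;
    const char *piece;

    if (!username_is_safe(username) || pattern == NULL || out == NULL || outlen == 0)
        return -1;
    if (client_id == NULL) client_id = "";

    for (const char *p = pattern; *p; p++) {
        if (p[0] == '%' && p[1] == 'u') {
            piece = username; len = strlen(username); p++;
        } else {
            piece = p; len = 1;                /* literal pattern character */
        }
        if (n + len >= outlen) return -1;     /* keep room for the NUL */
        memcpy(out + n, piece, len);
        n += len;
    }
    len = strlen(client_id);
    if (n + len >= outlen) return -1;
    memcpy(out + n, client_id, len);
    out[n + len] = '\0';
    return 0;
}

/* 1 if two (username, requested id) pairs map to the same broker-side client
 * id under pattern, i.e. one connection could knock the other offline. */
int ids_collide(const char *pattern, const char *user_a, const char *id_a,
                const char *user_b, const char *id_b)
{
    char a[MAX_CLIENT_ID], b[MAX_CLIENT_ID];
    if (build_scoped_id(pattern, user_a, id_a, a, sizeof a) != 0) return 0;
    if (build_scoped_id(pattern, user_b, id_b, b, sizeof b) != 0) return 0;
    return strcmp(a, b) == 0;
}

/* Small wrappers so results can be checked without managing buffers. */
int scoped_id_is(const char *pattern, const char *username,
                 const char *client_id, const char *expected)
{
    char buf[MAX_CLIENT_ID];
    return build_scoped_id(pattern, username, client_id, buf, sizeof buf) == 0
           && strcmp(buf, expected) == 0;
}

int scoped_id_fits(const char *pattern, const char *username,
                   const char *client_id, size_t outlen)
{
    char buf[MAX_CLIENT_ID];
    if (outlen > sizeof buf) outlen = sizeof buf;
    return build_scoped_id(pattern, username, client_id, buf, outlen) == 0;
}

int main(void)
{
    /* Constructed scenario: envB's legitimate sensor now requests plain
     * "sensor"; a compromised envA presents "envB-sensor" in its CONNECT. */
    const char *cases[][2] = { {"envB", "sensor"}, {"envA", "envB-sensor"} };
    char buf[MAX_CLIENT_ID];
    for (size_t i = 0; i < 2; i++) {
        if (build_scoped_id("%u-", cases[i][0], cases[i][1], buf, sizeof buf) == 0)
            printf("user=%s requested=%s -> %s\n", cases[i][0], cases[i][1], buf);
    }
    /* Client-side prefixing alone (empty server pattern) lets the ids clash;
     * server-side "%u-" keeps them apart. */
    printf("collide without server prefix: %d, with \"%%u-\": %d\n",
           ids_collide("", "envA", "envB-sensor", "envB", "envB-sensor"),
           ids_collide("%u-", "envA", "envB-sensor", "envB", "sensor"));
    return 0;
}
```

The rejection of an empty username matters in practice: if the broker also allows anonymous or password-only clients, those sessions have no namespace to land in, so a prefixing option should either refuse them or fall back to a broker-generated id rather than leaving their requested ids unscoped.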