mosquitto
Ship mosquitto_passwd separately or part of client package maybe?
When running mosquitto as part of a containerised environment, it is handy to be able to generate the password file outside the container running mosquitto. At the moment the only way to get mosquitto_passwd is through installing the entire broker, which kinda defeats the containerised approach...
If only there was a package with just the _passwd utility, or within the client package, then it would make life easier (yes, that possibly needs to be aimed at Debian maintainers etc).
Is there a way to generate the password hashes in a scriptable, standalone way? I noticed openssl passwd -6 can generate the "old" style passwords, but I really would prefer PBKDF2 hashes :-)
Maybe just use:
$ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/pwfile someuser somepassword
where /mosquitto/pwfile/pwfile is the path associated with the password_file directive in your mosquitto.conf, as in:
password_file /mosquitto/pwfile/pwfile
If you want to prepare an offline password file then you can use the same approach to create one by adding the -c flag when you define the first user:
$ docker exec mosquitto mosquitto_passwd -c -b /mosquitto/pwfile/myfile firstuser firstpassword
and then you can go back to the original command syntax:
$ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/myfile seconduser secondpassword
If passwords turning up in your history log bothers you then you have two choices:
- Put a space before the docker, as in:
$  docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/myfile thirduser thirdpassword
That leading space prevents the command from going into the history.
- Use interactive mode by adding the -it flags to the docker exec command, and omitting both the -b flag and the password argument from the mosquitto_passwd command:
$ docker exec -it mosquitto mosquitto_passwd /mosquitto/pwfile/myfile fourthuser
Password:
Reenter password:
But I don't have docker, this is running on a remote kubernetes instance.
Hi Andreas,
We had a discussion about standalone password file generation (in pre-PBKDF2 times) on the mailing list prompted by a similar need.
I did some work on a PHP implementation (see initial response to the ml question) and ended up doing a rudimentary PHP script for the, then solely supported, SHA512 based algorithm.
You can find it at my tools repository (GPL-3.0-or-later): https://git.sr.ht/~mikini/hometools/tree/master/item/mosquitto_passwd.php.
There's also a bit about it, and some more recent thoughts on PBKDF2 support, on my blog: Generating passwords for Mosquitto MQTT broker using PHP.
Regards, Mikkel
Thanks Mikkel,
cool, that's helpful... I guess I should be able to make an OpenSSL based one quite trivially too!
cheers, Andreas
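
The scriptable, standalone PBKDF2 generation asked for in this thread, written in Python as an added example; it is not code from the thread or from the mosquitto project. The `$7$` line layout, the 12-byte salt, the 64-byte hash and the default of 101 iterations are assumptions about what mosquitto_passwd 2.x writes, and `make_entry` / `verify_entry` are hypothetical names.

```python
import base64
import getpass
import hashlib
import hmac
import os
import sys

# ASSUMED layout (not stated in the thread; check against a line written by the
# broker's own mosquitto_passwd):  user:$7$<iterations>$<b64 salt>$<b64 hash>
# where hash = PBKDF2-HMAC-SHA512(password, salt, iterations), 64 bytes long.
HASH_TYPE, SALT_LEN, HASH_LEN = "7", 12, 64
DEFAULT_ITERATIONS = 101  # assumed mosquitto_passwd default; stored per entry


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def make_entry(user, password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return one password_file line for `user`, without the trailing newline."""
    if not user or ":" in user or "\n" in user:
        raise ValueError("username must be non-empty, without ':' or newline")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, HASH_LEN)
    return f"{user}:${HASH_TYPE}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_entry(line, password):
    """Recompute the hash from the stored salt and iteration count and compare."""
    _user, _, field = line.strip().partition(":")
    parts = field.split("$")  # ['', '7', iterations, salt, hash]
    if len(parts) != 5 or parts[0] or parts[1] != HASH_TYPE:
        return False
    try:
        salt = base64.b64decode(parts[3], validate=True)
        stored = base64.b64decode(parts[4], validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), salt, int(parts[2]), len(stored))
    except (ValueError, OverflowError):
        return False  # malformed base64, iteration count or hash length
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Usage: python3 mkpw.py USER >> pwfile  (prompted, so nothing lands in argv/history)
    pw = getpass.getpass("Password: ")
    if pw != getpass.getpass("Reenter password: "):
        sys.exit("Error: passwords do not match.")
    print(make_entry(sys.argv[1], pw))
```

Because the iteration count is stored in each entry under this layout, a higher value can be passed to `make_entry` without changing how the line is verified.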