eclipse / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

Ship mosquitto_passwd separately or part of client package maybe? #2915

Open andreas-ibm opened 11 months ago

andreas-ibm commented 11 months ago

When running mosquitto as part of a containerised environment, it is handy to be able to generate the password file outside the container running mosquitto. At the moment the only way to get mosquitto_passwd is through installing the entire broker, which kinda defeats the containerised approach... If only there was a package with just the _passwd utility, or within the client package then it would make life easier (yes, that possibly needs to be aimed at Debian maintainers etc).

Is there a way to generate the password hashes in a scriptable, standalone way? I noticed openssl passwd -6 can generate the "old" style passwords, but I really would prefer PBKDF2 hashes :-)

Paraphraser commented 11 months ago

Maybe just use:

    $ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/pwfile someuser somepassword

where /mosquitto/pwfile/pwfile is the path associated with the password_file directive in your mosquitto.conf, as in:

    password_file /mosquitto/pwfile/pwfile

If you want to prepare an offline password file then you can use the same approach to create one by adding the -c flag when you define the first user:

    $ docker exec mosquitto mosquitto_passwd -c -b /mosquitto/pwfile/myfile firstuser firstpassword

and then you can go back to the original command syntax:

    $ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/myfile seconduser secondpassword

If passwords turning up in your history log bothers you then you have two choices:

  1. Put a space before the docker, as in:

    $  docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/myfile thirduser thirdpassword

    That leading space prevents the command from going into the history.

  2. Use interactive mode by adding the -it flags to the docker exec command, and omitting both the -b flag and the password argument from the mosquitto_passwd command:

    $ docker exec -it mosquitto mosquitto_passwd /mosquitto/pwfile/myfile fourthuser
    Password: 
    Reenter password:

andreas-ibm commented 11 months ago

But I don't have docker, this is running on a remote Kubernetes instance.

mikini commented 5 months ago

Hi Andreas,

We had a discussion about standalone password file generation (in pre-PBKDF2 times) on the mailing list prompted by a similar need.

I did some work on a PHP implementation (see initial response to the ml question) and ended up doing a rudimentary PHP script for the, then solely supported, SHA512 based algorithm.

You can find it at my tools repository (GPL-3.0-or-later): https://git.sr.ht/~mikini/hometools/tree/master/item/mosquitto_passwd.php.

There's also a bit about it, and some more recent thoughts on PBKDF2 support, on my blog: Generating passwords for Mosquitto MQTT broker using PHP.

Regards, Mikkel

andreas-ibm commented 5 months ago

Thanks Mikkel,

cool, that's helpful... I guess I should be able to make an OpenSSL based one quite trivially too!

cheers, Andreas
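
Added example, not part of the thread and not Mosquitto project code: a standalone Python sketch of the scriptable PBKDF2 password-file generation asked about in the opening post, needing neither the broker nor docker. It assumes the entry layout username:$7$iterations$base64(salt)$base64(hash) with PBKDF2-HMAC-SHA512 and a 12-byte salt; the function names and the mkpw.py file name are hypothetical, and a generated entry should be tested against your broker version before it is relied on.

```python
import base64
import getpass
import hashlib
import hmac
import secrets
import sys

HASH_ID = "7"   # assumption: "$7$" marks PBKDF2-HMAC-SHA512 entries
SALT_LEN = 12   # assumption: salt length in bytes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_entry(username, password, iterations, salt=None):
    """Return one password-file line for username (hypothetical helper)."""
    if not username or any(c in username for c in ":\r\n"):
        raise ValueError("username must be non-empty without ':' or newlines")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{username}:${HASH_ID}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_entry(line, password):
    """Recompute the hash from a stored line and compare in constant time."""
    _user, _, rest = line.strip().partition(":")
    parts = rest.split("$")  # ['', '7', iterations, salt, hash]
    if len(parts) != 5 or parts[0] or parts[1] != HASH_ID:
        raise ValueError("not a $7$ PBKDF2 entry")
    salt, expected = base64.b64decode(parts[3]), base64.b64decode(parts[4])
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                 int(parts[2]), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage: python3 mkpw.py USERNAME ITERATIONS >> pwfile
    # The password is prompted for, so it never appears in argv or shell history.
    user, rounds = sys.argv[1], int(sys.argv[2])
    first = getpass.getpass("Password: ")
    if first != getpass.getpass("Reenter password: "):
        sys.exit("passwords do not match")
    print(make_entry(user, first, rounds))
```

The resulting line can be placed in a Kubernetes Secret and mounted at the path named by the password_file directive.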