HJianBo
commented
4 years ago Hi, @coldfire84 Thanks for your report. We will try to reproduce it
Open coldfire84 opened 4 years ago
HJianBo
commented
4 years ago Hi, @coldfire84 Thanks for your report. We will try to reproduce it
coldfire84
commented
4 years ago I'm unsure whether the encoding is causing issues, being set to base64? As per passport-local-mongoose config docs.
After extra testing I can confirm that having password hash/ salt stored as 'hex' encoded does not fix the issue. Passport-local mongoose config (note hex encoding is used by default if an alternate is not supplied):
saltlen: 32
keylen: 512
digestAlgorithm: 'sha512'
iterations: 25000EMQX config:
-e EMQX_AUTH__MONGO__AUTH_QUERY__PASSWORD_HASH="pbkdf2,sha512,25000,512"Hi, @coldfire84 Sorry to tell you that you have to migrate your password data if you switch from mosquitto to emqx
The emqx_auth_mongo saved password format like this:
{"username" : "usera", "password" : "ec7860ccaddf01ab92a6fb65b088fef5b6f8227ac5e00932", "salt" : "ssalt" }password field is an encrypted password saved with hex stringsalt field is a plain string onlyAnd the emqx_auth_mongo.conf related options should be:
auth.mongo.auth_query.password_field = password,salt
auth.mongo.auth_query.password_hash = pbkdf2,sha256,901,24And the MQTT client should using the plain password connecting to the broker, i.g:
mosquitto_sub -u usera -P abcde -t t -dSorry to tell you that you have to migrate your password data if you switch from mosquitto to emqx
Thanks for confirming.
salt field is a plain string only
I'd missed this :( - I'll have a look at the auth code and see if I can put together a PR for encoded salt based upon an option.
Any ideas why this generated such a large error in the logs?
HJianBo
commented
4 years ago Any ideas why this generated such a large error in the logs?
This error should be caused by emqx_auth_mong.conf options configured error. We will supplement the documentation to show these options
Ekion-1
commented
3 years ago I'm running into the same issue here but with the MySQL authentication. @coldfire84 did you ever figure out a way to do this without having all of the users reset their passwords?
coldfire84
commented
3 years ago @AlexGodbehere , I never figured it out. I adopted a different (and actively developed) Mosquitto Auto Plugin, so didn't have to change brokers in the end.
ihmgsm
commented
2 years ago Just figured out for Postgre SQL SELECT encode(decode(substring(pw, 36, 32), 'base64'), 'hex') AS password_hash, substring(pw, 19, 16) AS salt FROM mqtt_users where username = ${username} LIMIT 1
FernandoGarcia
commented
1 year ago Hi @HJianBo !
I'm facing similar issue when trying to move from mosquitto-auth-plug to emqx.
Could you give me some help to create the SQL query for this purpose?
The hashed password is created in this way using PHP.
define("PBKDF2_HASH_ALGORITHM", "sha256");
define("PBKDF2_ITERATIONS", 901);
define("PBKDF2_SALT_BYTE_SIZE", 12);
define("PBKDF2_HASH_BYTE_SIZE", 24);
define("SEPARATOR", "$");
define("TAG", "PBKDF2");
function create_hash($password) {
$salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
return TAG . SEPARATOR . PBKDF2_HASH_ALGORITHM . SEPARATOR . PBKDF2_ITERATIONS . SEPARATOR . $salt . SEPARATOR .
base64_encode(pbkdf2(
PBKDF2_HASH_ALGORITHM,
$password,
$salt,
PBKDF2_ITERATIONS,
PBKDF2_HASH_BYTE_SIZE,
true
));
}
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
$algorithm = strtolower($algorithm);
if(!in_array($algorithm, hash_algos(), true))
trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
if($count <= 0 || $key_length <= 0)
trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);
if (function_exists("hash_pbkdf2")) {
// The output length is in NIBBLES (4-bits) if $raw_output is false!
if (!$raw_output) {
$key_length = $key_length * 2;
}
return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
}
$hash_length = strlen(hash($algorithm, "", true));
$block_count = ceil($key_length / $hash_length);
$output = "";
for($i = 1; $i <= $block_count; $i++) {
// $i encoded as 4 bytes, big endian.
$last = $salt . pack("N", $i);
// first iteration
$last = $xorsum = hash_hmac($algorithm, $last, $password, true);
// perform the other $count - 1 iterations
for ($j = 1; $j < $count; $j++) {
$xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
}
$output .= $xorsum;
}
if($raw_output)
return substr($output, 0, $key_length);
else
return bin2hex(substr($output, 0, $key_length));
}This issues seem related https://github.com/emqx/emqx/issues/1396 https://github.com/emqx/emqx/issues/1394
I tried the SQL query suggested above and in this issues without success.
I'm using MySQL.
Best regards.
FernandoGarcia
commented
1 year ago Hi @zhongwencool! Could you give me some help with this issue? Thanks in advance.
I'm looking to migrate my mosquitto/ mosquitto-auth-plug setup, using MongoDB for authentication. Ideally, I want to migrate across without having to get 1200+ users to reset their passwords.
The existing MQTT authentication plugin is very specific about password format, example from mosquitto-auth-plug docs below:
Password hashing on my back-end is configured to use sha256, with the following additional relevant settings:
I've configured my EMQX docker container as follows:
I'm unsure whether the encoding is causing issues, being set to base64? As per passport-local-mongoose config docs.
To date I cannot get the EMQX broker to authenticate any of my users. A super user account generates the following error in the emqx logs when trying to connect:
A non-super user account causes an error (sanitized with IP/ username/password removed):
Any help greatly appreciated.