
Re: [mosquitto-dev] [DynamicSecurity] Clarification on Encrypted password generation

Hi all,

I am back again to ask what generally is the procedure to provision the Eclipse broker initially when planning to use DynSec RBAC.

I am asking this because:
- I didn't have much luck generating the relevant hashes and salts using bash / openssl, and it was more tedious than I expected
- I can run an ephemeral docker container where I run `mosquitto_ctrl dynsec init /mosquitto/config/dynamic-security.json admin` and it will generate the JSON file on my host filesystem (using volume mounts); however, this only provides me an Admin User

What is standard practice when trying to set up RBAC for mosquitto at first "container-up"? Is it just creation of admin and then letting Cedalo Mgmt Center add relevant users / groups / roles?

Thanks for your patience.

Regards,
Shan

On Sat, Jun 18, 2022 at 1:01 PM Mikkel Kirkgaard Nielsen <miki@xxxxxxxxx> wrote:
Hello list,

On 17/06/2022 14.17, Roger Light wrote:
> On Fri, 17 Jun 2022 at 12:52, Shan D <sdes.softdev@xxxxxxxxx> wrote:
>> Can I find some documentation on how the encrypted password is created?
> It uses a PKCS#5 PBKDF2 hash function, with a sha512 digest and
> (currently) a 12 byte salt.

Maybe some help can be found from my older experiments generating
password entries compatible with mosquitto_passwd using PHP. The pre-v2
passwords, however, are only based on SHA512, post-v2 adds support for
an additional type with an added PBKDF2 step. It seems like the format
used in the JSON file is similar to the latter.

More details in my [blog post][1] and the [derived script][2].

PHP's [mappings to OpenSSL][3] should make the added PBKDF2 step
somewhat straightforward.

Another difference is that the [JSON file format stores the salt, hash
and iteration count separately][4] where mosquitto_passwd uses a
concatenated colon separated string (similar to [shadow][5]).

--
Regards,
Mikkel


[1]: https://mikini.dk/2017/01/generating-passwords-for-mosquitto-mqtt-broker-using-php
[2]: https://git.sr.ht/~mikini/hometools/tree/master/item/mosquitto_passwd.php
[3]: https://www.php.net/manual/en/function.openssl-pbkdf2.php
[4]: https://github.com/eclipse/mosquitto/blob/4ac8c0bcc34c8640e8c6a931e8e63ea4f250c6c7/plugins/dynamic-security/clients.c#L151-L191
[5]: https://linux.die.net/man/5/shadow
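As an added illustration (not code from the thread, mosquitto, or any of the posters), the following script builds a dynamic-security client entry the way the thread describes it: a PKCS#5 PBKDF2 hash with a SHA-512 digest, a 12-byte random salt, and hash, salt and iteration count stored as separate JSON fields. The default iteration count of 101, the base64 encoding of hash and salt, and the exact key names (`password`, `salt`, `iterations`, `roles`) are assumptions taken from my reading of the plugin source rather than from the thread; check them against the clients.c link above before relying on the output.

```python
"""Build a Mosquitto dynamic-security client entry with a PBKDF2-HMAC-SHA512 password."""
import base64
import hashlib
import hmac
import json
import os

SALT_LEN = 12      # bytes, as stated in the thread
HASH_LEN = 64      # SHA-512 digest length in bytes
ITERATIONS = 101   # assumption: mosquitto's default iteration count; not given in the thread


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PKCS#5 PBKDF2 with HMAC-SHA512 over the UTF-8 password and the given salt."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes, got {len(salt)}")
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)


def make_client_entry(username: str, password: str, roles, salt=None, iterations: int = ITERATIONS) -> dict:
    """Return a client object with hash, salt and iteration count kept as separate fields.

    Key names and base64 encoding are assumptions about the dynsec JSON layout.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # a fresh random salt for every client
    digest = hash_password(password, salt, iterations)
    return {
        "username": username,
        "textname": username,
        "password": base64.b64encode(digest).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterations": iterations,
        "roles": [{"rolename": r} for r in roles],
    }


def verify_password(entry: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and iterations; compare in constant time."""
    salt = base64.b64decode(entry["salt"])
    expected = base64.b64decode(entry["password"])
    return hmac.compare_digest(hash_password(candidate, salt, entry["iterations"]), expected)


if __name__ == "__main__":
    # Constructed sample values; the printed object is what would go into the "clients" list.
    print(json.dumps(make_client_entry("sensor01", "s3nsor-pass", ["telemetry"]), indent=2))
```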
