Re: [mosquitto-dev] externally generated passwords for broker not compat

[Roger Light <roger@xxxxxxxxxx>]

Hi Shan,

passlib uses its self defined version of base64, described as "encode using shortened base64 format which omits padding & whitespace. uses custom ./ altchars."

https://passlib.readthedocs.io/en/stable/lib/passlib.utils.binary.html#passlib.utils.binary.ab64_encode

Mosquitto uses normal base64 encoding, hence why it will not accept this alternate encoding. If you replace the `.` with `+` I believe it should work.

Regards,

Roger

On Mon, 10 Jul 2023 at 09:36, Shan D via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> wrote:

Hi Roger and all, 

I was playing around with the passlib python package which offers pbkdf2_sha512 encryption and I wanted to use the password generated from this function to generate users for mosquitto.

HOW TO GENERATE

from passlib.hash import pbkdf2_sha512

from secrets import token_bytes

digest = pbkdf2_sha512.using(salt=token_bytes(12), salt_size=12, rounds=101).hash('testing')

print(digest + '==') # this is required because checksum is only 86 chars long

this will generate something like:

$pbkdf2-sha512$101$RsfyboeO.Wmd2Qig$8fTVPoDsy87q9N9k52MlR9RcIF3N4SCFfft/kctp/..frxpRgBtfYhTuOrBt/clsKw83vkLvuxDka1JZCEE3hA==

we replace the first part with $7$ because that is how mosquitto understands which scheme the password hash is.

I found out that there is some inconsistency in mosquitto.

SCENARIO

Whenever there is a '.' character in the the password part of the hash or in the salt part, mosquitto discards the credentials outright.

Logs:

   1678781554: Error: Unable to decode password salt for user test1, removing entry.

Is there something wrong from my part or is it a known observation about special characters in password hashes

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev