Re: [mosquitto-dev] externally generated passwords for broker not compatible

Hi Roger,

Thank you for getting back to me. I will give it a try as you suggested. Heads up, I opened an Issue regarding this topic on the eclipse/mosquitto repo.

If the replacement works out, I will close it with appropriate comments for someone that might stumble upon it.

Thanks,

Shan

On Mon, Jul 10, 2023 at 5:41 PM Roger Light via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> wrote:
Hi Shan,

passlib uses its own self-defined version of base64, described as "encode using shortened base64 format which omits padding & whitespace. uses custom ./ altchars."


Mosquitto uses normal base64 encoding, hence why it will not accept this alternate encoding. If you replace the `.` with `+` I believe it should work.

Regards,

Roger

On Mon, 10 Jul 2023 at 09:36, Shan D via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> wrote:
Hi Roger and all, 

I was playing around with the passlib python package which offers pbkdf2_sha512 encryption and I wanted to use the password generated from this function to generate users for mosquitto.

HOW TO GENERATE

from passlib.hash import pbkdf2_sha512
from secrets import token_bytes

digest = pbkdf2_sha512.using(salt=token_bytes(12), salt_size=12, rounds=101).hash('testing')

print(digest + '==') # this is required because checksum is only 86 chars long


This will generate something like:
$pbkdf2-sha512$101$RsfyboeO.Wmd2Qig$8fTVPoDsy87q9N9k52MlR9RcIF3N4SCFfft/kctp/..frxpRgBtfYhTuOrBt/clsKw83vkLvuxDka1JZCEE3hA==

We replace the first part with $7$ because that is how mosquitto understands which scheme the password hash is.

I found out that there is some inconsistency in mosquitto.

SCENARIO

Whenever there is a '.' character in the password part of the hash or in the salt part, mosquitto discards the credentials outright.

Logs:

   1678781554: Error: Unable to decode password salt for user test1, removing entry.

Is there something wrong from my part or is it a known observation about special characters in password hashes?
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
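
The conversion discussed in this thread, as an added example that is not part of the original messages and is not Mosquitto or passlib code: it rewrites a passlib-style `$pbkdf2-sha512$` digest into a `$7$` entry using standard padded base64, then checks the result with a strict decoder. The function names, the constructed salt and the assumed field layout `$7$<iterations>$<salt>$<hash>` are assumptions; only the Python standard library is used.

```python
import base64
import binascii
import hashlib
import hmac

def ab64_encode(raw: bytes) -> str:
    """passlib-style base64 as described in the thread: '.' for '+', no padding."""
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")

def make_passlib_style_digest(password: str, salt: bytes, rounds: int) -> str:
    """Build a $pbkdf2-sha512$ string in the shape shown in the thread."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${ab64_encode(salt)}${ab64_encode(dk)}"

def passlib_to_mosquitto(digest: str) -> str:
    """Rewrite to $7$rounds$salt$hash with standard base64 (assumed layout)."""
    parts = digest.split("$")
    if len(parts) != 5 or parts[0] or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a pbkdf2-sha512 digest")
    rounds = int(parts[2])
    out = []
    for name, field in (("salt", parts[3]), ("hash", parts[4])):
        std = field.rstrip("=").replace(".", "+")  # '.' -> '+', drop hand-added '='
        std += "=" * (-len(std) % 4)               # restore correct padding
        try:
            raw = base64.b64decode(std, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{name} is not valid base64") from exc
        if name == "hash" and len(raw) != hashlib.sha512().digest_size:
            raise ValueError("hash is not 64 bytes")
        out.append(std)
    return f"$7${rounds}${out[0]}${out[1]}"

def verify_mosquitto(entry: str, password: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA512 from a converted entry using strict base64."""
    _, scheme, rounds, salt_b64, hash_b64 = entry.split("$")
    salt = base64.b64decode(salt_b64, validate=True)
    want = base64.b64decode(hash_b64, validate=True)
    got = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(rounds))
    return scheme == "7" and hmac.compare_digest(got, want)

# Constructed sample: this salt encodes to sixteen '+' (standard) or '.' (passlib).
SALT = bytes([0xFB, 0xEF, 0xBE]) * 4

if __name__ == "__main__":
    entry = passlib_to_mosquitto(make_passlib_style_digest("testing", SALT, 101))
    print("test1:" + entry, verify_mosquitto(entry, "testing"))
```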