Ship mosquitto_passwd separately or part of client package maybe? #2915

Open
andreas-ibm opened this issue Oct 3, 2023 · 4 comments

Comments

@andreas-ibm

When running mosquitto as part of a containerised environment, it is handy to be able to generate the password file outside the container running mosquitto. At the moment the only way to get mosquitto_passwd is through installing the entire broker, which kinda defeats the containerised approach...
If only there was a package with just the _passwd utility, or within the client package, then it would make life easier (yes, that possibly needs to be aimed at Debian maintainers etc).

Is there a way to generate the password hashes in a scriptable, standalone way? I noticed openssl passwd -6 can generate the "old" style passwords, but I really would prefer PBKDF2 hashes :-)

@Paraphraser

Maybe just use:

$ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/pwfile someuser somepassword

where /mosquitto/pwfile/pwfile is the path associated with the password_file directive in your mosquitto.conf, as in:

password_file /mosquitto/pwfile/pwfile

If you want to prepare an offline password file then you can use the same approach to create one by adding the -c flag when you define the first user:

$ docker exec mosquitto mosquitto_passwd -c -b /mosquitto/pwfile/myfile firstuser firstpassword

and then you can go back to the original command syntax:

$ docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/myfile seconduser secondpassword

If passwords turning up in your history log bothers you then you have two choices:

  1. Put a space before the docker, as in:

    $  docker exec mosquitto mosquitto_passwd -b /mosquitto/pwfile/myfile thirduser thirdpassword
    

    That leading space prevents the command from going into the history.

  2. Use interactive mode by adding the -it flags to the docker exec command, and omitting both the -b flag and the password argument from the mosquitto_passwd command:

    $ docker exec -it mosquitto mosquitto_passwd /mosquitto/pwfile/myfile fourthuser
    Password: 
    Reenter password: 
    

@andreas-ibm
Author

But I don't have docker, this is running on a remote kubernetes instance.

@mikini

mikini commented Mar 28, 2024

Hi Andreas,

We had a discussion about standalone password file generation (in pre-PBKDF2 times) on the mailing list prompted by a similar need.

I did some work on a PHP implementation (see initial response to the ml question) and ended up doing a rudimentary PHP script for the, then solely supported, SHA512 based algorithm.

You can find it at my tools repository (GPL-3.0-or-later): https://git.sr.ht/~mikini/hometools/tree/master/item/mosquitto_passwd.php.

There's also a bit about it, and some more recent thoughts on PBKDF2 support, on my blog: Generating passwords for Mosquitto MQTT broker using PHP.

Regards,
Mikkel

@andreas-ibm
Author

Thanks Mikkel,

cool, that's helpful... I guess I should be able to make an OpenSSL-based one quite trivially too!

cheers,
Andreas
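
A standalone way to produce the PBKDF2 entries asked about at the top of this thread, as an added example that is not part of any comment here and is not Mosquitto project code. It assumes the Mosquitto 2.x entry layout `user:$7$<iterations>$<base64 salt>$<base64 hash>` with PBKDF2-HMAC-SHA512, a 12-byte salt and 101 iterations; the function and constant names are this example's own.

```python
import base64
import getpass
import hashlib
import hmac
import secrets

# Assumed Mosquitto 2.x defaults (not stated in this thread); compare with a
# line written by your broker version's own mosquitto_passwd before relying on it.
SALT_LEN = 12     # raw salt bytes
HASH_LEN = 64     # SHA-512 output size
ITERATIONS = 101  # assumed default; the count is stored in every entry


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def make_entry(username, password, iterations=ITERATIONS, salt=None):
    """Return one password_file line: user:$7$<iter>$<b64 salt>$<b64 hash>."""
    if not username or ":" in username or "\n" in username:
        raise ValueError("username must be non-empty and free of ':' and newlines")
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations, HASH_LEN)
    return f"{username}:$7${iterations}${_b64(salt)}${_b64(digest)}"


def verify_entry(line, password):
    """Recompute the hash of a $7$ line and compare it in constant time."""
    _user, _, field = line.strip().partition(":")
    parts = field.split("$")  # ['', '7', iterations, salt, hash]
    if len(parts) != 5 or parts[1] != "7":
        return False
    try:
        salt = base64.b64decode(parts[3], validate=True)
        expected = base64.b64decode(parts[4], validate=True)
        digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                     salt, int(parts[2]), len(expected))
    except (ValueError, OverflowError):  # bad base64 or unusable iteration count
        return False
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Prompt instead of taking the password as an argument, so it never lands
    # in shell history or the process list.
    user = input("Username: ")
    print(make_entry(user, getpass.getpass("Password: ")))
```

Each printed line can be appended to the file named by the `password_file` directive; `verify_entry` is there to check a generated line against one written by the real `mosquitto_passwd` using the same password.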
