How to securely store the password of Mosquitto as a client to RabbitMQ

[spotlesscoder]

Hello,

I have a configuration where Mosquitto connects to RabbitMQ (source of messages) as a client and acts like a bridge, sending them to another system.

I don't want to have the password of the rabbitmq user stored in the mosquitto.conf, which mosquitto makes use of to connect to rabbitmq.

As far as I undestood the documentation, the password_file option is only for the other way round (clients making a connection to mosquitto).

Is it possible to store the password, mosquitto uses to connect to the RabbitMQ, in a keychain? Or is there even a more secure alternative? (Note that I need to use this with mosquitto running in docker)

[spotlesscoder]

Also, the bridge configuration they gave me uses "username" and "password" options for both of the connections (from RabbitMQ and to external system)

This is quite confusing to me as the documentation (https://mosquitto.org/man/mosquitto-conf-5.html) only documents "user", "remote_username", "local_username", "remote_password" and "local_password" .. I'm not quite sure which of those are replaced by "username" and "password"

Maybe "username" is "local_username" for clients connecting to my mosquitto and "remote_username" for the connection I make to the source of the messages?

[karlp]

use appropriate file permissions on your config file?

[spotlesscoder]

The problem is that we might want to version the configuration files of our system using Git. We might risk that the password leaves the server by the config file with the password in it being commited and pushed to Git.