Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [mosquitto-dev] [DynamicSecurity] Clarification on Encrypted password generation

Hi all,

 I am back again as to ask what generally is the procedure to provision the Eclipse Broker initially when planning to use DynSec RBAC.

I am asking this because:
- I didn't have much luck generating the relevant hashes and salts using bash / openssl and it was more tedious than I expected
- I can an ephemeral docker container where I can run `mosquitto_ctrl dynsec init /mosquitto/config/dynamic-security.json admin` and it will generate the JSON file on my host filesystem (using volume mounts) however this only provide me an Admin User

What is standard practice when trying to setup RBAC for mosquitto at first "container-up"? Is it just creation of admin and then letting Cedalo Mgmt Center adding relevant users / groups / roles?

Thanks for your patience.


On Sat, Jun 18, 2022 at 1:01 PM Mikkel Kirkgaard Nielsen <miki@xxxxxxxxx> wrote:
Hello list,

On 17/06/2022 14.17, Roger Light wrote:
> On Fri, 17 Jun 2022 at 12:52, Shan D <sdes.softdev@xxxxxxxxx> wrote:
>> Can I find some documentation on how to encrypted password is created?
> It uses a PKCS#5 PBKDF2 hash function, with a sha512 digest and
> (currently) a 12 byte salt.

Maybe some help can be found from my older experiments generating
password entries compatible with mosquitto_passwd using PHP. The pre-v2
passwords, however, are only based on SHA512, post-v2 adds support for
an additional type with an added PBKDF2 step. It seems like the format
used in the JSON file is similar to the latter.

More details in my [blog post][1] and the [derived script][2].

PHP's [mappings to OpenSSL][3] should make the added PBKDF2 step
somewhat straightforward.

Another difference is that the [JSON file format stores the salt, hash
and iteration count separately][4] where mosquitto_passwd uses a
concatenated colon separated string (similar to [shadow][5]).



mosquitto-dev mailing list
To unsubscribe from this list, visit

Back to the top