Mosquitto — User Access Configurations Setups
Editing mosquitto.conf File to Configure Simple Authentication— MQTT — Episode #02
Hi, let’s first look at mosquitto’s anonymous access communication. This post continues MQTT — Episode #01 :)
In the end, we will force access to mosquitto's broker via login/password only.

Let us begin by not editing this file (I’m using mosquitto v1.6.8):
C:\Program Files\mosquitto\mosquitto.conf
The mosquitto.conf is the configuration file for mosquitto. In this first configuration, a similar internal file will be loaded by the mosquitto broker automatically, and its default configuration authorizes anonymous access :/

For anonymous access, we will now bring up the broker with its default configuration, remember, without modifying mosquitto.conf :)
Here are the steps:
0° Step — Install the mosquitto broker on your machine & reconfigure its service in Win10 so we can start & stop it manually;
Consider following this post :)
Preparing 3 Prompt Terminals
Open three terminals; type these commands in each one:
cd.. (2x) // go to c:/> directory
cd C:\Program Files\mosquitto // change to mosquitto directory
cls // clear the screen ;)
First, anonymous access:
Anonymous Access
1° Step — Let’s run the server:
On Term1, in C:\Program Files\mosquitto\ directory, type:
mosquitto -v
2° Step — At the other two terminals, in sequence, for the sub & pub clients, type:
Term_2, for _sub, in C:\Program Files\mosquitto\ directory, type:
mosquitto_sub -h localhost -p 1883 -t temperature
Term_3, for _pub, in C:\Program Files\mosquitto\ directory, type:
mosquitto_pub -h localhost -p 1883 -t temperature -m 45
See the dump in the broker's admin terminal above. Notice that the clients are anonymous — this is very dangerous on the internet :/
1578781497: New client connected from ::1 as mosq-5eKhup3oVmPBaNaZnW (p2, c1, k60).
Simple Authentication Access
Now let’s fix anonymous access by setting up a login/password connection.
Anonymous clients will be refused.
For this, we will have to edit the mosquitto.conf file with administrator credentials. Here is its structure:

As you know, this file is located in a system directory, so we need to open it in the Notepad++ editor as administrator:

To create a password file, you need to use the mosquitto_passwd utility that comes with the client tools when installing the mosquitto broker.
To set up authenticated access, at Term_01, we need to stop the server (Ctrl + C) and use the command below to create the passwordfile.pwd file, which will be located in the C:\Program Files\mosquitto directory; our administrator will be the admin user and our password will be 123;
1° Step — On Term 1, in the C:\Program Files\mosquitto\ directory, type:
mosquitto_passwd -c "C:\Program Files\mosquitto\passwordfile.pwd" admin
and hit <enter>, then enter the chosen password (123) twice;
This command creates the passwordfile.pwd file and sets admin as our administrator user, with password 123 ;)
Your user configuration file is ready in the C:\Program Files\mosquitto\ directory!
Admin is the name of our first and main user;
2° Step — Go to the C:\Program Files\mosquitto directory and see the file created there:

If we open this new file, passwordfile.pwd, as text, we will see the admin user credentials:
admin:$6$sEorGWHKkOfEI8qJ$nxEMynuvKuguXqbYq7TWBsSAxEDon/MuK0pFo4Cm0yOK29m/I0yi6y3zFzuJeFXRT9DgyVVLDS/wO72CADlIaw==
3° Step — Now open C:\Program Files\mosquitto\mosquitto.conf.
Uncomment line 651 and set it to false, like this:
allow_anonymous false
4° Step — Scroll down to line 669, uncomment it and set it to the location of the password file, like this:
password_file "C:\Program Files\mosquitto\passwordfile.pwd"
Save the file and now start the server again.
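Before restarting the broker, the two edits and the password file can be checked with a short script. This is an added example, not part of the original post; it assumes a single listener with global settings, treats an unset allow_anonymous as permitting anonymous access (the default described above), and runs on constructed sample text rather than the real files.

```python
import re

# Hashed entry in the form shown in the post: user:$6$<base64 salt>$<base64 hash>
HASHED = re.compile(r"^[^:\s]+:\$6\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")

def effective_options(conf_text):
    """Return the last uncommented value of each option in mosquitto.conf text."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out option leaves the broker default in force
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(conf_text, passwd_text):
    """List findings that would leave the broker open to anonymous clients."""
    findings = []
    opts = effective_options(conf_text)
    # Assumption: an unset allow_anonymous behaves like "true" (default in the post).
    if opts.get("allow_anonymous", "true") != "false":
        findings.append("allow_anonymous is not set to false")
    if not opts.get("password_file"):
        findings.append("password_file is not set")
    for n, entry in enumerate(passwd_text.splitlines(), 1):
        if entry.strip() and not HASHED.match(entry.strip()):
            findings.append(f"password file line {n} is not a hashed entry")
    return findings

# Constructed samples: the untouched file, the edited file, and password files.
CONF_BEFORE = "#allow_anonymous true\n#password_file\n"
CONF_AFTER = r'''# constructed sample of the edited file
allow_anonymous false
password_file "C:\Program Files\mosquitto\passwordfile.pwd"
'''
PASSWD_OK = "admin:$6$Y29uc3RydWN0ZWQx$Q09OU1RSVUNURURoYXNo\n"  # not a real hash
PASSWD_BAD = PASSWD_OK + "guest:123\n"  # hand-typed plaintext entry

if __name__ == "__main__":
    for name, conf, pw in [("before", CONF_BEFORE, ""),
                           ("after", CONF_AFTER, PASSWD_OK),
                           ("plaintext entry", CONF_AFTER, PASSWD_BAD)]:
        print(name, "->", audit(conf, pw) or "ok")
```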
5° Step — At Terminal 1, type (run as Administrator, please):
<Ctrl + C> // To stop the server
mosquitto -c mosquitto.conf -v // to run it with the file loaded
This will break the connection of the anonymous client:

6° Step — Now let’s test if the admin user can subscribe to the topic:
At Terminal 2, type:
mosquitto_sub -h localhost -p 1883 -u admin -P 123 -t temperature
7° Step — Now let’s test if the admin user can publish to the same topic.
At Terminal 3, type (run as Administrator, please):
mosquitto_pub -h localhost -p 1883 -u admin -P 123 -t temperature -m 45
And there you have it! No more anonymous users!
1578789217: New client connected from ::1 as mosq-EEOo25jUO0f6IGxaTP (p2, c1, k60, u'admin').
In the next MQTT episode, let’s use ACL (Access Control List).
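The two "New client connected" lines in this post differ only in the u'admin' field, which makes anonymous sessions easy to pick out of the broker's verbose output. The following is an added example, not part of the original post; the function names are hypothetical and the sample lines are the ones printed in the post.

```python
import re
from datetime import datetime, timezone

# Matches the verbose-mode connection line shown in the post.
CONNECT = re.compile(
    r"^(?P<ts>\d+): New client connected from (?P<addr>\S+) "
    r"as (?P<client_id>\S+) \((?P<fields>[^)]*)\)")
# The username appears as u'<name>' only when the client authenticated.
USERNAME = re.compile(r"u'(?P<user>[^']*)'")

def parse_connect(line):
    """Parse one 'New client connected' line; return None for any other line."""
    m = CONNECT.match(line.strip())
    if not m:
        return None
    user = USERNAME.search(m["fields"])
    return {
        "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc).isoformat(),
        "addr": m["addr"],
        "client_id": m["client_id"],
        "user": user["user"] if user else None,
    }

def anonymous_connections(lines):
    """Return the connections the broker accepted without a username."""
    events = (parse_connect(line) for line in lines)
    return [e for e in events if e and e["user"] is None]

# Sample input: log lines copied from the post (two connects and one PINGREQ).
SAMPLE_LOG = [
    "1578781497: New client connected from ::1 as mosq-5eKhup3oVmPBaNaZnW (p2, c1, k60).",
    "1578781138: Received PINGREQ from mosq-nSDsiy1MZKG4ShY5D0",
    "1578789217: New client connected from ::1 as mosq-EEOo25jUO0f6IGxaTP (p2, c1, k60, u'admin').",
]

if __name__ == "__main__":
    for event in anonymous_connections(SAMPLE_LOG):
        print("anonymous client:", event["time"], event["addr"], event["client_id"])
```

With allow_anonymous false in effect, this list should stay empty; any entry means the broker is running with a configuration that still admits anonymous clients.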
Thanks and bye, for now, o/
Download All Files For This Project
MQTT Related Posts
01# Episode — Mosquitto — Intro To MQTT — It is Suitable for the Internet of Things Applications — MQTT
02# Episode — Mosquitto — User Access Configurations Setups — Editing mosquitto.conf File to Configure SSL Authentications — MQTT (this one)
03# Episode — Mosquitto — Mosquitto — ACLs — Wildcards & ACL — access control lists — MQTT
04# Episode — Mosquitto — MQTT QoS — How To Set QoS at Mosquitto Broker — MQTT
05# Episode — Mosquitto — Bulletproof TLS & SSL Mosquitto — How To Set Up Mosquitto Broker/Client Keys & Certificates — MQTT
06# Episode — Mosquitto — Mosquitto Bridge — How To Bridge Two Mosquitto Brokers — MQTT
07…be tuned for the upcoming post about MQTT and IoT o/
References & Credits
Eclipse Mosquitto™ An open source MQTT broker
Microgênios — Treinamento em Sistemas Embarcados — Microchip Regional Partner — Microchip Certified Brazilian Training Education Company & a Simplício-Owned enterprise o/
Notes About mosquitto
- After installation and every PC restart, the mosquitto program starts automatically;
- Mosquitto runs as a service and operates in the background;
- If a new configuration is made in mosquitto, it is common to STOP and START the mosquitto MQTT service;
- Through the shell, it is possible to reconfigure mosquitto without restarting the service;
- The clients are constantly sending PING to the server, which responds at intervals of about 60 seconds; an extract follows:
1578781078: Sending PINGRESP to mosq-nSDsiy1MZKG4ShY5D0
1578781138: Received PINGREQ from mosq-nSDsiy1MZKG4ShY5D0
- This is because the HTTP protocol, which mosquitto is under, tends to disconnect the clients;
