Securing MQTT: A Guide to Basic Authentication

Published at 10/2/2023
Categories: mqtt, auth
Author: sibelius

Instant Payments for IoT

Woovi wants to enable instant payments everywhere.
To make this possible for IoT devices, like vending machines, we are working on our infrastructure to make this integration easy and secure.

MQTT

After evaluating IoT messaging options, we decided to use the MQTT standard.
It is lightweight and efficient, it uses a publish/subscribe architecture,
and it can be secured.
This lets us send and receive messages from IoT devices about payment events.

Adding basic authentication for the MQTT Server

An MQTT server can allow unauthenticated access, access with a username and password, or access through auth plugins. You can read more about this in the Mosquitto documentation on authentication methods.

We are using mosquitto as our MQTT server.

For our basic use case we only need two users: one that can read and write on any topic, and another that can only read.

This is our docker compose service for mosquitto as the MQTT server:

  mosquitto:
    image: eclipse-mosquitto:latest
    restart: always
    command: mosquitto -c /mosquitto/config/mosquitto.conf
    ports:
      - '1884:1883'
      - '8081:8080'
    volumes:
      - ./docker/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ./docker/mosquitto/acl.conf:/mosquitto/config/acl.conf
      - ./docker/mosquitto/passwd.txt:/mosquitto/config/passwd.txt

mosquitto.conf

autosave_on_changes false
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
listener 1883
listener 8080
protocol websockets
password_file /mosquitto/config/passwd.txt
acl_file /mosquitto/config/acl.conf
allow_anonymous false

acl.conf

user writer
topic readwrite #
user reader
topic read #

passwd.txt

writer:***
reader:***

mosquitto.conf holds the configuration for the MQTT server;
allow_anonymous false disables unauthenticated access.

acl.conf describes read and write permissions for topics per user.
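To check offline what the acl.conf above grants before the broker is deployed, here is an added Python evaluator (not code from the article or from the mosquitto project). It models only what this file uses, user lines, topic lines with read/write/readwrite, and the # and + wildcards, not pattern or deny rules; the topic payments/vm-1/paid is a constructed sample.

```python
# The acl.conf from the article, embedded so this runs stand-alone.
ACL_CONF = """\
user writer
topic readwrite #
user reader
topic read #
"""

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter match: '+' matches exactly one level, '#' (last level only) matches the rest."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def parse_acl(text: str) -> dict:
    """Parse 'user <name>' and 'topic [access] <filter>' lines into {user: [(access, filter)]}.
    Topic lines before the first 'user' line apply to anonymous clients; they are stored under None."""
    rules, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # a leading '#' is a comment, not a wildcard
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            rules.setdefault(current, [])
        elif parts[0] == "topic" and len(parts) == 2:
            rules[current].append(("readwrite", parts[1]))  # bare 'topic <filter>' means readwrite
        elif parts[0] == "topic" and len(parts) == 3 and parts[1] in ("read", "write", "readwrite"):
            rules[current].append((parts[1], parts[2]))
        else:
            raise ValueError(f"unsupported acl line (pattern/deny are not modelled here): {raw!r}")
    return rules

def allowed(rules: dict, user, access: str, topic: str) -> bool:
    """access is 'read' (subscribe/receive) or 'write' (publish); a user with no matching rule is denied."""
    for rule_access, topic_filter in rules.get(user, []):
        if topic_matches(topic_filter, topic) and rule_access in ("readwrite", access):
            return True
    return False

if __name__ == "__main__":
    acl = parse_acl(ACL_CONF)
    for who, what in (("writer", "write"), ("reader", "read"), ("reader", "write"), ("vendor", "read")):
        verdict = "allow" if allowed(acl, who, what, "payments/vm-1/paid") else "deny"
        print(f"{who}/{what} on payments/vm-1/paid: {verdict}")
```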

passwd.txt holds the hashes of the users' passwords, not the passwords themselves.

How to generate the passwd.txt?

Create a passwd.txt file with your users and passwords:

writer:secret-writer
reader:secret-reader

Run the mosquitto_passwd CLI with -U to convert the plaintext passwords in the file into hashes:

mosquitto_passwd -U passwd.txt 

In Summary

This guide showed how to set up basic authentication on an MQTT server using a password file.
For simple use cases with a few users this works well; if you have more specific security requirements, you need to move to auth plugins to create users and manage ACLs dynamically.

Check the auth plugin documentation for more complex use cases.


Woovi
Woovi is a startup that enables shoppers to pay as they like. To make this possible, Woovi provides instant payment solutions for merchants to accept orders.

If you want to work with us, we are hiring!


Photo by Joshua Sortino on Unsplash
