PBKDF2 / mosquitto-auth-plug password hash compatibility question #203
Comments
Hi, @coldfire84. Thanks for your report. We will try to reproduce it.

After extra testing I can confirm that having the password hash/salt stored as 'hex' encoded does not fix the issue. Passport-local-mongoose config (note hex encoding is used by default if an alternate is not supplied):

EMQX config:
Hi, @coldfire84. Sorry to tell you that you have to migrate your password data if you switch from mosquitto to emqx. The emqx_auth_mongo saved password format is like this:

    {"username" : "usera", "password" : "ec7860ccaddf01ab92a6fb65b088fef5b6f8227ac5e00932", "salt" : "ssalt" }

And the emqx_auth_mongo.conf related options should be:

    auth.mongo.auth_query.password_field = password,salt
    auth.mongo.auth_query.password_hash = pbkdf2,sha256,901,24

And the MQTT client should use the plain password when connecting to the broker, e.g.:
Thanks for confirming.
I'd missed this :( - I'll have a look at the auth code and see if I can put together a PR for encoded salt based upon an option. Any ideas why this generated such a large error in the logs?

This error should be caused by misconfigured emqx_auth_mongo.conf options. We will supplement the documentation to show these options.

I'm running into the same issue here but with the MySQL authentication. @coldfire84 did you ever figure out a way to do this without having all of the users reset their passwords?

@AlexGodbehere, I never figured it out. I adopted a different (and actively developed) Mosquitto Auth Plugin, so didn't have to change brokers in the end.

Just figured out for PostgreSQL.
Hi @HJianBo! I'm facing a similar issue when trying to move from mosquitto-auth-plug to emqx. Could you give me some help to create the SQL query for this purpose? The hashed password is created in this way using PHP.

    define("PBKDF2_HASH_ALGORITHM", "sha256");
    define("PBKDF2_ITERATIONS", 901);
    define("PBKDF2_SALT_BYTE_SIZE", 12);
    define("PBKDF2_HASH_BYTE_SIZE", 24);
    define("SEPARATOR", "$");
    define("TAG", "PBKDF2");

    function create_hash($password) {
        // The salt is base64-encoded first, and that base64 *text* is what
        // pbkdf2() below receives as the salt (not the raw random bytes).
        $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
        // Stored format: PBKDF2$<algorithm>$<iterations>$<base64 salt>$<base64 hash>
        return TAG . SEPARATOR . PBKDF2_HASH_ALGORITHM . SEPARATOR . PBKDF2_ITERATIONS . SEPARATOR . $salt . SEPARATOR .
            base64_encode(pbkdf2(
                PBKDF2_HASH_ALGORITHM,
                $password,
                $salt,
                PBKDF2_ITERATIONS,
                PBKDF2_HASH_BYTE_SIZE,
                true
            ));
    }

    function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
        $algorithm = strtolower($algorithm);
        if(!in_array($algorithm, hash_algos(), true))
            trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
        if($count <= 0 || $key_length <= 0)
            trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);

        if (function_exists("hash_pbkdf2")) {
            // The output length is in NIBBLES (4-bits) if $raw_output is false!
            if (!$raw_output) {
                $key_length = $key_length * 2;
            }
            return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
        }

        // Fallback: plain PBKDF2 (RFC 2898) built on hash_hmac for older PHP.
        $hash_length = strlen(hash($algorithm, "", true));
        $block_count = ceil($key_length / $hash_length);

        $output = "";
        for($i = 1; $i <= $block_count; $i++) {
            // $i encoded as 4 bytes, big endian.
            $last = $salt . pack("N", $i);
            // first iteration
            $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
            // perform the other $count - 1 iterations
            for ($j = 1; $j < $count; $j++) {
                $xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
            }
            $output .= $xorsum;
        }

        if($raw_output)
            return substr($output, 0, $key_length);
        else
            return bin2hex(substr($output, 0, $key_length));
    }

These issues seem related: emqx/emqx#1396 emqx/emqx#1394. I tried the SQL query suggested above and in these issues without success. I'm using MySQL. Best regards.
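The conversion the thread is circling around, as an added example that is not from the project or any commenter: the PHP create_hash() above feeds the base64 text of the salt into PBKDF2 and stores the derived key as base64, while the emqx_auth_mongo record shown earlier keeps the derived key as hex in `password` and the salt string in `salt`, with `pbkdf2,sha256,901,24`. The script below parses a mosquitto-auth-plug style record, rewrites it into that EMQX shape, and re-verifies it; it assumes (not confirmed by the page) that EMQX uses the stored salt string as the PBKDF2 salt bytes and compares the hex of the derived key.

```python
import base64
import hashlib
import hmac


def make_mosquitto_hash(password, salt_bytes, algo="sha256", iterations=901, key_len=24):
    """Reproduce the PHP create_hash() output: PBKDF2$algo$iter$b64salt$b64hash.
    The base64 *text* of the salt is the PBKDF2 salt, exactly as the PHP does."""
    salt_text = base64.b64encode(salt_bytes).decode("ascii")
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), salt_text.encode(), iterations, key_len)
    return "$".join(["PBKDF2", algo, str(iterations), salt_text,
                     base64.b64encode(dk).decode("ascii")])


def to_emqx_record(username, mosquitto_hash):
    """Rewrite one mosquitto-auth-plug record into the emqx_auth_mongo document shape.
    No re-hashing is needed: only the encoding of the derived key changes (base64 -> hex),
    and the salt string is carried over unchanged because it was the real PBKDF2 salt."""
    parts = mosquitto_hash.split("$")
    if len(parts) != 5 or parts[0] != "PBKDF2":
        raise ValueError("not a PBKDF2$algo$iter$salt$hash record")
    _, algo, iterations, salt_text, b64hash = parts
    raw_key = base64.b64decode(b64hash)
    return {
        "username": username,
        "password": raw_key.hex(),      # 24 bytes -> 48 hex chars, as in the page's sample
        "salt": salt_text,
        # value for auth.mongo.auth_query.password_hash (assumed mapping)
        "password_hash_option": "pbkdf2,%s,%s,%d" % (algo, iterations, len(raw_key)),
    }


def emqx_style_check(record, password, algo="sha256", iterations=901, key_len=24):
    """Assumed EMQX verification: PBKDF2 over the plain client password with the stored
    salt string, then constant-time comparison against the stored hex."""
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), record["salt"].encode(), iterations, key_len)
    return hmac.compare_digest(dk.hex(), record["password"])


if __name__ == "__main__":
    # Constructed sample: a fixed 12-byte salt so the run is reproducible.
    sample = make_mosquitto_hash("correct horse", bytes(range(12)))
    rec = to_emqx_record("usera", sample)
    print(sample)
    print(rec)
    print("verifies:", emqx_style_check(rec, "correct horse"))
```

Run it over an exported user table to produce the `password`/`salt` pairs, then set `auth.mongo.auth_query.password_field = password,salt` and the printed `password_hash_option` value; the client keeps sending its plain password.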
Hi @zhongwencool!

I'm looking to migrate my mosquitto/mosquitto-auth-plug setup, using MongoDB for authentication. Ideally, I want to migrate across without having to get 1200+ users to reset their passwords.
The existing MQTT authentication plugin is very specific about password format, example from mosquitto-auth-plug docs below:
Password hashing on my back-end is configured to use sha256, with the following additional relevant settings:
I've configured my EMQX docker container as follows:
I'm unsure whether the encoding is causing issues, being set to base64? As per passport-local-mongoose config docs.
To date I cannot get the EMQX broker to authenticate any of my users. A super user account generates the following error in the emqx logs when trying to connect:
A non-super user account causes an error (sanitized with IP/ username/password removed):
Any help greatly appreciated.