Sibelius Seraphini for Woovi


Securing MQTT: A Guide to Basic Authentication

Instant Payments for IoT

Woovi wants to enable instant payments everywhere.
To make this possible for IoT devices, like vending machines, we are working on our infrastructure to make this integration easy and secure.

MQTT

After looking for an IoT messaging solution, we decided to use the standard MQTT.
It is lightweight and efficient, uses a publish/subscribe architecture, and supports secure access.
This lets us send and receive payment event messages to and from IoT devices.

Adding basic authentication for the MQTT Server

An MQTT server can allow unauthenticated access, authenticate clients with a username and password, or delegate authentication to auth plugins. You can read more about it here: authentication-methods.

We are using mosquitto as our MQTT server.

For our basic use case, we only need two users: one that can read and write on any topic, and another that can only read.

This is our docker compose service definition for mosquitto as the MQTT server:

    mosquitto:
      image: eclipse-mosquitto:latest
      restart: always
      command: mosquitto -c /mosquitto/config/mosquitto.conf
      ports:
        - '1884:1883'
        - '8081:8080'
      volumes:
        - ./docker/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
        - ./docker/mosquitto/acl.conf:/mosquitto/config/acl.conf
        - ./docker/mosquitto/passwd.txt:/mosquitto/config/passwd.txt

mosquitto.conf

    autosave_on_changes false
    persistence true
    persistence_location /mosquitto/data/
    log_dest file /mosquitto/log/mosquitto.log
    listener 1883
    listener 8080
    protocol websockets
    password_file /mosquitto/config/passwd.txt
    acl_file /mosquitto/config/acl.conf
    allow_anonymous false

acl.conf

    user writer
    topic readwrite #

    user reader
    topic read #

passwd.txt

    writer:***
    reader:***

mosquitto.conf provides the configuration for the MQTT server;
allow_anonymous false disables unauthenticated access.

acl.conf describes read and write permissions for topics per user.

passwd.txt stores a hash of each user's password, not the password itself.
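To see how mosquitto evaluates the acl.conf rules above, here is an added Python evaluator (example code, not Woovi's or mosquitto's own) that parses the acl.conf format shown in the post and answers whether a user may read or write a topic. It handles user blocks, the read/write/readwrite/deny access types and MQTT + and # wildcards; it does not handle pattern lines with %u/%c, and the topic payments/events is a constructed sample.

```python
ACCESS = {"read", "write", "readwrite", "deny"}
# The acl.conf from the post: writer may read and write every topic, reader only reads.
POST_ACL = """\
user writer
topic readwrite #
user reader
topic read #
"""

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT wildcard matching: '+' is exactly one level, '#' is the rest (even none)."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)

def parse_acl(text: str) -> dict:
    """username -> [(access, pattern)]; key None = lines before the first 'user' (anonymous clients)."""
    rules, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            rules.setdefault(current, [])
        elif parts[0] == "topic" and len(parts) in (2, 3):
            access = parts[1] if len(parts) == 3 else "readwrite"  # bare 'topic X' means readwrite
            if access not in ACCESS:
                raise ValueError(f"bad access type in: {line!r}")
            rules.setdefault(current, []).append((access, parts[-1]))
        else:
            raise ValueError(f"unsupported acl line: {line!r}")
    return rules

def check_access(rules: dict, user, topic: str, action: str) -> bool:
    """action: 'read' (subscribe/receive) or 'write' (publish); unknown user = deny; 'deny' beats grants."""
    entries = rules.get(user, [])
    if any(a == "deny" and topic_matches(p, topic) for a, p in entries):
        return False
    return any(a in (action, "readwrite") and topic_matches(p, topic) for a, p in entries)

if __name__ == "__main__":  # 'payments/events' is a constructed sample topic
    acl = parse_acl(POST_ACL)
    for user, action in [("writer", "write"), ("reader", "read"), ("reader", "write"), ("vm-42", "read")]:
        print(f"{user} {action} payments/events -> {check_access(acl, user, 'payments/events', action)}")
```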

How to generate the passwd.txt?

Create a passwd.txt file with your users and passwords

    writer:secret-writer
    reader:secret-reader

Run the mosquitto_passwd CLI with -U to replace the plaintext passwords in the file with their hashes:

    mosquitto_passwd -U passwd.txt

In Summary

This guide shows how to set up basic authentication on an MQTT server using a password file and a static ACL.
For simple use cases with a few users this works well; if your security requirements are more specific, move to an auth plugin so that users and ACLs can be created and managed dynamically.

Check auth plugin for more complex use cases.


Woovi
Woovi is a startup that enables shoppers to pay as they like. To make this possible, Woovi provides instant payment solutions that let merchants accept orders.

If you want to work with us, we are hiring!


Photo by Joshua Sortino on Unsplash
