Confused about MQTT users definition

samuelg0rd0n · July 20, 2024, 8:29pm

I’ve been using MQTT and Zigbee2MQTT on my HA for a couple of years now. When I set it up back then, I just followed some docs, I suppose, and it’s been working fine since then. Recently, I’ve been trying to run TeslaMate add-on. And since TeslaMate also uses MQTT, I had to start configuring it again and I discovered that I’m actually completely lost when it comes to how it all works.

In MQTT integration, I have a username “homeassistant” set.

Then I noticed that in /homeassistant/zigbee2mqtt/configuration.yaml I have a user “addons”:

Neither “homeassistant”, nor “addons” is defined in my HA users. Where do these users come from? Where are they defined? I tried to log in to MQTT with “addons” user in MQTT Explorer and it works indeed. I can’t try “homeassistant” because I don’t even know the password. (It can’t be revealed in the MQTT integration.)

And while configuring TeslaMate, I added this to Mosquitto broker add-on configuration. Username “mqtt” and password “mqttpwd”. It was actually not there before.

Also, I created a user through HA Settings → People → Users with the same username “mqtt” and password “mqttpwd”. And this user is of course also working in MQTT Explorer.

My questions are:

How is it possible that the Zigbee2MQTT integration is working when I have username “homeassistant” set in the MQTT integration but “addons” user in Zigbee2MQTT configuration?
Where do these users come from? Where are they defined?
Where is the correct place I should define the users for MQTT? MQTT add-on? Or HA users through UI? I’m just confused.

Edwin_D · July 20, 2024, 8:42pm

You can define users in the MQTT addon, but the addon also alows Home Assistant users to login. (It uses HA as an identity provider). It is your choice, I believe Home Assistant users are preferred when used for addons and integrations. There’s information on it in the MQTT addon documentation.

samuelg0rd0n · July 21, 2024, 6:40am

But what are those users “homeassistant” and “addons”? I don’t have any of these users in HA Settings. Are these some kind of default users? I tried googling but there’s no such thing as default username, apart from “root”.

Edwin_D · July 21, 2024, 7:03am

So…if they are not from Home assistant, they must be defined in the broker itself. Check the Mosquitto configuration.

samuelg0rd0n · July 21, 2024, 7:07am

I posted a screenshot from MQTT add-on configuration in my original post. There was only one user “mqtt” but since I had this user also defined in HA settings, I removed it and my MQTT settings now looks like this, it’s empty:

I was also searching for some text configuration files, like configuration.yaml but there’s nothing related to MQTT. Or at least I don’t know where exactly to look.

FloatingBoater · July 21, 2024, 10:52am

Here’s a wakthrough with a direct link to the HASS MQTT settings to define a local user:

The MQTT add-on used to ignore (possibly blacklist) HASS users and credentials.
I’ve had a lot more success defining users in the add-on.

Use a MQTT tool like https://mqtt-explorer.com/ to check what credentials connect to Mosquitto. This is a great way of seeing how MQTT really works, and maintenance like removing retained configuration messages.

If this helps, this post!

samuelg0rd0n · July 21, 2024, 7:24pm

I’m sorry but this wasn’t particularly helpful What I don’t understand is where is MQTT getting those two users “homeassistant” and “addons” since they are defined neither in add-on configuration nor as HASS users. And yet, they do work in MQTT Explorer (at least “addons”, I couldn’t try “homeassistant” because I don’t know the password).

FloatingBoater · July 21, 2024, 7:31pm

Have you read the documentation?

For the internal Home Assistant ecosystem, we register homeassistant and addons, so these may not be used as user names.

The script that generates the homeassistant and addons credentials is here:

github.com

home-assistant/addons/blob/583a62a69fa92ca8fdf9a2f298270a50bb3663a1/mosquitto/rootfs/etc/cont-init.d/mosquitto.sh

#!/usr/bin/with-contenv bashio
# ==============================================================================
# Configures mosquitto
# ==============================================================================
readonly ACL="/etc/mosquitto/acl"
readonly PW="/etc/mosquitto/pw"
readonly SYSTEM_USER="/data/system_user.json"
declare cafile
declare certfile
declare discovery_password
declare keyfile
declare password
declare service_password
declare ssl
declare username

# Read or create system account data
if ! bashio::fs.file_exists "${SYSTEM_USER}"; then
  discovery_password="$(pwgen 64 1)"
  service_password="$(pwgen 64 1)"

This file has been truncated. show original

samuelg0rd0n · July 21, 2024, 8:29pm

No, I read this documentation MQTT - Home Assistant Thank you for this one on GitHub, that actually helped. So MQTT add-on is creating automatically these users.

But for example in the script there are paths /etc/mosquitto/*. I don’t have this folder on my system. Also, I still don’t know where are these users defined or how do I change their passwords, if that’s even possible. But I’ll try to google a bit more tomorrow.

FloatingBoater · July 21, 2024, 9:22pm

You do have /etc/mosquitto/*, but it’s in a different container than the one can login to.

HASS and HAOS isolate add-ons into separate containers. Unless you enable HAOS developer mode, there’s no way into add-on by design. You routinely only get SSH access into the HASS VM with standard limited permissions.

There is a separate move to make add-on config more accessible for edits and backups, but I didn’t see Mosquito when I checked my own system suggesting the MQTT addon-on hasn’t implemented this (yet).

FloatingBoater · July 22, 2024, 2:01pm

Here’s an interesting detail about the config of the Mosquitto MQTT Add-On and backups - a full backup is a TAR archive containing a full backup of the add-on confg, which includes ALL credentials.

Make a full backup of HASS
Download the backup.tar file
Expand the backup.tar file (easy on a Linux system, may need tar support)
Extract the core_mosquitto.tar.gz file and expand it.
- options.json contains the GUI options (including the credentials - like tasmota/ChangeThisPasword in my linked example)
- system_user.json contains the “system” account credentials, namely homeassistant and addons with long passwords.

Note the user/passwords are in clear, and are not hashed nor salted so this method can obtain ALL MQTT creds as you wanted. Note the very long length of the passwords - not very crackable (depending on the initial generation PRNG entropy, natch).

This could give a way to change the system user passwords - backup / edit the backup / restore. Long-winded, but might just work.

If this helps, this post!

samuelg0rd0n · July 22, 2024, 7:24pm

Wow, thank you very very much. I would have never thought of this by myself. You were right. I found both passwords there. I already knew the “addons” one (it matched ) and I could save the “homeassistant” to my password manager too.

mahnunchik · September 18, 2024, 8:04pm

I’ve faced with the similar question:

[Mosquitto] How to find passwords for `homeassistant` and `addons` users? · Issue #3765 · home-assistant/addons · GitHub
How to find passwords for `homeassistant` or `addons` users? · Issue #132 · hassio-addons/addon-mqtt-io · GitHub

I think at least documentation has to be updated…