I’ve been using MQTT and Zigbee2MQTT on my HA for a couple of years now. When I set it up back then, I just followed some docs, I suppose, and it’s been working fine since then. Recently, I’ve been trying to run TeslaMate add-on. And since TeslaMate also uses MQTT, I had to start configuring it again and I discovered that I’m actually completely lost when it comes to how it all works.
In MQTT integration, I have a username “homeassistant” set.
Neither “homeassistant”, nor “addons” is defined in my HA users. Where do these users come from? Where are they defined? I tried to log in to MQTT with “addons” user in MQTT Explorer and it works indeed. I can’t try “homeassistant” because I don’t even know the password. (It can’t be revealed in the MQTT integration.)
And while configuring TeslaMate, I added this to Mosquitto broker add-on configuration. Username “mqtt” and password “mqttpwd”. It was actually not there before.
Also, I created a user through HA Settings → People → Users with the same username “mqtt” and password “mqttpwd”. And this user is of course also working in MQTT Explorer.
My questions are:
How is it possible that the Zigbee2MQTT integration is working when I have username “homeassistant” set in the MQTT integration but “addons” user in Zigbee2MQTT configuration?
Where do these users come from? Where are they defined?
Where is the correct place I should define the users for MQTT? MQTT add-on? Or HA users through UI? I’m just confused.
You can define users in the MQTT addon, but the addon also alows Home Assistant users to login. (It uses HA as an identity provider). It is your choice, I believe Home Assistant users are preferred when used for addons and integrations. There’s information on it in the MQTT addon documentation.
But what are those users “homeassistant” and “addons”? I don’t have any of these users in HA Settings. Are these some kind of default users? I tried googling but there’s no such thing as default username, apart from “root”.
I posted a screenshot from MQTT add-on configuration in my original post. There was only one user “mqtt” but since I had this user also defined in HA settings, I removed it and my MQTT settings now looks like this, it’s empty:
I was also searching for some text configuration files, like configuration.yaml but there’s nothing related to MQTT. Or at least I don’t know where exactly to look.
Here’s a wakthrough with a direct link to the HASS MQTT settings to define a local user:
The MQTT add-on used to ignore (possibly blacklist) HASS users and credentials.
I’ve had a lot more success defining users in the add-on.
Use a MQTT tool like https://mqtt-explorer.com/ to check what credentials connect to Mosquitto. This is a great way of seeing how MQTT really works, and maintenance like removing retained configuration messages.
I’m sorry but this wasn’t particularly helpful What I don’t understand is where is MQTT getting those two users “homeassistant” and “addons” since they are defined neither in add-on configuration nor as HASS users. And yet, they do work in MQTT Explorer (at least “addons”, I couldn’t try “homeassistant” because I don’t know the password).
No, I read this documentation MQTT - Home Assistant Thank you for this one on GitHub, that actually helped. So MQTT add-on is creating automatically these users.
But for example in the script there are paths /etc/mosquitto/*. I don’t have this folder on my system. Also, I still don’t know where are these users defined or how do I change their passwords, if that’s even possible. But I’ll try to google a bit more tomorrow.
You do have /etc/mosquitto/*, but it’s in a different container than the one can login to.
HASS and HAOS isolate add-ons into separate containers. Unless you enable HAOS developer mode, there’s no way into add-on by design. You routinely only get SSH access into the HASS VM with standard limited permissions.
Here’s an interesting detail about the config of the Mosquitto MQTT Add-On and backups - a full backup is a TAR archive containing a full backup of the add-on confg, which includes ALL credentials.
Make a full backup of HASS
Download the backup.tar file
Expand the backup.tar file (easy on a Linux system, may need tar support)
Extract the core_mosquitto.tar.gz file and expand it.
options.json contains the GUI options (including the credentials - like tasmota/ChangeThisPasword in my linked example)
system_user.json contains the “system” account credentials, namely homeassistant and addons with long passwords.
Note the user/passwords are in clear, and are not hashed nor salted so this method can obtain ALL MQTT creds as you wanted. Note the very long length of the passwords - not very crackable (depending on the initial generation PRNG entropy, natch).
This could give a way to change the system user passwords - backup / edit the backup / restore. Long-winded, but might just work.
Wow, thank you very very much. I would have never thought of this by myself. You were right. I found both passwords there. I already knew the “addons” one (it matched ) and I could save the “homeassistant” to my password manager too.