The default MQTT configuration uses the homeassistant user. What are the pros/cons of using the built-in user vs creating a new user just for MQTT?
My concern with creating a user for MQTT is that it will be able to log in to Home Assistant, meaning with a Nabu Casa subscription that user could log in remotely. I was reading some threads that said even if the local only option is selected it still allows you to log in if the token is cached.
You also cannot set up 2FA for that account because then other services will not work.
Maybe I’m not understanding something?
I’m assuming the built-in homeassistant user cannot log in to the web interface?
Hi,
There’s a lot going on with the MQTT broker internal credentials; however, it is in the documentation:
Quote:
For the internal Home Assistant ecosystem, we register homeassistant and addons, so these may not be used as user names.
For a short answer, define your own MQTT users (as the “system” accounts won’t work). Here’s a walkthrough with a direct link to the HASS MQTT settings to define a local user:
If you want the gory detail, I link to the source code where the Add-On generated “system” accounts are created, and how to extract their credentials here:
You don’t hash/salt creds - either the Add-On reads the config and credentials as-is, or on installation, the Add-On generates system credentials in the install script.
In the document it states you can hash the password:
you can also optionally set a password value using the hashed password obtained from the pw command (which is present inside the Mosquitto container). If doing so, you must also specify password_pre_hashed: true alongside the username and password values:
That’s the bit which I don’t get - HAOS + HASS deliberately lock down access with separate containers (unless you’re in dev mode) and I’ve just checked: the HASS container doesn’t have pw (separate from the MQTT add-on container…).
/usr/bin/cryptpw does exist, so I wonder if that might work (the hash is rather long though).
Go to Settings, Add-ons, Add-on Store (bottom right), search “ssh”, click “Advanced SSH & Web Terminal”, click Install. Turn OFF the Protection Mode option, and start the add-on. Click Open Web UI or hit Terminal in the left hand menu. Run the following command: docker exec -it addon_core_mosquitto /bin/bash