MQTT builtin user or create one?

johnsnow · July 30, 2024, 1:53am

The default mqtt configuration uses the homeassistant user, what are the pros/cons of using the builtin user vs creating a new user just for mqtt?

My concern with creating a user for mqtt is that it will be able to login to Home Assistant, meaning with a Nabu Casa subscription that user could login remotely. I was reading some threads that said even if local only option is selected it still allows you to login if the token is cached.

You also cannot setup 2FA for that account because then other services will not work.

Maybe I’m not understanding something?

I’m assuming the built in homeassistant user cannot login web interface?

FloatingBoater · July 30, 2024, 10:16am

Hi,
There’s a lot going on with the MQTT broker internal credentials, however it is in the documentation :

Quote:

For the internal Home Assistant ecosystem, we register homeassistant and addons, so these may not be used as user names.

For a short answer, define your own MQTT users (as the “system” accounts won’t work). Here’s a wakthrough with a direct link to the HASS MQTT settings to define a local user:

If you want the gory detail, I link to the source code where the Add-On generated “system” accounts are created, and how to extract their credentials here:

If this helps, this post!

johnsnow · July 30, 2024, 7:13pm

Thank you for this, I’ve created a user in the mqtt broker config but its not clear to me how to hash the password?

pw -p “foo” where do you run that?

FloatingBoater · July 30, 2024, 8:15pm

You don’t hash/salt creds - either the Add-On reads the config and credentials as-is, or on installation, the Add-On generates system credentials in the install script.

johnsnow · July 30, 2024, 8:20pm

In the document it states you can hash the password

you can also optionally set a password value using the hashed password obtained from the pw command (which is present inside the Mosquitto container). If doing so, you must also specify password_pre_hashed: true alongside the username and password values:

FloatingBoater · July 30, 2024, 9:03pm

I salute your op sec (data at rest), but remember that unless you are using certificates, MQTT is cleartext (data in flight).

I can only suggest follow that document, as this is the first time I’ve heard of pre-hashing - sorry.

Reporting back on what hash process worked might help someone else though!

johnsnow · July 30, 2024, 9:11pm

Thanks I try, its actually in the first document you linked. They provide the steps but not how to connect to the container.

FloatingBoater · July 30, 2024, 9:17pm

That’s the bit which I don’t get - HAOS + HASS deliberately lock-down access with separate containers (unless you’re in dev mode) and I’ve just checked the HASS container doesn’t have pw (separate from the MQTT add-on container…).

/usr/bin/cryptpw does exist, so I wonder if that might work (the hash is rather long though).

FloatingBoater · July 30, 2024, 9:22pm

cryptpw != pw as they have different options.

johnsnow · July 30, 2024, 9:58pm

Go to Settings, Add-ons, Add-ons Store (bottom right), search “ssh”, click “Advanced SSH & Web Terminal”, click Install. Turn OFF the Protection Mode option, and start the add-on. Click Open Web UI or hit Terminal in the left hand menu. Run the following command: docker exec -it addon_core_mosquitto /bin/bash .