MQTT builtin user or create one?

The default mqtt configuration uses the homeassistant user, what are the pros/cons of using the builtin user vs creating a new user just for mqtt?

My concern with creating a user for MQTT is that it will be able to log in to Home Assistant, meaning with a Nabu Casa subscription that user could log in remotely. I was reading some threads that said even if the local-only option is selected it still allows you to log in if the token is cached.

You also cannot set up 2FA for that account because then other services will not work.

Maybe I’m not understanding something?

I’m assuming the built-in homeassistant user cannot log in to the web interface?

Hi,
There’s a lot going on with the MQTT broker internal credentials, however it is in the documentation:

Quote:

For the internal Home Assistant ecosystem, we register homeassistant and addons, so these may not be used as user names.

For a short answer, define your own MQTT users (as the “system” accounts won’t work). Here’s a walkthrough with a direct link to the HASS MQTT settings to define a local user:

If you want the gory detail, I link to the source code where the Add-On-generated “system” accounts are created, and how to extract their credentials here:

If this helps, :heart: this post!


Thank you for this, I’ve created a user in the MQTT broker config but it’s not clear to me how to hash the password?

pw -p "foo" where do you run that?

You don’t hash/salt creds - either the Add-On reads the config and credentials as-is, or on installation, the Add-On generates system credentials in the install script.

In the document it states you can hash the password

you can also optionally set a password value using the hashed password obtained from the pw command (which is present inside the Mosquitto container). If doing so, you must also specify password_pre_hashed: true alongside the username and password values:

I salute your op sec (data at rest), but remember that unless you are using certificates, MQTT is cleartext (data in flight). :slight_smile:

I can only suggest follow that document, as this is the first time I’ve heard of pre-hashing - sorry.

Reporting back on what hash process worked might help someone else though!

Thanks, I’ll try. It’s actually in the first document you linked. They provide the steps but not how to connect to the container.

That’s the bit which I don’t get - HAOS + HASS deliberately lock-down access with separate containers (unless you’re in dev mode) and I’ve just checked the HASS container doesn’t have pw (separate from the MQTT add-on container…).

/usr/bin/cryptpw does exist, so I wonder if that might work (the hash is rather long though).

cryptpw != pw as they have different options.

Go to Settings, Add-ons, Add-ons Store (bottom right), search “ssh”, click “Advanced SSH & Web Terminal”, click Install. Turn OFF the Protection Mode option, and start the add-on. Click Open Web UI or hit Terminal in the left hand menu. Run the following command: docker exec -it addon_core_mosquitto /bin/bash
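To tie the thread together, here is an added example of what the Mosquitto add-on configuration looks like with one plaintext login beside one pre-hashed login. It is not from the original thread or from the add-on's own documentation; the usernames are made up, and the hash value is a placeholder standing in for whatever the pw command prints inside the addon_core_mosquitto container (copy its output verbatim, as a single string). The only keys this assumes are the logins list with username/password entries and the password_pre_hashed flag quoted from the documentation above.

```yaml
# Mosquitto add-on configuration (added example, not the add-on's own docs).
# Neither "homeassistant" nor "addons" may be used as a username here; those
# are reserved for the internal Home Assistant ecosystem.
logins:
  # Plaintext entry: the broker reads this credential as-is from the config.
  # password_pre_hashed defaults to false, so it can be omitted.
  - username: zigbee2mqtt          # made-up username
    password: "a-long-random-secret"

  # Pre-hashed entry: paste the exact string printed by
  #   docker exec -it addon_core_mosquitto pw -p "a-long-random-secret"
  # and tell the add-on not to hash it again.
  - username: sensors              # made-up username
    password: "<paste the full output of pw here>"   # placeholder, not a real hash
    password_pre_hashed: true
```

Pre-hashing only changes what is stored in the add-on configuration (data at rest); as noted earlier in the thread, the credential still crosses the network in cleartext on every MQTT connect unless the broker is configured with certificates/TLS.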