Today we are going to learn how to password protect our mosquitto mqtt broker. As a result no one else will connect to your broker and will be able to read your messages if the proper authentication is not provided. If you have a mosquitto broker and you want to protect its access with a user and password keep reading.
Note: This procedure is written for mosquitto version 1.x. If you are using mosquitto version 2, do not forget to read the update at the end of the post.
Firstly, you will need to locate the configuration file, usually named ‘mosquitto.conf’. Depending of your operating system it will be at different locations. Usual locations are, for Windows ‘C:\Program Files\mosquitto\mosquitto.conf’, for macOS it uses to be ‘/usr/local/opt/mosquitto/etc/mosquitto/mosquitto.conf’ and for Linux ‘/etc/mosquitto/mosquitto.conf’. These locations may differ depending your operating system flavour. If you installed mosquitto as a docker container, configuration file should be at ‘/mosquitto/config/mosquitto.conf’ inside the container. To enter the container console you can use this command:
docker exec -it mosquitto sh
We explained how to install mosquitto with docker-compose as part of a Home Assistant stack in our post Home Assistant install with docker-compose. Also, to run a single mosquitto container, you can use a command like the one below.
docker run -d --name test_mosquitto -p 1883:1883 eclipse-mosquitto
Create user/password file
Secondly, a file with the proper users and passwords should be created. Your mosquitto install provides the command mosquitto_passwd to generate this file. If running on docker the command should be available from within the container. Use this command to create the file:
mosquitto_passwd -c <path>/mqtt_passwd <user>
This will ask you for a password and will create the file mqtt_passwd in <path> with the user <user> and the password you provided in a hashed form. Adjust <path> and <user> to your needs. Be sure this file can be read by the user mosquitto runs. If you are adding a new user to an existing password file, you can omit the ‘-c’ parameter.
Configure mosquitto to use the password file
To make our broker use our password file, open the configuration file mosquitto.conf, and add the following lines. You could also add these lines in a separate file included in the mosquitto config with the include_dir directive.
allow_anonymous false password_file <path>/mqtt_passwd
Then restart your broker. This will prevent anonymous access and instead will use the password file provided. You can check it with your favorite mqtt client.
Update for mosquitto version 2
There are some changes in mosquitto version 2 that are needed to take into account to configure authentication in your broker. Listeners now require authentication to be configured, so you need to declare them and configure proper authentication.
In conclusion, to mimic our previous config we will need to change it to:
# authenticated listener listener 1883 password_file <path>/m_passwd
There is no need to set allow_anonymous to false as it is now the default. Here you have the official migration guide from mosquitto.