This repository has been archived by the owner on Mar 12, 2019. It is now read-only.

Can't authenticate on mysql #44

Closed
mariopraga opened this issue Nov 23, 2014 · 12 comments

@mariopraga

I have created a user: 123456789 and a hash for password "testpassword": PBKDF2$sha256$901$SALT$dc59c53d92f078d49b34

When I try to connect using: mosquitto_pub -h myIP -t '/base' -m 'test_topic' -u 123456789 -P testpassword I get an error:

Connection Refused: bad user name or password.
Error: The connection was refused.

The log of the mosquitto daemon says:

1416769178: |-- mosquitto_auth_unpwd_check(123456789)
1416769178: |-- ** checking backend mysql
1416769178: |-- getuser(123456789) AUTHENTICATED=0 by none

Do you have any idea about my issue?

@jpmens
Owner

jpmens commented Nov 23, 2014

Did you solve #42 ?

Show me your configuration, and a SELECT from your MySQL table which describes this user, please.

@mariopraga
Author

Hi JP,
The #42 is solved.

Please find below all the info requested:

A. Query used in mosquitto.conf:
auth_opt_userquery SELECT pw FROM users WHERE username = '%s'

B. Mysql table name users data:

id = 1
username = 123456789
pw = PBKDF2$sha256$901$SALT$dc59c53d92f078d49b34
super = 0

C. PHP procedure used to generate the password:

D. mosquitto daemon log

1416854800: New connection from 93.50.87.166 on port 1883.
1416854800: |-- mosquitto_auth_unpwd_check(123456789)
1416854800: |-- ** checking backend mysql
1416854800: |-- getuser(123456789) AUTHENTICATED=0 by none

Thank you in advance.

@jpmens
Owner

jpmens commented Nov 24, 2014

I'm assuming your PHP hash_pbkdf2 function is maybe not correct. Please try using the ./np utility which is part of mosquitto_auth_plug, and replace the pw in your database table by its output. For example, testpassword becomes PBKDF2$sha256$901$SPCW2NbWwYdk44fC$4acm8WxwC8l2ZuL3yBNUB7KpO12LxmKT.

FWIW, the characters "SALT" in your hashed string look very strange to me.

@mariopraga
Author

Thank you for your help and your prompt reply.
I confirm that the above string worked. Now I'm wondering how I can generate valid hash strings from PHP or Java. I don't like the idea of being forced to use the np utility in order to work with the PBKDF2 standard.
Any idea?

PS: I used the string "SALT" for the salt only as a test.

@jpmens
Owner

jpmens commented Nov 24, 2014

I honestly don't know, but you'll have to look around a bit for something that works. It's probably just your salt which is wrong, but I can't help you there.

@jpmens jpmens closed this as completed Nov 24, 2014
@svrooij

svrooij commented Apr 19, 2016

@jpmens it seems that this plugin (and the ./np program) use a different way to generate the hashes. I've tried 3 different solutions for generating the SHA256 hashes (because it is not supported by default in C#), all three created by different people. They generate the same hash given the same input variables.

I tried generating a hash with the ./np program and then generating a hash with all the parameters copied. All three solutions give me the same hash, but these are different from the one generated with the ./np program. I also tried the default C# PBKDF2 function, but that only supports SHA1 (which also doesn't work when put into the database).

Then I found this issue, which makes me wonder if it is not the PHP/C# implementation that is wrong but whether there might be some issue with the way this plugin generates the hashes.

Can you point me in the right direction? As I made the following assumptions:

  1. The password is converted to a byte array with the UTF8 encoding? I've tried ASCII, UTF7, UTF8, Unicode all without success.
  2. The salt length is 12?
  3. The salt are just 12 random generated chars?
  4. When writing the hash string both the salt and the hash are base64 encoded?

@jpmens
Owner

jpmens commented Apr 19, 2016

I cannot comment on the PHP or any of the other contributed functions.

We've been using np.c (with OpenSSL's PKCS5_PBKDF2_HMAC()) and the authentication plugin in production without any issues at all. Also, please don't make assumptions: the code is there to look at. In particular, pbkdf2-check.c shows how the checking is done.

  1. We've tried ASCII only
  2. Correct
  3. RAND_bytes(saltbytes, SALTLEN);
  4. see from here

@svrooij

svrooij commented Apr 19, 2016

Based on the code I figured out what happens.
The normal implementation works as follows:

  1. Create a salt (byte array with random bytes)
  2. Take the password (convert to byte array with UTF8 encoding)
  3. Do the hashing with password and salt

The implementation ./np uses:

  1. Create a salt (byte array with random chars)
  2. Convert the salt to Base64
  3. Cast this base64 string as a byte array.
  4. Take the password
  5. Do the hashing with the password and the converted -> casted salt

If you do this on both sides of the comparison (when creating the hash and when validating) there won't be a problem. So in an installation where you created the hashes with ./np and validate them with this plugin, everything is ok. I recreated these steps in C# and I can now create the accepted hashes in C#.
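The salt handling described in the comment above, as an added Python example that is not part of the original thread and is not the plugin's own code: `np_hash` and `verify` are hypothetical names, and UTF-8 password encoding is an assumption (identical to ASCII for ASCII-only passwords). The `decode_salt` switch lets you compare the plugin-style derivation with the conventional one on the same stored string.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN, KEY_LEN, ITERATIONS = 12, 24, 901  # sizes as discussed in the thread


def np_hash(password, salt_b64="", iterations=ITERATIONS):
    """Build a PBKDF2$sha256$... string using the salt handling described above."""
    if not salt_b64:
        salt_b64 = base64.b64encode(os.urandom(SALT_LEN)).decode("ascii")
    # The quirk: the base64 *text* of the salt is fed to PBKDF2, not its raw bytes.
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt_b64.encode("ascii"), iterations, KEY_LEN)
    return "PBKDF2$sha256$%d$%s$%s" % (
        iterations, salt_b64, base64.b64encode(key).decode("ascii"))


def verify(password, stored, decode_salt=False):
    """Check a password against a stored hash string.

    decode_salt=False: salt used as base64 text (the ./np behaviour above).
    decode_salt=True:  salt base64-decoded to raw bytes first (conventional).
    """
    try:
        tag, algo, iters, salt_b64, key_b64 = stored.strip().split("$")
        iterations = int(iters)
        want = base64.b64decode(key_b64, validate=True)
        salt = (base64.b64decode(salt_b64, validate=True) if decode_salt
                else salt_b64.encode("ascii"))
    except ValueError:  # wrong field count, bad number, bad base64
        return False
    if tag != "PBKDF2" or algo != "sha256" or iterations < 1 or not want:
        return False
    got = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt,
                              iterations, len(want))
    return hmac.compare_digest(got, want)  # constant-time comparison


if __name__ == "__main__":
    # Hash string quoted earlier in this thread for "testpassword".
    quoted = "PBKDF2$sha256$901$SPCW2NbWwYdk44fC$4acm8WxwC8l2ZuL3yBNUB7KpO12LxmKT"
    for mode in (False, True):
        print("decode_salt=%s:" % mode, verify("testpassword", quoted, mode))
    # Constructed round trip with a fresh random salt.
    print(verify("testpassword", np_hash("testpassword")))
```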

@jpmens
Owner

jpmens commented Apr 19, 2016

Glad you got it to work. :)

@mariopraga
Author

Thank you all for contributing to this issue.

@simonnilsson

Hi, sorry for bumping an old issue, but I was wondering why the plugin uses a non-standard way of handling PBKDF2 passwords. I have a database that is handled with another application that already has users with PBKDF2 passwords, but I'm unable to use them with this plugin.

@tmcdos

tmcdos commented Aug 3, 2017

For anyone who needs to implement this in PHP - here is a small snippet:

#!/usr/local/bin/php
<?php

// Build a hash string in the PBKDF2$algo$iterations$salt$key format.
// The base64-encoded salt string itself (not its raw bytes) is passed to PBKDF2.
function mqtt_hash($password, $salt = '', $algo = 'sha256', $iterations = 901, $key_len = 24, $salt_len = 12)
{
  if ($salt == '') $salt = base64_encode(openssl_random_pseudo_bytes($salt_len));
  $key = base64_encode(openssl_pbkdf2($password, $salt, $key_len, $iterations, $algo));
  // No trailing newline here, so the result can be stored in the database as is.
  return sprintf('PBKDF2$%s$%d$%s$%s', $algo, $iterations, $salt, $key);
}

// Take the password from the first argument, or prompt for it if none was given.
$password = isset($argv[1]) ? trim($argv[1]) : '';
if (function_exists('readline'))
{
  while ($password == '')
  {
    $password = trim(readline('Enter password: '));
  }
}
else
{
  $handle = fopen('php://stdin', 'r');
  while ($password == '')
  {
    echo 'Enter password: ';
    $password = trim(fgets($handle));
    echo chr(10);
  }
  fclose($handle);
}

echo 'PBKDF2 password generator for Mosquitto auth plugin [https://github.com/jpmens/mosquitto-auth-plug]', chr(10);
echo 'Encoding password = ', $password, chr(10);
echo mqtt_hash($password), chr(10);
?>
