mqtt security & acl in depth for mosquitto
TRANSCRIPT
MQTT Security & ACL In-Depth for Mosquitto
Eric Hankinson, Software/Embedded/DevOps
#AboutEric
• Member of LeanDog’s Design & Delivery Studio
• 18 years in IT - Sys Admin, Programming & Embedded
• XP in Automotive, Banking, Finance, E-Learning, and many other industries
• Spare time learning is Electrical & Mechanical Engineering. Why? Robots!
• Twitter: @kumichou Blog: erichankinson.com
The Thing
The Problem Domain
• Give students experience building an IoT “device” with Mobile, Web & Infrastructure too!
• Authenticate Users & Devices
• Authorize Topic Pub/Sub from Users & Devices
• Single source of truth for user accounts
The Parts…
• Web App
• Mobile App
• Lampi device
• Multiple Mosquitto Brokers
• Multiple MQTT Client Services
Django Web App
• Host web interface for controlling devices
• Manage authentication & authorization of Users and Devices
Mosquitto MQTT Brokers
• Brokers in both the Cloud & on each device
• Cloud broker has the CRL
• Cloud broker serves up MQTT traffic over Web Sockets
• Device broker manages multi-client traffic
mosquitto auth plug
• Provides a multi-provider backed way to provide Authentication & Authorization of MQTT messaging
Auth Calls from Mosquitto
• REST calls from Mosquitto Auth Plug have to be answered with HTTP Response Code of 200 or 403
#lolwhut
Bridging the Brokers
Using TLS for Authentication
• Using internal CA to generate Certs for each broker
• Must have common Root CA
• Cert must not appear in CRL
• Configuration can be confusing the first time…
TLS Endpoint on the Cloud
Lampi Broker Connection
• Now Lampi needs to be able to Authenticate itself via TLS certificate chain
• Mosquitto checks you at the door, no valid TLS cert, no entry!
• Used the MAC Address of Lampi as the Common Name in the TLS Cert. Helpful later
• OpenSSL errors are so not helpful…
Lampi TLS Bridge to Cloud
Configuring the Auth plug
Django App Routing
• Some routes were configured to only answer on loopback device
• This could be done in Nginx (web server) or via Python code
Auth plug Configuration
What about Web Sockets?
Mosquitto Web Sockets
Why Reuse the Mosquitto Cert?
• It was for convenience
• LetsEncrypt wasn’t ready yet
• Use the same TLS Cert for Nginx Web proxy with Web Sockets configuration
Web Sockets Authentication
• We needed a simple way to identify a Django user through the Mosquitto connection
• Settled on using the Django Auth Token UUID as the username for the Auth & Pub/Sub calls
Django Auth Responses
• Leveraged model of User to Device to determine if a User had specific access to Pub/Sub specific topics for their devices only
• Mosquitto only does ACL check(s) when a message is published, not on initial client connection!
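The 200/403 contract, the loopback-only routes, the token-UUID-as-username trick and the User-to-Device ACL from the slides above, pulled together in one plain-Python model. This is an added example, not the talk's Django code or mosquitto-auth-plug's own; it assumes the plug's HTTP backend posts username/password to an auth route, username to a superuser route, and username/topic/acc (1 = read, 2 = write) to an ACL route, and the topic layout devices/<mac>/lamp/{set,state}, the token value and the MACs are constructed.

```python
import re
from ipaddress import ip_address

# 'acc' values the auth plug's HTTP backend sends with each ACL check (assumed, per plug docs).
ACL_READ, ACL_WRITE = 1, 2

# Constructed sample data standing in for the Django User/Device models.
TOKENS = {"0f2c7a5e-9b1d-4d3a-8e6f-1a2b3c4d5e6f": "alice"}      # auth token UUID -> user
USER_DEVICES = {"alice": {"b827eb112233"}, "bob": {"b827ebaabbcc"}}  # user -> owned Lampi MACs

# Hypothetical topic layout devices/<mac>/lamp/{set,state}; a Lampi's cert CN is its MAC.
TOPIC_RE = re.compile(r"^devices/([0-9a-f]{12})/lamp/(set|state)$")

def on_loopback(remote_addr: str) -> bool:
    """The auth routes answer only to the broker on the same host."""
    return ip_address(remote_addr).is_loopback

def auth(username: str, password: str) -> int:
    """/auth: web-socket clients present their Django token UUID as the username;
    the token is the credential, so the password field is not used in this model."""
    return 200 if username in TOKENS else 403

def acl(username: str, topic: str, acc: int) -> int:
    """/acl: a user may write 'set' and read 'state' on devices they own;
    the device itself (username = cert CN = MAC) may read 'set' and write 'state'."""
    m = TOPIC_RE.match(topic)
    if not m:
        return 403                                   # unknown topic shape: deny by default
    mac, leaf = m.groups()
    if username == mac:
        device_ok = (leaf == "set" and acc == ACL_READ) or (leaf == "state" and acc == ACL_WRITE)
        return 200 if device_ok else 403
    owner = TOKENS.get(username)
    if owner and mac in USER_DEVICES.get(owner, set()):
        user_ok = (leaf == "set" and acc == ACL_WRITE) or (leaf == "state" and acc == ACL_READ)
        return 200 if user_ok else 403
    return 403

def handle(path: str, form: dict, remote_addr: str) -> int:
    """Dispatch one POST from the auth plug; every outcome is an HTTP status, 200 or 403."""
    if not on_loopback(remote_addr):
        return 403
    if path == "/auth":
        return auth(form.get("username", ""), form.get("password", ""))
    if path == "/superuser":
        return 403                                   # nobody gets to bypass the ACL
    if path == "/acl":
        return acl(form.get("username", ""), form.get("topic", ""), int(form.get("acc", 0)))
    return 403
```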
Just scratching the surface!
Debugging Headache
ERIC HANKINSON | @kumichou | erichankinson.com | leandog.com