File Authentication

Version: 3.1.1
License: Apache v2

The File Authentication Plugin is the first plugin, which adds the capability of client authentication to HiveMQ. In the case of this plugin the credentials consist of username and password and are read from a file.

Installation with Sample Configuration 

  • Follow the standard installation guide on the official HiveMQ documentation
  • Copy the supplied `fileAuthConfiguration.properties` and `credentials.properties` in the `conf` folder
  • Start/Restart HiveMQ
  • Use a MQTT client of your choice and provide username/password: hivemq-user1/user1

This sample installation shows a simple and quick way to get started with the plugin. Therefore the pre-configuration uses no hashing for the passwords and has predefined username/password combinations. If you are using this plugin in production a more secure setup is essential. The various configuration options are explained in the following.

Configuration Options 

The plugin can be configured with the fileAuthConfiguration.properties file, which needs to be placed in the `conf` folder in your HiveMQ home directory.

Property Name Default Value Description
filename credentials.properties This property specifies the name of the file, which contains the credentials of the users. Please notice that the file has to be in the plugins folder.
reloadCredentialsInterval.seconds 10 Returns the interval after which the credentials file is checked, if new credentials were added.
cachingTime.seconds 600 Maximum cache entry lifetime in seconds for failed and successful login credentials (changing this value resets the cache).
cacheSize 10000 Maximum amount of cached login credentials (changing this value resets the cache).
passwordHashing.enabled false Specifies if the password is stored in plaintext or as hash. If this is set to false all other configuration properties except filename and reloadCredentialsInterval.seconds are ignored.
passwordHashing.algorithm SHA-512 Here the hashing algorithm used during the creation of the passwords can be declared. HiveMQ is supporting all hashing algorithms provided by the Java Virtual Maschine (MD2, MD5, SHA, SHA-256, SHA-384, SHA-512). Recommended for use is SHA-256 and above, because the others are not considered secure.
passwordHashing.iterations 100 Customizes the number of hashing iterations used.
passwordHashingSalt.enabled true Configures if a salt has been used during the hash generation. If this is set to false the following options are ignored.
passwordHashingSalt.separationChar $ Defines the character used in the credential file to separate the salt from the hash.
passwordHashingSalt.isFirst true Specifies the order of hash and salt. If this is set to true, the salt is in front of the hash (salt$hash), if this option is false the salt is placed after the hash (hash$salt)

Credentials

The second file needed for the plugin to work successfully is the credentials file, which is a Java Property File. So in each line one username/password combination can be specified. Depending on the configuration options a line looks like one of the following:

username:plaintextpassword
username:hashedpassword
username:hashedpassword[separator][salt] 
username:[salt][separator]hashedpassword

It is not possible to specify different formats for passwords of different users in one file, therefore all lines must contain the same format.

Production-ready Configuration 

The displayed configuration shows a production-ready implementation, which uses SHA 512, 100 iterations and salting.

filename=credentials.properties
passwordHashing.enabled=true
passwordHashing.algorithm=SHA-512
passwordHashing.iterations=100
passwordHashingSalt.enabled=true
passwordHashingSalt.isFirst=true

Create and Modify the credential file

After having copied this configuration into the fileAuthConfiguration.properties, the credential file has to be improved, too. Now as hashing and salting is enabled the passwords have to be stored in same format.

This can be done easily with the supplied utility:

  • Make sure the fileAuthConfiguration.properties have your desired settings
  • Delete the provided credentials.properties
  • Start utility with:
    java -jar utility/file-authentication-plugin-utility-1.0.jar
  • Configure the utility with:
     configure --file path/to/fileAuthConfiguration.properties
  • Create as many user as you need with:
    addUser --username  --password  
  • Show all user:
    listUsers
  • Done!