转mosquitto auth plugin 编译配置
配置使用 mysql 作为 be (back end)
- 使用config.mk 配置编译参数
cp config.mk.in config.mk - 修改
安装 mysql
sudo apt-get install mysql-server libmysqlclient-dev
# Select your backends from this list
BACKEND_CDB ?= no
BACKEND_MYSQL ?= yes # 使用 mysql
BACKEND_SQLITE ?= no
BACKEND_REDIS ?= no
BACKEND_POSTGRES ?= no
BACKEND_LDAP ?= no
BACKEND_HTTP ?= no
BACKEND_JWT ?= no
BACKEND_MONGO ?= no
BACKEND_FILES ?= no
# Specify the path to the Mosquitto sources here
# MOSQUITTO_SRC = /usr/local/Cellar/mosquitto/1.4.12
MOSQUITTO_SRC =/mnt/g/cjc/workspace/mqtt/mosquitto # 指定mosquitto源码
# Specify the path the OpenSSL here
OPENSSLDIR = /usr
# Specify optional/additional linker/compiler flags here
# On macOS, add
# CFG_LDFLAGS = -undefined dynamic_lookup
# as described in https://github.com/eclipse/mosquitto/issues/244
#
# CFG_LDFLAGS = -undefined dynamic_lookup -L/usr/local/Cellar/openssl/1.0.2l/lib
# CFG_CFLAGS = -I/usr/local/Cellar/openssl/1.0.2l/include -I/usr/local/Cellar/mosquitto/1.4.12/include
CFG_LDFLAGS =
CFG_CFLAGS =
编译plugin
make
得到 auth-plug.so
编译 mosquitto
修改 mosquitto-mysql.conf
参考 mosquitto-auth-plug/examples/mosquitto-mysql.conf 中的 插件附加选项,增加到 mosquitto-mysql.conf 中
# 插件so路径
auth_plugin /mnt/g/cjc/workspace/mqtt/mosquitto-auth-plug/auth-plug.so
auth_opt_backends mysql
auth_opt_cdbname pwdb.cdb
auth_opt_host localhost
auth_opt_port 3306
auth_opt_dbname mqtttest
auth_opt_user root
auth_opt_pass root
# mysql 查询语句约定
auth_opt_userquery SELECT pw FROM users WHERE username = '%s'
auth_opt_superquery SELECT IFNULL(COUNT(*), 0) FROM users WHERE username = '%s' AND super = 1
auth_opt_aclquery SELECT topic FROM acls WHERE username = '%s'
# Usernames with this fnmatch(3) (a.k.a glob(3)) pattern are exempt from the
# module's ACL checking
AUTH_OPT_SUPERUSERS s*
mysql 建表
参考 mosquitto-auth-plug/examples/mysql.sql
测试,直接跑 mysql.sql 建测试表
mysql -uroot -p -Dmqtttest<./../mosquitto-auth-plug/examples/mysql.sql
mysql> show tables;
+--------------------+
| Tables_in_mqtttest |
+--------------------+
| acls |
| users |
+--------------------+
mysql> desc users;
+----------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| username | varchar(25) | NO | UNI | NULL | |
| pw | varchar(128) | NO | | NULL | |
| super | int(1) | NO | | 0 | |
+----------+--------------+------+-----+---------+----------------+
4 rows in set (0.00 sec)
mysql> desc acls;
+----------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| username | varchar(25) | NO | MUL | NULL | |
| topic | varchar(256) | NO | | NULL | |
| rw | int(1) | NO | | 1 | |
+----------+--------------+------+-----+---------+----------------+
4 rows in set (0.00 sec)
客户端依赖动态库
把 ./lib/libmosquitto.so.1 加入 /usr/lib 下
sudo cp lib/libmosquitto.so.1 /usr/lib/libmosquitto.so.1
运行测试
- 服务端
./src/mosquitto -c mosquitto.conf
1500565002: |-- *** auth-plug: startup
1500565002: |-- ** Configured order: mysql
1500565002: |-- }}}} MYSQL
- 客户端
it MUST return a single column only with the PBKDF2 password hash. A single '%s' in the query string is replaced by the username attempting to access the broker.
未往mysql正确插入数据情况(即未授权),连接将被backend拒绝
Connection Refused: not authorised.
Error: The connection was refused.
密码使用 PBKDF2 存储
A user's password is stored as a PBKDF2 hash in the back-end. An example "password" is a string with five pieces in it, delimited by $
, inspired by this.
Note that the salt
by default will be taken as-is (thus it will not be base64 decoded before the validation). In case your own implementation uses the raw bytes when hashing the password and base64 is only used for display purpose, compile this project with the -DRAW_SALT
flag (you could add this in the config.mk
file to CFG_CFLAGS
).
pw 格式:
image.png
- 使用auth plugin 提供的 np 工具生成密码
np 工具使用加密算法,明文把组合随机生成的salt,用 sha256作为hash函数, 迭代次数901 次的 PBKDF2 生成了 hashed password, 返回拼接格式的字符串
mysql数据库pw存储拼接后的密码, auth-plugin 从根据 username从表里查询得到拼接后的密码(包括了 salt,interations, hashfunction),并提取出salt,用用户 password 计算 hashed password 进行比对鉴权。
$ ./np
Enter password:12345
Re-enter same password:12345
PBKDF2$sha256$901$IV/rAqUxT519iO+K$4pe0utPHFZnKpJTASyP0Ann5Nwx5yqZY
往 mysql mqtttest 表中添加 user, pw="PBKDF2$sha256$901$IV/rAqUxT519iO+K$4pe0utPHFZnKpJTASyP0Ann5Nwx5yqZY"
update users set pw="PBKDF2$sha256$901$ubLO1LjWJ0+Gpedp$lpPza0X4dDntdrc5qTqyuRVtIvpLx1N2" where id=7;添加 acl 记录
insert into acls values(13,'cjc','cjc/rw',2);
| 13 | cjc | cjc/rw | 2 |
测试 订阅
./mosquitto_sub -t "cjc/rw" -u "cjc" -P "12345"测试发布
./mosquitto_pub -t "cjc/rw" -m "hello" -u "cjc" -P "12345"服务端输出
1500569102: Sending CONNACK to mosqsub|1240-ra1z (0, 0)
1500569102: Received SUBSCRIBE from mosqsub|1240-ra1z
1500569102: cjc/rw (QoS 0)
1500569102: Sending SUBACK to mosqsub|1240-ra1z
1500569112: |-- mosquitto_auth_unpwd_check(cjc)
1500569112: |-- ** checking backend mysql
1500569112: |-- getuser(cjc) AUTHENTICATED=1 by mysql
1500569112: Sending CONNACK to mosqpub|1241-ra1z (0, 0)
1500569112: |-- mosquitto_auth_acl_check(..., mosqpub|1241-ra1z, cjc, cjc/rw, MOSQ_ACL_WRITE)
1500569112: |-- mysql: topic_matches(cjc/rw, cjc/rw) == 1
1500569112: |-- aclcheck(cjc, cjc/rw, 2) trying to acl with mysql
1500569112: |-- aclcheck(cjc, cjc/rw, 2) AUTHORIZED=1 by mysql
1500569112: |-- Cached [1C2BBC255AB58D79DE677B3078E31D74C900A74D] for (mosqpub|1241-ra1z,cjc,2)
1500569112: Received PUBLISH from mosqpub|1241-ra1z (d0, q0, r0, m0, 'cjc/rw', ... (5 bytes))
1500569112: |-- mosquitto_auth_acl_check(..., mosqsub|1240-ra1z, cjc, cjc/rw, MOSQ_ACL_READ)
1500569112: |-- mysql: topic_matches(cjc/rw, cjc/rw) == 1
1500569112: |-- aclcheck(cjc, cjc/rw, 1) trying to acl with mysql
1500569112: |-- aclcheck(cjc, cjc/rw, 1) AUTHORIZED=1 by mysql
1500569112: |-- Cached [AD78C641352E6B2001205F385A3D612C609D6739] for (mosqsub|1240-ra1z,cjc,1)
1500569112: Sending PUBLISH to mosqsub|1240-ra1z (d0, q0, r0, m0, 'cjc/rw', ... (5 bytes))
np 密码生成算法与实现
https://github.com/manolodd/pbkdf2-mosquitto
https://github.com/jpmens/mosquitto-auth-plug/tree/master/contrib/python3
https://github.com/jpmens/mosquitto-auth-plug/issues/44
- Create a salt (byte array with random chars)
- Convert the salt to Base64
- cast this base64 string as a byte array.
- Take the password
- Do the hashing with the password and the converted -> casted salt
链接:https://www.jianshu.com/p/df5ce786781b
转mosquitto auth plugin 编译配置的更多相关文章
- Spring boot中自动编译配置
MAVEN自动编译配置 热部署功能 <dependency> <groupId>org.springframework.boot</groupId> <art ...
- 【内核】linux2.6版本内核编译配置选项(二)
目录 Linux2.6版本内核编译配置选项(一):http://infohacker.blog.51cto.com/6751239/1203633 Linux2.6版本内核编译配置选项(二):http ...
- 【eclipse插件开发实战】Eclipse插件开发4——插件JDE、PDE开发方式及plugin.xml配置文件结构
Eclipse插件开发4--插件JDE.PDE开发方式及plugin.xml配置文件结构 开发方式分为:java开发环境JDE开发插件的方式和插件开发环境PDE开发插件方式. 插件通过添加到预定义的扩 ...
- 转载:Centos7 从零编译配置Memcached
序言 Memcached 是一个高性能的分布式内存对象缓存系统,用于动态Web应用以减轻数据库负载.它通过在内存中缓存数据和对象来减少读取数据库的次数,从而提高动态.数据库驱动网站的速度. Memca ...
- [原创]Centos7 从零编译配置Memcached
序言 Memcached 是一个高性能的分布式内存对象缓存系统,用于动态Web应用以减轻数据库负载.它通过在内存中缓存数据和对象来减少读取数据库的次数,从而提高动态.数据库驱动网站的速度. Memca ...
- Centos7-mqtt消息中间件mosquitto的安装和配置
在以前发布的博客"菜鸟是如何打造智能家居系统的"文章最后我提到了使用MQTT协议作为云平台和设备之间的通信协议以达到消息传递的实时性,手机的消息推送也大多基于这种平台,首先搬来一段 ...
- Fast RCNN 训练自己数据集 (1编译配置)
FastRCNN 训练自己数据集 (1编译配置) 转载请注明出处,楼燚(yì)航的blog,http://www.cnblogs.com/louyihang-loves-baiyan/ https:/ ...
- 大型项目使用Automake/Autoconf完成编译配置
http://www.cnblogs.com/xf-linux-arm-java-android/p/3590770.htmlhttp://blog.csdn.net/zengraoli/articl ...
- CentOS6.5 Nginx优化编译配置[续]
继续上文CentOS6.5 Nginx优化编译配置本文记录有关Nginx系统环境的一些细节设置,有关Nginx性能调整除了配置文件吻合服务器硬件之前就是关闭不必要的服务.磁盘操作.文件描述符.内核调整 ...
随机推荐
- js中进行金额计算 parseFloat 会产生精度问题
在js中进行以元为单位进行金额计算时 使用parseFloat会产生精度问题 var price = 10.99;var quantity = 7;var needPay = parseFloat(p ...
- Ubuntu 16.04安装cuda7.5 GCC
http://www.linuxidc.com/Linux/2017-01/139320.htm 在介绍Ubuntu 16.04安装 CUDA7.5开始前,先辨析几个概念GPU.NVIDIA.NVID ...
- Visual Studio的工程结构解析
废话不多说,首先查看下一个简单的sln文件结构 Microsoft Visual Studio Solution File, Format Version 11.00 # Visual Studio ...
- OpenCV学习(6) 文件和Mat之间的数据交换
有时候为了便于调试算法,我们需要从文本文件或二进制文件中读取数据,并把数据放到相应的矩阵中去.我们通常可以通过下面的函数实现. 1.从二进制文件中读取数据. 新建一个txt文 ...
- 数学图形(2.2)N叶结
上一节讲的三叶结,举一反三,由三可到无穷,这一节讲N叶结 再次看下三叶结的公式: x = sin(t) + 2*sin(2*t)y = cos(t) - 2*cos(2*t) 将其改为: x = si ...
- Informatica 常用组件Source Qualifier之二 默认查询
2 默认查询 对于关系源,PowerCenter Server 将在运行会话时为每个源限定符转换生成查询.对于每个在映射中使用的源列,默认查询均为 SELECT 语句.也就是说,PowerCenter ...
- Pycharm 2018 激活 亲测有效
下载 https://share.weiyun.com/5NVc5U3 并将 JetbrainsCrack-3.1-release-enc.jar 放置到 pycharm安装目录的\bin目录下( ...
- 百度、淘宝、腾讯三大巨头HTML页面有何高招?
众所周知用html5新增标签布局不光可以使页面更具有可读性,也能使代码更清晰规范,但是兼容性成为了首要的问题,如何解决也是问题的关键. [兼容HTML5方案] 百度贴吧,百度图片的实现: <!- ...
- qt study 元对象,属性和反射编程
所谓反射,就是指对象成员的自我检查,使用反射编程(reflective programming),就可以编写出通用的操作,可以对具有不同结构的类进行操作. QMetaObject 元对象模式,描述一个 ...
- git/github运用
了解git和svn很久了,但是一直没有拿来做过版本控制管理,虽然svn有用到过,但是觉得还是运用git的比较多吧,尤其github. Git术语 ...