MQTT without authentication

I want to secure MQTT with a username and password using the following steps, but Greenbone will then show that it can’t initialize MQTT.

sudo mosquitto_passwd -c /etc/mosquitto/passwd your-username
sudo vi /etc/mosquitto/conf.d/default.conf

Content of the config file

allow_anonymous false
password_file /etc/mosquitto/passwd

listener 1883 localhost

listener 8883
certfile /path/to/cert.pem
cafile /path/to/chain.pem
keyfile  /path/to/privkey.pem

listener 8083
protocol websockets
certfile /path/to/cert.pem
cafile /path/to/chain.pem
keyfile /path/to/privkey.pem

And if I add only the lines below to the default config file, it will fail:

allow_anonymous false
password_file /etc/mosquitto/passwd

My question is how to make Greenbone understand that MQTT is using a username and password.
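As an added example (not from this thread, and not Mosquitto's or Greenbone's own code), here is a small Python audit script that parses a mosquitto.conf fragment like the one posted above and reports the settings that would leave the broker open: anonymous access, a missing password file, and any listener that is reachable beyond loopback without TLS. It assumes `per_listener_settings` is left at its default (false), so `allow_anonymous` and `password_file` apply to every listener; the sample configs embedded below are constructed for the demonstration (the first mirrors the hardened config posted above, the second is a deliberately weak one).

```python
"""Audit a Mosquitto config fragment for the hardening discussed in the thread.

Added example, not part of the forum thread or of Mosquitto/Greenbone.
Assumption: per_listener_settings stays at its default (false), so the
authentication keys below are global rather than per listener.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Keys that stay global unless per_listener_settings is true (assumption).
GLOBAL_AUTH_KEYS = {"allow_anonymous", "password_file"}
# Bind addresses that keep a listener off the network.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Listener:
    port: int
    bind: Optional[str]                      # None means "all interfaces"
    options: Dict[str, str] = field(default_factory=dict)


def parse_mosquitto_conf(text: str) -> Tuple[Dict[str, str], List[Listener]]:
    """Split a mosquitto.conf into global settings and per-listener blocks."""
    global_opts: Dict[str, str] = {}
    listeners: List[Listener] = []
    current: Optional[Listener] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)          # key, then the rest of the line
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":                # "listener <port> [bind address]"
            fields = value.split()
            current = Listener(int(fields[0]), fields[1] if len(fields) > 1 else None)
            listeners.append(current)
        elif current is None or key in GLOBAL_AUTH_KEYS:
            global_opts[key] = value
        else:
            current.options[key] = value
    return global_opts, listeners


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    global_opts, listeners = parse_mosquitto_conf(text)
    findings: List[str] = []
    if global_opts.get("allow_anonymous", "").lower() != "false":
        findings.append("allow_anonymous is not set to false: unauthenticated clients can connect")
    if "password_file" not in global_opts:
        findings.append("no password_file configured: no client credentials are defined")
    for lst in listeners:
        has_tls = "certfile" in lst.options and "keyfile" in lst.options
        if lst.bind not in LOOPBACK and not has_tls:
            findings.append(f"listener {lst.port} is reachable beyond loopback without TLS")
    return findings


# Constructed sample: the hardened layout posted in the thread.
HARDENED_CONF = """
allow_anonymous false
password_file /etc/mosquitto/passwd

listener 1883 localhost

listener 8883
certfile /path/to/cert.pem
cafile /path/to/chain.pem
keyfile  /path/to/privkey.pem

listener 8083
protocol websockets
certfile /path/to/cert.pem
cafile /path/to/chain.pem
keyfile /path/to/privkey.pem
"""

# Constructed sample: anonymous, plaintext, bound to every interface.
OPEN_CONF = """
allow_anonymous true
listener 1883
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("open", OPEN_CONF)):
        result = audit(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

The hardened config produces no findings, while the weak one yields three (anonymous access, no password file, and a plaintext listener on all interfaces). The script only checks broker hardening; it says nothing about whether a client such as Greenbone can still authenticate, which is the separate problem the rest of this thread is about.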

You can see this discussion, which asks a similar question concerning both Redis and MQTT. You would have to modify the source code of GVMD to supply the password to MQTT if you password-protect the service.

However, you can further harden access to MQTT via SELinux instead of going through that trouble.

Thank you for your reply. Since the code is hardcoded, I am wondering why we are using mqtt_server_uri = localhost:1883 in /etc/openvas/openvas.conf. Why not make it dynamic so the application will understand the secure one, for example mqtt_server_uri = USER:PASS@localhost:1883, instead of fixing it in the GVMD code in the manage.c file?

That’s a good point. You can try to adjust that URL and it may work for authenticating MQTT. :thinking:

Sadly it’s hardcoded, and changing the parameter will not fix the issue. It would be great if this were changed in the source code; in the meantime I will try to edit the source code locally.

You could create a feature request on the repository over at GitHub for all components currently not supporting MQTT services with a username and password: