Modifying the MQTT Node to use periodically changing passwords

#1

Hello,

I would like to connect to an MQTT Broker that periodically changes its access password. The standard implementation of the Node-RED MQTT Node is not able to handle this "dynamic" change of passwords. I am planning to modify the source code of the MQTT Node to have an additional input message property (i.e. "password") which can modify the password that is used by the MQTT client for the connection. Also, on reception of this message property, the modified MQTT Node would reconnect to the MQTT Broker. An additional output message would also be needed: an alert if the connection to the MQTT Broker is broken. Before I start the modification, I would like to ask your opinion if this approach is feasible.

Thanks,

#2

If the broker changes its password, how will a client be able to connect without the new password? Will the broker send the password out to all clients before it changes its password? And if so, why change the password?

#3

No, it won't be able to connect.

Yes, it sends out an encrypted new password (decryption keys are stored locally).

This is the way this remote MQTT Broker works. Its working method is out of my control, but I still have to connect to it somehow...

#4

It seems an odd way to refresh credentials tbh. Why not just set up secure comms over ssl?

The approach is certainly feasible as on mqtt connection all you send is an object with props inside, it does seem odd though. Is there no way to influence the running of the broker at all?

#5

No, unfortunately the company that runs this MQTT Broker doesn't want to change the behavior of its servers. Moreover, the MQTT connection is through secure websocket... so they seem a little bit too worried about security. Anyway, thanks for reassuring me that the approach is feasible.

#6

Just another thought - what if you have a client that is connected and it goes offline. While it is offline, the broker changes its password and sends it out. The client that is offline will not receive it.
Now the client comes back online and tries to connect but it has the old password.

You should be prepared for that case.

#7

I forgot to mention that the new (encrypted) password is sent out by the server via e-mail, not MQTT, so it will receive it. (This is really a weird server!)

#8

So your clients have to receive an email and parse it and then re-establish their connection. Phew! I hope your clients are not small devices like a WeMos because that would be quite the project.

#9

...This seems like an absolute nightmare.

#10

The clients are Raspberry Pis with 2G/GPRS connection.

Yes, indeed it is. But I have no options, I need to solve it...

Anyway, in the long run, the solution could be to use Golang instead of Node-RED.

#11

The only problem I see is I'm not sure you can dynamically change the security settings of the MQTT nodes.
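
An added sketch (not part of the original thread and not Node-RED's own code) of the logic proposed in #1, including the stale-password case raised in #6: a new `msg.password` replaces the client, a lost connection raises an alert, and a rejected password stops the retries until a fresh one arrives. It assumes an injected `connect(url, options)` that behaves like mqtt.js's `connect` (returns an object with `on` and `end`, errors carrying the CONNACK return code in `err.code`); the class name and alert payloads are hypothetical.

```javascript
// Added example: credential rotation around an MQTT client.
// `connect` is injected and assumed to behave like mqtt.js's connect(url, options).
class RotatingMqttLink {
  constructor(connect, url, username, onAlert) {
    this.connect = connect;
    this.url = url;
    this.username = username;
    this.onAlert = onAlert;      // second output: connection alerts
    this.client = null;
    this.state = 'idle';
  }

  // Handle an input message; msg.password is the property proposed in post #1.
  handle(msg) {
    if (typeof msg.password !== 'string' || msg.password.length === 0) {
      return this.state;         // ignore messages without a usable password
    }
    if (this.client) this.client.end(true);  // drop the session using the old password
    this.state = 'connecting';
    const client = this.connect(this.url, {
      username: this.username,
      password: msg.password,    // never logged or echoed in alerts
      reconnectPeriod: 5000,
    });
    this.client = client;
    // Ignore events from a client that has since been replaced.
    const current = (fn) => (...args) => { if (this.client === client) fn(...args); };
    client.on('connect', current(() => { this.state = 'connected'; }));
    client.on('close', current(() => {
      if (this.state === 'connected') {
        this.state = 'disconnected';
        this.onAlert({ payload: 'connection lost' });
      }
    }));
    client.on('error', current((err) => {
      // CONNACK 4 = bad user name or password, 5 = not authorized (MQTT 3.1.1).
      if (err && (err.code === 4 || err.code === 5)) {
        client.end(true);        // stop retrying with a stale password
        this.client = null;
        this.state = 'awaiting-password';
        this.onAlert({ payload: 'credentials rejected' });
      }
    }));
    return this.state;
  }
}
```

Stopping the automatic reconnect on a rejected password matters on a metered 2G/GPRS link and avoids a stream of failed logins that the broker operator could treat as a brute-force attempt.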