Generating Mosquitto password hashes with Ansible
I had the need to generate a password file for Mosquitto with Ansible but couldn’t easily find the correct incantation elsewhere online. A bit of poking around in the source and experimenting yielded the following jinja2 template which I thought might be useful to share:
# {{ ansible_managed }}
{% for item in mqtt_accounts %}
{{ item.username }}:{{ item.password | password_hash('pbkdf2_sha512', item.salt) | replace('$pbkdf2-sha512$', '$7$') | replace('.', '+') }}==
{% endfor %}
The passlib pbkdf2_sha512 hash is very nearly the right format but for two minor differences (handled by the replace() filters) and the trailing ==:
- The scheme identifier needs to be $7 instead of $pbkdf2-sha512.
- Passlib’s implementation uses an adapted base64 encoding which uses . in place of the usual + and also omits padding that Mosquitto expects.
Note: The salt value needs to be exactly 12 characters long for Mosquitto to accept it.
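The conversion can be checked offline before a generated file is deployed. The following Python sketch is an added example, not code from the original post, passlib or Mosquitto: it rebuilds the passlib-style string with hashlib (passlib_style_hash is a hypothetical stand-in for the password_hash filter), applies the same replacements as the template, then parses the result with strict standard base64 and recomputes PBKDF2-HMAC-SHA512. The $7$iterations$salt$hash field layout, the 64-byte hash length and the sample account values are assumptions.

```python
import base64
import hashlib
import hmac

def ab64(data: bytes) -> str:
    """Adapted base64 as described above: '.' replaces '+', padding dropped."""
    return base64.b64encode(data).decode().rstrip("=").replace("+", ".")

def passlib_style_hash(password: str, salt: str, rounds: int) -> str:
    """Hypothetical stand-in for password_hash('pbkdf2_sha512', salt)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2-sha512${rounds}${ab64(salt.encode())}${ab64(dk)}"

def to_mosquitto(passlib_hash: str) -> str:
    """Same steps as the template: two replace() filters plus trailing '=='."""
    return passlib_hash.replace("$pbkdf2-sha512$", "$7$").replace(".", "+") + "=="

def verify_mosquitto(entry: str, password: str) -> bool:
    """Parse 'user:$7$rounds$salt$hash' strictly and recompute the hash."""
    _user, _, field = entry.partition(":")
    parts = field.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "7":
        return False
    try:
        rounds = int(parts[2])
        # validate=True rejects '.' and missing padding, unlike a lenient decoder
        salt = base64.b64decode(parts[3], validate=True)
        want = base64.b64decode(parts[4], validate=True)
    except ValueError:
        return False
    if rounds < 1 or len(salt) != 12 or len(want) != 64:
        return False
    got = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return hmac.compare_digest(got, want)

def make_entry(username: str, password: str, salt: str, rounds: int) -> str:
    return f"{username}:{to_mosquitto(passlib_style_hash(password, salt, rounds))}"

if __name__ == "__main__":
    # Constructed sample account; the salt is exactly 12 characters.
    line = make_entry("sensor01", "s3cret", "abcdefghijkl", 1000)
    print(line)
    print("12-char salt verifies:", verify_mosquitto(line, "s3cret"))
    # A 10-character salt encodes to 14 base64 characters once padding is
    # stripped, so the salt field no longer decodes as standard base64.
    short = make_entry("sensor02", "s3cret", "tenchars10", 1000)
    print("10-char salt verifies:", verify_mosquitto(short, "s3cret"))
```

A 12-byte salt encodes to 16 base64 characters with no padding, which is why only the hash field needs the appended ==.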