Saturday, February 18, 2012

Tunneling MQTT over SSH

Tunnel image from http://www.imageafter.com/
One approach that can be used to secure protocols that do not have native encryption is to tunnel them over a known secure protocol.

This can be a VPN protocol like IPSec or it can be a secure general purpose protocol like HTTPS/TLS or SSH.

In this post, we will discuss tunneling MQTT over SSH in a simple and a more advanced configuration.

What is SSH?
SSH is a great protocol that is essentially a drop-in replacement for many older, insecure protocols.

For example, SSH can (and should) replace telnet, FTP, rlogin, rsh, rcp, etc. It's like the secure Swiss Army knife of protocols.

Simple Configuration with Interactive Password
For the most basic implementation of SSH tunneling all you need is SSH installed on both devices. The end with the service that you want to connect to must offer the SSH service, and you need an SSH client on the end you wish to connect from. You will also, obviously, need an account on the server side.

Once you have this and have tested that the basic functionality works, we will need to set up the tunnel. For this section we will assume that you are using the default ports for SSH (22) and MQTT (1883). We will also need to select another port for the local tunnel endpoint - let's use 22883 (which is officially unassigned by IANA; still, check your local machine first to make sure it is not already in use, e.g., with netstat -an).

Now we need to enter only one command to set this up:

ssh -f -L 22883:127.0.0.1:1883 SSHusername@MQTT -N

'-f' means to fork into the background.
'-L' means to do a local tunnel.
'22883' is our local port number.
'127.0.0.1' is the destination host from the perspective of the tunnel destination (i.e., as seen from the SSH server, so the forwarded connection reaches the broker over the server's own loopback interface).
'1883' is the MQTT port on the destination server.
'SSHusername' is the username that you use to login to the MQTT server's SSH service.
'MQTT' is the name or IP address of the MQTT server.
'-N' tells ssh not to run a command on the remote server.

You will be prompted for your password (for the SSH connection).

Now, if you connect to MQTT from this system using the localhost address and a port of 22883 like this:

mosquitto_sub -h 127.0.0.1 -p 22883 -u dan -P password -t 'test/#'

You will connect to the MQTT broker on your MQTT server - but this time over a secure (encrypted and authenticated) SSH connection.
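To make the bring-up above repeatable, here is an added example script (not part of the original post) that wraps the same ssh -L invocation with the checks a practitioner wants: it validates both port numbers, refuses to start if the local port is already taken (the netstat check the post suggests, automated), asks ssh to exit non-zero if the forward cannot be bound instead of silently backgrounding, and confirms the local end is listening before you point an MQTT client at it. The host name mqtt.example.com and user SSHusername are placeholders; the ss/netstat column handling assumes Linux output.

```shell
#!/bin/sh
# Added example, not from the original post: bring up the MQTT-over-SSH tunnel
# with sanity checks. Host/user below are placeholders; override via env vars.

LOCAL_PORT="${LOCAL_PORT:-22883}"        # local tunnel endpoint (IANA-unassigned)
REMOTE_PORT="${REMOTE_PORT:-1883}"       # MQTT port, reached via 127.0.0.1 on the server
SSH_USER="${SSH_USER:-SSHusername}"      # placeholder user
SSH_HOST="${SSH_HOST:-mqtt.example.com}" # placeholder host

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL REMOTE: the -L argument from the post, after validating
# both ports. Prints "LOCAL:127.0.0.1:REMOTE" or fails.
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 1
    printf '%s:127.0.0.1:%s\n' "$1" "$2"
}

# port_in_use N: true if something already listens on TCP port N locally.
# Uses ss where available, otherwise netstat -an (Linux column layout assumed).
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" {f=1} END {exit !f}'
    else
        netstat -an 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" && $6 == "LISTEN" {f=1} END {exit !f}'
    fi
}

# tunnel_up: start the tunnel exactly as in the post (-f -L ... -N), plus
# ExitOnForwardFailure so a failed bind is an error, and keepalives so a dead
# link is noticed rather than left hanging. Returns non-zero on any failure.
tunnel_up() {
    spec=$(forward_spec "$LOCAL_PORT" "$REMOTE_PORT") || {
        echo "invalid port (local=$LOCAL_PORT remote=$REMOTE_PORT)" >&2; return 2; }
    if port_in_use "$LOCAL_PORT"; then
        echo "local port $LOCAL_PORT already in use; pick another" >&2; return 1
    fi
    ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -L "$spec" "$SSH_USER@$SSH_HOST" || return 1
    # verify the local end actually came up before handing it to a client
    port_in_use "$LOCAL_PORT" || { echo "tunnel did not start listening" >&2; return 1; }
    echo "tunnel ready: mosquitto_sub -h 127.0.0.1 -p $LOCAL_PORT -t 'test/#'"
}

# Usage: sh tunnel.sh up   (you will be prompted for the SSH password)
case "${1:-}" in
    up) tunnel_up ;;
esac
```

The script keeps the post's command line intact and only adds options; `ExitOnForwardFailure=yes` is the one worth remembering, because without it a `-f` ssh happily backgrounds itself even when the `-L` bind failed and your MQTT client then sees a connection refused with no hint why.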

The problem with what we have so far is that we need to be at the client to set up the tunnel - which is fine if it is our PC - but if it is a server, we probably need a solution that doesn't need an interactive password, but one that also does not sacrifice security. This is what we will look at next.

Configuration to Support Key-based Authentication
SSH supports a wide variety of authentication methods natively and many more via the PAM (Pluggable Authentication Modules) interface. We are going to enable public/private key based authentication so that we can login to our MQTT server over SSH without providing a password - or leaving a password stored in plain text.

Since our purpose here is to make this work in an unattended manner, we will not give a passphrase for our private key. Keep in mind that this can lead to security problems: do not re-use this key for other purposes/servers, and apply additional server-side controls.

To generate our key, on the client side, run:

ssh-keygen

Then accept the defaults. If you want a passphrase - this would be the time to add one. Now run:

ssh-copy-id username@host

This copies your key into the .ssh/authorized_keys file.

If you didn't enter a passphrase - as I mentioned before - you'll want to provide additional security on the server side.

Some of those additional server-side controls might be to lock down what logins using this key can do. To do this, go to the server and edit the .ssh/authorized_keys file, adding some options to the beginning of that key's line:

from="192.168.1.*",no-pty,permitopen="127.0.0.1:1883",command="/bin/false" ssh-rsa AAAAB....


This limits logins to the 192.168.1.x network, declines to assign a pty, limits the forwarding to localhost on the MQTT port, and runs the command "/bin/false" on login. The point here is to lock down what the passwordless key can do to those things that you want that key to do anyway (no interactive logins, no sftp logins, no tunneling to other servers, no reusing the key on other servers, etc.). The ssh and sshd man pages have more information on other settings that may be useful for enhancing your security.
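Keys like this tend to accumulate, and the one that was added in a hurry without the options is the one that matters. Below is an added example (not from the original post) of a small audit script that reads an authorized_keys file and reports every key whose option block lacks any of the four restrictions used above (from=, permitopen=, no-pty, command=). The sample keys in the script are constructed for the demonstration; the key blobs are not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: audit authorized_keys for keys
# that lack the restriction options recommended for an unattended tunnel key.

REQUIRED_OPTS="from= permitopen= no-pty command="

# missing_restrictions LINE: print the required options absent from LINE's
# option block, space separated (empty if all present). Options precede the key
# type; a line that begins directly with a key type has no options at all.
missing_restrictions() {
    line="$1"
    case "$line" in
        ssh-*|ecdsa-*|sk-*) opts="" ;;
        *)
            # keep only the option block: drop from the key-type token onward so
            # a comment field such as "no-pty-test" cannot satisfy a check
            opts=$(printf '%s\n' "$line" | sed \
                's/ ssh-[a-z0-9]* .*$//; s/ ecdsa-sha2-[^ ]* .*$//; s/ sk-[^ ]* .*$//') ;;
    esac
    missing=""
    for opt in $REQUIRED_OPTS; do
        case "$opts" in
            *"$opt"*) ;;
            *) missing="${missing:+$missing }$opt" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# audit_file FILE: report unrestricted keys on stderr, print their count on
# stdout (so the caller can branch on it). Blank lines and comments are skipped.
audit_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        m=$(missing_restrictions "$line")
        if [ -n "$m" ]; then
            bad=$((bad + 1))
            printf 'UNRESTRICTED: %.48s... lacks: %s\n' "$line" "$m" >&2
        fi
    done < "$1"
    printf '%s\n' "$bad"
}

# Constructed sample: one key restricted as in the post, one bare key.
SAMPLE_KEYS='# constructed sample authorized_keys
from="192.168.1.*",no-pty,permitopen="127.0.0.1:1883",command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYBLOB tunnel@client
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEYBLOB dan@laptop'

# demo: write the sample to a temp file and audit it
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_KEYS" > "$f"
    n=$(audit_file "$f")
    rm -f "$f"
    echo "unrestricted keys: $n"
}

# Usage: sh audit_keys.sh demo
#        sh audit_keys.sh audit ~/.ssh/authorized_keys
case "${1:-}" in
    demo)  demo ;;
    audit) audit_file "$2" >/dev/null ;;
esac
```

Run it against the real file on the broker as the tunnel account; a count of zero means every key carries all four restrictions. The check is deliberately literal (it looks for the option names, not for sensible values), so a `from="*"` would still pass and is worth a manual look.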

Once this is all done and you are satisfied with the security - just go back and run your ssh command from above and you will not be prompted for a password (unless you set a key passphrase). Now you should be able to use the tunnel as before, but with no password required.

Tuesday, February 7, 2012

Mosquitto on the PogoPlug

Pretend this is a Mosquitto...
Updated: Fixed the Makefile for the clients so they install to /usr.  Added links to the files and to the source package.

I got a PogoPlug this afternoon - the master plan being that all my gizmos talk to a broker on a low power computer of some sort - and this super cheap computer + an unused 8GB thumb drive seemed perfect.

The PogoPlug - in case you didn't click through - is a little linux computer intended to be "Your personal cloud" and allow you to share a USB drive via the Internet.  Which seems pretty cool.

For my purposes - it is a > $35 computer with 4 USB ports and Gig Ethernet.

So, after following these directions: http://archlinuxarm.org/platforms/armv6/pogoplug-provideov3 and a couple of issues (buggy udev and initscripts - a bit scary when ssh quit working a couple of times*) I got ArchLinuxARM installed on this (a pretty well-paved path).

Next, I went looking for mosquitto for this in a "pacman" archive.  There was one there, but it was marked as "orphaned" (http://aur.archlinux.org/packages.php?ID=51571), so I updated this to install the bright and shiny 0.15 version that Roger just released the other day (http://mosquitto.org/download/).

Below are the files for this.  Keep in mind that I've never done this sort of packaging before - so be gentle. :)

They seem to work - at least they did for me - no guarantees though.  If you want to use them, copy them to a dir on your PogoPlug (assuming you have the dev environment installed already ('pacman -S kernel26-headers file base-devel abs python')), then as a non-root user, run 'makepkg -s' in the dir with these 2 files.  This will compile and build the pacman archive.  Then as root, run 'pacman -U mosquitto-0.15-1-arm.pkg.tar.xz' which will install this archive.

The benefit of installing like this is that you can now use pacman to manage (install, remove, etc.) this package and don't end up with orphan files all over.

There is a repository for sharing this sort of thing at http://aur.archlinux.org/index.php - I haven't uploaded it yet - might be cool to have it up there though.

But it all works!  My Netduino is talking to Mosquitto on my PogoPlug!  :)

* If anyone wants to do this - let me know and I'll try to document the speed-bumps and the fixes.



# This is the PKGBUILD for mosquitto, an MQTT broker and example clients
# Maintainer: Gordon JC Pearce 
# Edits for 0.15 by Dan Anderson 
#

pkgname=mosquitto
pkgver=0.15
pkgrel=1
epoch=
pkgdesc="An MQTT broker and clients"
arch=(i686 x86_64 arm)
url="http://mosquitto.org/"
optdepends=('python: python support')
license=('BSD')
source=(http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz config.patch)
md5sums=('7ae0ac38f1f379578ab5530e5dc7269e'
         '2fd36955e7b5fe071e0a3e38e25ed46a')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  patch -p1 < "$srcdir/config.patch"
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir/" install
  install -Dm644 COPYING "$pkgdir/usr/share/licenses/$pkgname/COPYING"
}

# vim:set ts=2 sw=2 et:

And here is the config.patch file referenced above.


--- mosquitto-0.15/config.mk    2012-02-07 01:08:00.000000000 -0600
+++ mosquitto-0.15/config.mk.edit       2012-02-07 01:08:26.000000000 -0600
@@ -24,6 +24,6 @@ MSGMERGE=msgmerge
 MSGFMT=msgfmt
 DOCBOOK2MAN=docbook2man.pl

-prefix=/usr/local
+prefix=/usr
 mandir=${prefix}/share/man
 localedir=${prefix}/share/locale

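Review bot: this hunk only changes the default assignment `prefix=/usr/local` in config.mk; the same result is available without carrying a patch (and without keeping an md5sum for config.patch in sync) by passing `make prefix=/usr` in build() and `make prefix=/usr DESTDIR="$pkgdir/" install` in package(), since a command-line variable definition overrides the makefile's own assignment and is propagated to sub-makes. If the patch is kept, naming the new file `config.mk` on the `+++` line rather than `config.mk.edit` (or using a/ and b/ prefixes) avoids relying on patch picking the existing name from the two headers.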
--- mosquitto-0.15/client/Makefile      2012-02-05 03:13:24.000000000 -0600
+++ mosquitto-0.15/client/Makefile.edit 2012-02-07 22:54:00.000000000 -0600
@@ -2,7 +2,7 @@ CC=cc
 CFLAGS=-I../lib -Wall -ggdb
 LDFLAGS=-L../lib ../lib/libmosquitto.so.0
 INSTALL=install
-prefix=/usr/local
+prefix=/usr

 .PHONY: all install uninstall clean

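Review bot: the duplicate prefix edit is needed here only because client/Makefile carries its own `prefix=/usr/local` instead of reading the value from config.mk, so the two hunks must be kept in lock-step whenever the install prefix changes; a `make prefix=/usr` override on the command line covers both files at once and is the smaller maintenance surface. Same header nit as the first hunk: the `+++` line names `client/Makefile.edit` rather than `client/Makefile`.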
Since copy/pasting these will mess with the md5 sums, here are links:
http://dananderson.us/pogo/PKGBUILD
http://dananderson.us/pogo/config.patch
Or both in a "source package"
http://dananderson.us/pogo/mosquitto-0.15-1.src.tar.gz
(Install with 'makepkg -s' then 'pacman -U mosquitto-0.15-1-arm.pkg.tar.xz')

I posted this to the AUR:  https://aur.archlinux.org/packages.php?ID=51571

Sunday, February 5, 2012

Review: "The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler" by Chris Eagle; No Starch Press

Review:  This is _the_ manual you need if you use IDA Pro for fun or profit.  It covers a wide range of information ranging from disassembly basics to writing plugins for IDA.  It provides sufficient detail without the tedious extraneous information you often have to dig through in technical books.

IDA is one of those tools that you can use for a long time and still miss a lot of the functionality that it has.  Chris does a masterful job of illuminating these features (as well as the pieces everyone uses) with good examples and an appropriate level of detail. 

There is a very well done map to this book in the "Introduction" before chapter one - this enables readers of any level of experience to focus.  But, I found that there was value to reading all of the sections anyway.

The accompanying website is well done and provides the examples, a small errata and additional references. (http://idabook.com)

This may go without saying, but you should have access to IDA PRO to get the full value from this book.  This edition is less applicable to the freeware version than the last edition was (although I'd still probably recommend it for anyone using IDA).

Bottom line:  If you use (or plan to use) IDA PRO - buy this book.

http://shop.oreilly.com/product/9781593272890.do

Disclosure: I was provided with a free PDF copy of this book by O'Reilly as a part of their "Blogger Review Program" program.  (http://www.oreillynet.com/oreilly/bloggers/)