PSK Authentication
Pre-Shared Key (PSK) authentication is a method of authentication that relies on a pre-shared key for identity verification. Using the PSK authentication method, both the client and EMQX must pre-share the same key before establishing a secured connection. The pre-shared key is then used to encrypt and decrypt data in establishing the TLS connection between the client and EMQX and in subsequent communications. With the PSK authentication enabled, the client and EMQX can authenticate each other and establish a secure connection without the need for certificates or certificate authorities.
This page introduces how to enable PSK authentication in EMQX.
Create a file
data/psk_file.txtin any directory, containing the identity and secret value of the pre-shared key.TIP
The secret value can be any string, but its length must correspond to the selected cipher. For example, if the cipher is TLS_PSK_WITH_AES_128_CBC_SHA, the secret must be 128 bits long.
bash# One data per line, in the format of PSKIdentity:SharedSecret emqx_c:BA0DB2A3448345A3A13A91C2ADA44778 emqx_a:A6FC9EDF62864125AAE7658BEAE6170CAdd the
psk_authenticationconfiguration group in theemqx.confconfiguration file.bashpsk_authentication { enable = true init_file = "data/psk_file.txt" }Configure the SSL listener in the
emqx.confconfiguration file. Modify thelisteners.ssl.defaultgroup by adding the following options.ssl_options.versions: Removetlsv1.3support, sincetlsv1.3version configuration suppresses PSK ciphers.ssl_options.ciphers: Configure to use PSK cipher suits.
TIP
If the
RSA-PSKcipher suites are used, theRSAcertificate is still required, see RFC4279 for details.bashlisteners.ssl.default { acceptors = 4 bind = 8883 ssl_options { ciphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384","RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256","RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"] versions = ["tlsv1.2", "tlsv1.1", "tlsv1"] } }