mosquitto_passwd man page

Run in batch mode. This allows the password to be provided at the command line which can be convenient but should be used with care because the password will be visible on the command line and in command history.

Create a new password file. If the file already exists, it will be overwritten. If the filename is specified as a dash - then the output will be to stdout. This only really makes sense with -b.

Delete the specified user from the password file.

Choose the hash to use. Can be one of argon2id, sha512-pbkdf2, or sha512. Defaults to argon2id. The sha512 option is provided for creating password files for use with Mosquitto 1.6 and earlier.

This option can be used to upgrade/convert a password file with plain text passwords into one using hashed passwords. It will modify the specified file. It does not detect whether passwords are already hashed, so using it on a password file that already contains hashed passwords will generate new hashes based on the old hashes and render the password file unusable.

The password file to modify.

The username to add/update/delete.

The password to use when in batch mode.

By default, sensitive file with a path including a symbolic link will be refused to be loaded. Set this environment variable to any value to allow load files through symbolic links. Note that making use of this variable could expose you to symlink attacks and so it should only be used in cases where you are absolutely sure this is not a risk.