Problem Statement:
When mosquitto mqtt is running locally (bound to 127.0.0.1), it does not enforce authentication even though the config file explicitly says so.
Problem Details:
- From migration document: https://mosquitto.org/documentation/migrating-to-2-0/
- It is understandable that without explicitly specifying the listener 1893, mosquitto will automatically bind this to the local loopback network interface and default to allow_anonymous = true for faster development.
- However, if the user explicitly specifies that allow_anonymous = false and password_file = ... then mosquitto should enforce the given auth configuration.
Version:
latest/stable: 2.0.20 2024-10-17 (904) 1MB -
OS Host:
Configuration file:
allow_anonymous false
password_file /var/snap/mosquitto/common/pfile
Observation:
This allowed local clients (mosquitto_sub) to connect without a username and password, BUT refused connections from local clients that use a wrong username and password!
Terminal Output:
sudo snap start mosquitto
Started.
➜ common mosquitto_sub -t 'test/topic'
^C%
➜ common mosquitto_sub -t 'test/topic' -u 'user1' -P '12345'
^C%
➜ common mosquitto_sub -t 'test/topic' -u 'user1' -P '1235'
Connection error: Connection Refused: not authorised.
Mosquitto logs:
2025-01-10T16:07:19-05:00 mosquitto.mosquitto[1862]: 1736543239: mosquitto version 2.0.20 running
2025-01-10T16:07:35-05:00 mosquitto.mosquitto[1862]: 1736543255: New connection from 127.0.0.1:38666 on port 1883.
2025-01-10T16:07:35-05:00 mosquitto.mosquitto[1862]: 1736543255: New client connected from 127.0.0.1:38666 as auto-64587741-8E31-7DB1-1720-37D20E7147E3 (p2, c1, k60).
2025-01-10T16:07:40-05:00 mosquitto.mosquitto[1862]: 1736543260: Client auto-64587741-8E31-7DB1-1720-37D20E7147E3 disconnected.
2025-01-10T16:07:49-05:00 mosquitto.mosquitto[1862]: 1736543269: New connection from 127.0.0.1:44386 on port 1883.
2025-01-10T16:07:49-05:00 mosquitto.mosquitto[1862]: 1736543269: New client connected from 127.0.0.1:44386 as auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 (p2, c1, k60, u'user1').
2025-01-10T16:07:50-05:00 mosquitto.mosquitto[1862]: 1736543270: Client auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 disconnected.
2025-01-10T16:07:53-05:00 mosquitto.mosquitto[1862]: 1736543273: New connection from 127.0.0.1:44388 on port 1883.
2025-01-10T16:07:53-05:00 mosquitto.mosquitto[1862]: 1736543273: Client auto-39BFE5B3-B20E-06BB-04FD-CC9B7BF7D554 disconnected, not authorised.
Suggestion:
I believe this is a bug, not a feature :). It should not be too difficult to fix.
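
Added example, not part of the original report and not Mosquitto project code: a small audit that reads a broker config and log and lists sessions that were accepted without a username while the config says allow_anonymous false. The config and log lines are copied from the report as constructed sample input; the assumption, taken from those log lines, is that an authenticated connect carries a trailing u'<name>' field and an anonymous one does not.

```python
import re

# Constructed sample input: config and log lines copied from the report above.
CONFIG = """\
allow_anonymous false
password_file /var/snap/mosquitto/common/pfile
"""
LOG = """\
2025-01-10T16:07:35-05:00 mosquitto.mosquitto[1862]: 1736543255: New client connected from 127.0.0.1:38666 as auto-64587741-8E31-7DB1-1720-37D20E7147E3 (p2, c1, k60).
2025-01-10T16:07:49-05:00 mosquitto.mosquitto[1862]: 1736543269: New client connected from 127.0.0.1:44386 as auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 (p2, c1, k60, u'user1').
2025-01-10T16:07:53-05:00 mosquitto.mosquitto[1862]: 1736543273: Client auto-39BFE5B3-B20E-06BB-04FD-CC9B7BF7D554 disconnected, not authorised.
"""

# Accepted-connection line: address, client id, then the parenthesised flags.
CONNECT_RE = re.compile(
    r"New client connected from (?P<addr>\S+) as (?P<client_id>\S+) "
    r"\((?P<flags>.*)\)\.?\s*$"
)
# Assumption: the username, when present, is the last flag, written u'<name>'.
USER_RE = re.compile(r", u'(?P<user>.*)'$")


def anonymous_disallowed(config_text):
    """True if the last allow_anonymous directive in the config is 'false'."""
    value = None
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "allow_anonymous":
            value = parts[1]
    return value == "false"


def anonymous_sessions(log_text):
    """Return (address, client_id) for accepted connections with no username."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and not USER_RE.search(m.group("flags")):
            hits.append((m.group("addr"), m.group("client_id")))
    return hits


def audit(config_text, log_text):
    """Sessions that contradict an explicit 'allow_anonymous false'."""
    return anonymous_sessions(log_text) if anonymous_disallowed(config_text) else []


if __name__ == "__main__":
    for addr, cid in audit(CONFIG, LOG):
        print(f"accepted without username despite allow_anonymous false: {cid} from {addr}")
```

Run against the broker's real log, a non-empty result means the running broker is not applying the auth settings in the file that was audited, which is also worth checking against which config file the service actually loaded.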