MQTT Broker 127.0.0.1 do not enforce authentication if specified #3198

Open
vphatfla opened this issue Jan 10, 2025 · 0 comments
Labels
Status: Available No one has claimed responsibility for resolving this issue.

vphatfla commented Jan 10, 2025

Problem Statement:

When mosquitto mqtt is running locally (bound to 127.0.0.1), it does not enforce authentication even though the config file explicitly says so.

Problem Details:

  • From migration document: https://mosquitto.org/documentation/migrating-to-2-0/
  • It is understandable that without explicitly specifying the listener 1893, mosquitto will automatically bind this to the local loopback network interface and default to allow_anonymous = true for faster development.
  • However, if the user explicitly specifies that allow_anonymous = false and password_file = ... then mosquitto should enforce the given auth configuration.

Version:

latest/stable:    2.0.20 2024-10-17 (904)   1MB -

OS Host:

Windows 11, WSL2 Ubuntu

Configuration file:

allow_anonymous false
password_file /var/snap/mosquitto/common/pfile

Observation:

This allowed local clients (mosquitto_sub) to connect without a username and password, BUT refused connections from local clients that use a wrong username and password!

Terminal output:

sudo snap start mosquitto
Started.
➜  common mosquitto_sub -t 'test/topic'
^C%
➜  common mosquitto_sub -t 'test/topic' -u 'user1' -P '12345'
^C%
➜  common mosquitto_sub -t 'test/topic' -u 'user1' -P '1235'
Connection error: Connection Refused: not authorised.

Mosquitto logs:

2025-01-10T16:07:19-05:00 mosquitto.mosquitto[1862]: 1736543239: mosquitto version 2.0.20 running
2025-01-10T16:07:35-05:00 mosquitto.mosquitto[1862]: 1736543255: New connection from 127.0.0.1:38666 on port 1883.
2025-01-10T16:07:35-05:00 mosquitto.mosquitto[1862]: 1736543255: New client connected from 127.0.0.1:38666 as auto-64587741-8E31-7DB1-1720-37D20E7147E3 (p2, c1, k60). 
2025-01-10T16:07:40-05:00 mosquitto.mosquitto[1862]: 1736543260: Client auto-64587741-8E31-7DB1-1720-37D20E7147E3 disconnected.
2025-01-10T16:07:49-05:00 mosquitto.mosquitto[1862]: 1736543269: New connection from 127.0.0.1:44386 on port 1883.
2025-01-10T16:07:49-05:00 mosquitto.mosquitto[1862]: 1736543269: New client connected from 127.0.0.1:44386 as auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 (p2, c1, k60, u'user1').
2025-01-10T16:07:50-05:00 mosquitto.mosquitto[1862]: 1736543270: Client auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 disconnected.
2025-01-10T16:07:53-05:00 mosquitto.mosquitto[1862]: 1736543273: New connection from 127.0.0.1:44388 on port 1883.
2025-01-10T16:07:53-05:00 mosquitto.mosquitto[1862]: 1736543273: Client auto-39BFE5B3-B20E-06BB-04FD-CC9B7BF7D554 disconnected, not authorised.

Suggestion:

I believe this is a bug, not a feature :). It should not be too difficult to fix.

@github-actions github-actions bot added the Status: Available No one has claimed responsibility for resolving this issue. label Jan 10, 2025
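
An added example (not part of the issue and not Mosquitto project code): an audit of broker log lines in the format quoted above that flags sessions accepted without a u'...' field, the outcome the reporter's allow_anonymous false setting is meant to rule out. The sample lines are the issue's own log entries with the syslog prefix stripped; the function and variable names are assumptions of this example.

```python
import re

# Constructed sample: the log entries quoted in the issue, syslog prefix stripped.
SAMPLE_LOG = """\
1736543255: New connection from 127.0.0.1:38666 on port 1883.
1736543255: New client connected from 127.0.0.1:38666 as auto-64587741-8E31-7DB1-1720-37D20E7147E3 (p2, c1, k60).
1736543260: Client auto-64587741-8E31-7DB1-1720-37D20E7147E3 disconnected.
1736543269: New connection from 127.0.0.1:44386 on port 1883.
1736543269: New client connected from 127.0.0.1:44386 as auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 (p2, c1, k60, u'user1').
1736543270: Client auto-A7B73041-E4B3-BA1E-4A6B-B7E5C6F76B47 disconnected.
1736543273: New connection from 127.0.0.1:44388 on port 1883.
1736543273: Client auto-39BFE5B3-B20E-06BB-04FD-CC9B7BF7D554 disconnected, not authorised.
"""

# Accepted session: "<ts>: New client connected from <addr> as <id> (<flags>)."
CONNECTED = re.compile(
    r"(?P<ts>\d+): New client connected from (?P<addr>\S+) as (?P<cid>.+?) "
    r"\((?P<flags>p\d.*)\)\.?\s*$"
)
# The flags carry u'<name>' only when the CONNECT packet included a username.
USERNAME = re.compile(r", u'(?P<user>.*)'$")
# Refused session: "<ts>: Client <id> disconnected, not authorised."
REJECTED = re.compile(r"(?P<ts>\d+): Client (?P<cid>.+?) disconnected, not authorised\.")


def audit(log_text):
    """Split broker log lines into anonymous, authenticated and rejected sessions."""
    anonymous, authenticated, rejected = [], [], []
    for line in log_text.splitlines():
        m = CONNECTED.search(line)
        if m:
            u = USERNAME.search(m["flags"])
            rec = {"ts": int(m["ts"]), "addr": m["addr"], "client_id": m["cid"],
                   "user": u["user"] if u else None}
            (authenticated if u else anonymous).append(rec)
            continue
        m = REJECTED.search(line)
        if m:
            rejected.append({"ts": int(m["ts"]), "client_id": m["cid"]})
    return anonymous, authenticated, rejected


if __name__ == "__main__":
    anon, auth, rej = audit(SAMPLE_LOG)
    for s in anon:
        print(f"anonymous session accepted: {s['client_id']} from {s['addr']} at {s['ts']}")
    print(f"{len(auth)} authenticated, {len(rej)} rejected")
```

The patterns use search rather than match, so lines that still carry the syslog prefix shown in the issue are parsed the same way.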