Reputation: 65
I installed mosquitto on Debian 9
apt-get install mosquitto mosquitto-clients
did a restart:
service mosquitto restart
tested it
mosquitto_pub -d -t My/Topic2 -m "Hello MQTT"
no error message
created a password
mosquitto_passwd -c /etc/mosquitto/passwd myUsername
created an aclfile
touch /etc/mosquitto/aclfile
nano /etc/mosquitto/aclfile
with this content:
# This affects access control for clients with no username.
topic read myTopic/#
# This only affects clients with username "myUsername".
user myUsername
topic myTopic/#
# This affects all clients.
pattern write $SYS/broker/connection/%c/state
inserted the path to the acl_file into this file
nano /etc/mosquitto/mosquitto.conf
acl_file /etc/mosquitto/aclfile
password_file /etc/mosquitto/passwd
So the plan is that user "myUsername" can publish in "myTopic" and all other users, including guests, can only read.
I had this configuration already running on another server, but in this case something is wrong. The 1st time I tested, I forgot to add the password_file path to the mosquitto.conf and got the Error: Connection refused, both if I want to publish and if I want only to subscribe.
OK, I fixed this problem, but now I can publish without username / password
and of course I did the restart:
service mosquitto restart
So if I send
mosquitto_pub -d -t myTopic/test -m "Access denied is expected"
I get no error, looks like the message is published
if I open a second shell (and also from a remote machine) I can subscribe
mosquitto_sub -d -t myTopic/test
but if I publish something to this topic nothing is received (Ping is working)
Any ideas for my 2 problems ?
PS: I am NO Linux professional so if you want more information please provide me with the correct information how to get this information
EDIT: if I use
ps -efc
this is the only entry with mosquitto
mosquit+ 736 1 TS 19 21:36 ? 00:00:02 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
in the log
nano /var/log/mosquitto/mosquitto.log
I get
ACL denying access to client with dangerous client id "mosqpub/7977-Debian-93-"
ACL denying access to client with dangerous client id "mosqpub/356-h2700629"
but according to Google this should have been fixed already last year
I am using mosquitto version 1.4.10
Upvotes: 2
Views: 2260
Reputation: 21374
Ran into the same issue and found out that it was about the / in the username/client-id. From https://github.com/eclipse/mosquitto/blob/5c45bc4e8407d94d29b39152b580d2b4cc8082e9/src/security.c#L609-L610:
/* Check whether the client id or username contains a +, # or / and if
* so deny access.
Removing the '/' made it work again.
Upvotes: 0
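The rule quoted in the answer above matters for pattern ACL lines such as the question's `pattern write $SYS/broker/connection/%c/state`, where the client id is substituted into a topic and a `/`, `+` or `#` in the id would change the topic's structure. The following is an added example, not mosquitto's code and not part of the original posts; the function names `has_topic_metachar` and `expand_pattern` are hypothetical. It applies the same rule to the two client ids from the question's log and to one constructed id without a `/`:

```c
#include <stdio.h>
#include <string.h>

/* Illustration only, not mosquitto's code; function names are hypothetical. */
/* Returns 1 if s contains an MQTT topic metacharacter: '+', '#' or '/'. */
int has_topic_metachar(const char *s)
{
    return s != NULL && strpbrk(s, "+#/") != NULL;
}

/* Expands %c (client id) and %u (username) in an ACL pattern into out.
 * Returns 0 on success, -1 if the result does not fit in outlen bytes. */
int expand_pattern(const char *pattern, const char *client_id,
                   const char *username, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const char *p = pattern; *p; p++) {
        const char *sub = NULL;
        if (p[0] == '%' && p[1] == 'c') sub = client_id;
        else if (p[0] == '%' && p[1] == 'u') sub = username;
        if (sub) {
            size_t len = strlen(sub);
            if (n + len >= outlen) return -1;
            memcpy(out + n, sub, len);
            n += len;
            p++;                       /* skip the 'c' or 'u' */
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* First two ids are from the question's log; "sensor-01" is constructed. */
    const char *ids[] = { "mosqpub/7977-Debian-93-", "mosqpub/356-h2700629", "sensor-01" };
    char topic[256];
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        expand_pattern("$SYS/broker/connection/%c/state", ids[i], "", topic, sizeof topic);
        printf("%-24s -> %-52s %s\n", ids[i], topic,
               has_topic_metachar(ids[i]) ? "DENY (dangerous id)" : "ok");
    }
    return 0;
}
```

With mosquitto_pub and mosquitto_sub the client id is set with -i, which replaces the default mosqpub/... form seen in the log.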
Reputation: 59751
When a user is not allowed to publish to a topic the publish will just silently fail. This is working as designed for MQTT (at least at MQTT v3.x).
You also probably need to add allow_anonymous false if you want to prevent clients that do not pass a username/password.
To get the latest version of mosquitto, follow the instructions on https://mosquitto.org/download/ to install the correct PPA.
Upvotes: 1