Embedded MQTT broker does not require password with default config


I am using the embedded MQTT broker in the default configuration:


The documentation states that the API key is used as the default password. However, I am able to connect to the MQTT server (read and write) without providing any credentials.

Is this a bug or am I missing something?

I’ve just spent 6 hours working on my own MQTT set up on my RasPi Home Assistant server.

I have two suspicions for your situation.

  1. Alternate MQTT Server.
    On my installation there was a Mosquitto server running by default.
    Can you run
    ps aux | grep mos
    and if you see a line like:
    mosquit ... usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
    then you have a second server running with a different configuration elsewhere.

  2. You have not disabled anonymous subscription with the
    allow-anonymous: false flag.

Sorry for replying so late.

I am absolutely certain that I never installed an alternative MQTT server.

I am using the embedded broker in its default configuration as described in the docs. I took a look at the code and it is setting the allow-anonymous flag based on whether the API password is empty or not. To be absolutely sure I added a debug log output which prints the generated config.
As expected allow-anonymous is set to false:
{'plugins': ['auth_anonymous', 'auth_file'], 'listeners': {'default': {'max-connections': 50000, 'bind': '', 'type': 'tcp'}, 'ws-1': {'bind': '', 'type': 'ws'}}, 'auth': {'password-file': '/tmp/tmp5hslodwa', 'allow-anonymous': False}}

I have no idea why I am still able to connect without any authentication. I even checked the network packets using Wireshark and there is definitely no username and no password transmitted.
Can you or somebody else reproduce the problem with the default (empty) mqtt configuration?
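
The check described above (confirming that no username or password is sent and seeing whether the broker still accepts the connection) can be scripted. This is an added example, not part of the original posts and not Home Assistant code. It assumes MQTT 3.1.1 on the usual TCP port 1883, and all function names and sample credentials are made up for illustration.

```python
import socket
import struct

# MQTT 3.1.1 CONNACK return codes
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def _mqtt_str(text):
    data = text.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build a CONNECT packet; with no username/password it is anonymous."""
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1 forbids a password without a username")
    flags, payload = 0x02, _mqtt_str(client_id)  # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _mqtt_str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _mqtt_str(password)
    body = _mqtt_str("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive) + payload
    if len(body) > 127:
        raise ValueError("remaining length over 127 is not encoded here")
    return bytes([0x10, len(body)]) + body

def credential_flags(connect_packet):
    """Return (username_flag, password_flag) as seen in a captured CONNECT."""
    if connect_packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    i = 1
    while connect_packet[i] & 0x80:  # skip continuation bytes of remaining length
        i += 1
    i += 1                                          # first byte of variable header
    name_len = struct.unpack("!H", connect_packet[i:i + 2])[0]
    flags = connect_packet[i + 2 + name_len + 1]    # after name and level byte
    return bool(flags & 0x80), bool(flags & 0x40)

def parse_connack(packet):
    """Map the broker's 4-byte CONNACK to its return-code meaning."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return CONNACK_CODES.get(packet[3], "unknown code %d" % packet[3])

def probe_anonymous(host, port=1883, timeout=5.0):
    """Send an anonymous CONNECT to your own broker and report its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("anon-check"))
        return parse_connack(sock.recv(4))
```

If `probe_anonymous` returns "accepted" for a broker whose generated config has allow-anonymous set to False, the broker is not enforcing that setting; a refusal code is the expected answer.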

Hey, I can reproduce it on my HA instance as well. I’ve installed the latest version 0.49 using Hassbian on my Raspberry Pi 3.

Has anybody found a solution to this?