Mosquitto without auth

Hi,
I have just installed Home Assistant on a Pi using the OS image file.
I have installed Mosquitto via the UI, however the log shows me:

Socket error on client , disconnecting.
1639159576: New connection from 192.168.1.31 on port 1883.

Looking into this, it appears that Mosquitto is not allowing unauthenticated connections - but my attempts so far to disable authentication have failed. Any ideas?

I’m pretty sure that the addon uses home assistant users for authentication. So the easiest thing for you to do - is add a new Home Assistant user specifically for mqtt.

I had assumed the issue here was that devices were trying to connect to Mosquitto and having their connections refused. Unfortunately not all of my devices support authentication, which isn’t generally a problem on a closed network… I know I can configure standalone Mosquitto to allow unauthenticated connections. But so far I haven’t managed it with HA:

certfile: fullchain.pem
customize:
  active: false
  folder: mosquitto
keyfile: privkey.pem
logins:
require_certificate: false
anonymous: true

Create /share/mosquitto/acl.conf with the contents:

acl_file /share/mosquitto/accesscontrollist

Create /share/mosquitto/accesscontrollist with the contents:

topic readwrite #

Restart the addon, it should now allow anyone to read and write to the broker without authentication.

Thanks - I tried the above, along with this suggestion (very similar to yours):

Bizarrely, I do now get a single device connecting. However, all other devices - including HA itself connecting from localhost - are rejected.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] mosquitto.sh: executing... 
[18:25:11] INFO: SSL is not enabled
[cont-init.d] mosquitto.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[18:25:12] INFO: Starting NGINX for authentication handling...
[18:25:12] INFO: Starting mosquitto MQTT broker...
1639160712: mosquitto version 1.6.12 starting
1639160712: |-- *** auth-plug: startup
[18:25:13] INFO: Successfully send discovery information to Home Assistant.
[18:25:13] INFO: Successfully send service information to the Supervisor.
1639160712: Config loaded from /etc/mosquitto/mosquitto.conf.
1639160712: Loading plugin: /usr/share/mosquitto/auth-plug.so
1639160712:  ├── Username/password checking enabled.
1639160712:  ├── TLS-PSK checking enabled.
1639160712:  └── Extended authentication not enabled.
1639160712: Opening ipv4 listen socket on port 1883.
1639160712: Opening ipv6 listen socket on port 1883.
1639160712: Opening websockets listen socket on port 1884.
1639160712: Warning: Mosquitto should not be run as root/administrator.
1639160712: mosquitto version 1.6.12 running
1639160712: New connection from 127.0.0.1 on port 1883.
1639160712: Socket error on client <unknown>, disconnecting.
1639160748: New client connected from 192.168.1.153 as OTGW2C:F4:32:57:D8:CD (p2, c1, k15).
1639160782: New connection from 192.168.1.48 on port 1883.
401: Unauthorized1639160782: Socket error on client <unknown>, disconnecting.

Because you are using an ACL file, any device now that has a username and password, either needs to be connecting anonymously - or there needs to be a line in the ACL file for that user:

user device-username
topic readwrite #

If the user does not exist in the ACL file, then it will be rejected.
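
An added example (not part of the posts in this thread and not the add-on's own code): a small Python check that parses a Mosquitto ACL file in the format shown above and lists which principals hold a write grant on `#`. Rules before the first `user` line apply to anonymous clients; the `sensor-only` user and its topics are constructed for illustration.

```python
ACCESS = {"read", "write", "readwrite", "deny"}

# Constructed sample: the thread's ACL plus a hypothetical narrower user.
SAMPLE_ACL = """\
topic readwrite #

user device-username
topic readwrite #

user sensor-only
topic write sensors/#
topic read cmnd/sensor-only/#
"""


def parse_acl(text):
    """Return {principal: [(access, topic)]}; the None key is anonymous clients."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = rest  # following topic lines belong to this user
            rules.setdefault(current, [])
        elif keyword == "topic":
            first, _, remainder = rest.partition(" ")
            if first in ACCESS and remainder:
                access, topic = first, remainder.strip()
            else:
                access, topic = "readwrite", rest  # access omitted: readwrite
            rules.setdefault(current, []).append((access, topic))
        # other keywords (e.g. pattern) are outside this example and skipped
    return rules


def broad_write(rules):
    """Principals holding a write or readwrite grant on the '#' wildcard."""
    return sorted(
        "<anonymous>" if who is None else who
        for who, acl in rules.items()
        if any(t == "#" and a in ("write", "readwrite") for a, t in acl)
    )


if __name__ == "__main__":
    print(broad_write(parse_acl(SAMPLE_ACL)))
```

Running it against the file in /share/mosquitto shows at a glance whether unauthenticated clients can publish to every topic, which is worth knowing before other devices join the same network.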

Interesting.
Most of my devices are Tasmota. Setting a blank username and password via the Tasmota web UI does not work - they reset to their (non blank) defaults. However, disabling both at the command line:

MqttUser 0
MqttPassword 0

Does allow the devices to connect.

This workaround works in that case - once I have configured all the devices.
I know if this was a standalone install of Mosquitto, I could enable anonymous logins, at which point Mosquitto would simply ignore any auth - and let clients connect whatever credentials they passed. Is this something that can be enabled when using the HA installed Mosquitto?

A default standalone install of Mosquitto does not have any auth enabled by default; you have to run a bundled tool in order to add users and passwords to (standalone) Mosquitto. If you attempt to connect with a username that does not exist, it will still reject the connection. It’s not really anonymous as such - it just doesn’t have any users configured out-of-the-box.

Ah thanks.
I have just run a script to blank all my MQTT device credentials, which has done the trick.

It would be nice were there a way to run HA Mosquitto such that it would accept any connections, whether auth was provided or not - which I did have working with my standalone install, but there may be good reasons this is not possible, and for now all is working!

Thanks for your help with this one, and have a good weekend!

I may not be correct when it comes to how it handles usernames being passed to it on a default install, it’s been a while. I know that I have to Google just to remember how to add a new user to it haha.

I have the same problem.
Communication between anonymous clients running on different servers and mosquitto broker on HA is not working.

This method did not solve the problem.

This custom addon solved.

Can anyone come up with a solution for this problem on an existing addon?

I can second that.

I have some clients in my network, that do not support mqtt auth. My setup was working fine but suddenly anonymous login is not working anymore.

I’m in that situation when trying to update (in HA as add on) from 6.0.2 to 6.1.1.

I just rolled back and everything works again.

It seems that the new auth version rejects unknown clients…