Mosquitto Ghost Users

I was preparing to set up remote access for my Home Assistant instance. As such I wanted to make sure all my accounts had strong passwords. So I changed the password on the account I was using for MQTT access. After doing so and updating my devices with the new password, none of my devices could connect to the broker anymore. Further testing showed that creating a new HA user worked fine for MQTT access. I thought this was strange, so I dug deeper; here is what I found.

Changing the password in HA for a user breaks its ability to be used with Mosquitto.

Deleting the user and creating a new one with the same name does not work. It seems like Mosquitto keeps a list of users that is separate from the HA users. I am aware I can create users in the Mosquitto configuration page that will only work with Mosquitto, but it does say I can just use the HA users instead and most reading I have done seems to imply the HA users are the preferred method. On my setup, I never created any users in the Mosquitto configuration page.

It's almost like Mosquitto watches for HA users, grabs their details and puts them in some difficult to access (aka not part of the config page) file, but does not respect when user accounts change their passwords or get deleted/recreated. So the accounts become unusable for MQTT if the password changes or the account gets deleted and then later recreated.

I did the following:
created a test user
used MQTT Spy to connect to Mosquitto with its credentials to verify it was working
deleted the test user
reconnected using Spy with the credentials of the deleted user and it still worked. This might have been just a timing thing; possibly if I waited a while Mosquitto would have seen the user was deleted and denied the connection
restarted HA
attempted to reconnect using Spy with the credentials of the deleted user and it failed
recreated the deleted user with the same username and password
attempted to reconnect using Spy with the credentials of the deleted/recreated user and it failed
restarted HA, tried again, failed; rebooted HA, tried again, failed.

I also did basically the same as the above but with a different fresh test user, and instead of deleting the user, all I did was change the user's password, and had the same results.

I am guessing that uninstalling/re-installing Mosquitto will solve this issue, and that's not a big deal to do, but I'm guessing that if I knew where the Mosquitto files were stored I would probably find a file someplace with these orphan/ghost user entries and could delete them.

Or maybe I am just entirely off base and there is a specific way I should be changing the passwords when I want them to work with Mosquitto lol.
Let me know your thoughts!

I also just realized the simplest workaround to this… Just create a new user for MQTT access with a username I've not used before and a strong password. :sweat_smile:

I'm pretty sure the Mosquitto add-on will look up the user in the Home Assistant config/.storage registry, most likely the auth file. So no, deleting the add-on and reinstalling it will probably not help.

Did you restart the add-on after updating the HA user password?

It could be that these users are not correctly updated in the auth file when you edit the passwords. e.g. I have numerous 'system-admin' users left over from previous installs, but am not brave enough to delete them.

Be extremely careful editing this file (or any .storage file). Make a backup, move it off the system. Things can go horribly wrong if you miss one comma in the json config.

If you believe this is a bug you can open a new issue here:

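A safe way to act on the advice above (back the file up, never hand-edit it blind, and look for leftover entries) is to inspect the registry read-only with a script. The one below is an added example, not code from Home Assistant or the Mosquitto add-on; it assumes the auth registry is JSON with a `users` list and a `credentials` list linked by `user_id` (an assumption about the layout, so compare it against your own file), and the sample file content is constructed for the example. It copies the file to a timestamped backup, reports a bad comma as a line/column message instead of a traceback, and lists credentials whose `user_id` no longer matches any user, which is what a "ghost" entry would look like if that theory is right.

```python
import json
import shutil
import sys
from datetime import datetime
from pathlib import Path

# Constructed sample of a Home Assistant .storage/auth registry. The layout
# (users[] plus credentials[] joined on user_id) is an assumption for this
# example; the third credential points at a user id that no longer exists.
SAMPLE_AUTH = """{
  "version": 1,
  "key": "auth",
  "data": {
    "users": [
      {"id": "u1", "name": "Alice", "is_active": true},
      {"id": "u2", "name": "mqtt", "is_active": true}
    ],
    "credentials": [
      {"id": "c1", "user_id": "u1", "auth_provider_type": "homeassistant", "data": {"username": "alice"}},
      {"id": "c2", "user_id": "u2", "auth_provider_type": "homeassistant", "data": {"username": "mqtt"}},
      {"id": "c3", "user_id": "u-deleted", "auth_provider_type": "homeassistant", "data": {"username": "mqtt_old"}}
    ]
  }
}"""


def backup(path: Path) -> Path:
    """Copy the registry to a timestamped .bak next to it before anything else touches it."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = path.with_name(f"{path.name}.{stamp}.bak")
    shutil.copy2(path, dest)
    return dest


def load_auth(text: str) -> dict:
    """Parse the registry text; a JSON syntax error (the missing comma case) becomes a clear message."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        raise ValueError(
            f"auth registry is not valid JSON at line {e.lineno}, column {e.colno}: {e.msg}"
        ) from e
    if doc.get("key") != "auth" or not isinstance(doc.get("data"), dict):
        raise ValueError("file does not look like a Home Assistant auth registry")
    return doc


def inspect_auth(doc: dict) -> dict:
    """List usernames that belong to a live user and those whose user_id matches no user (orphans)."""
    users = {u["id"] for u in doc["data"].get("users", [])}
    report = {"usernames": [], "orphans": []}
    for cred in doc["data"].get("credentials", []):
        username = cred.get("data", {}).get("username")
        bucket = "usernames" if cred.get("user_id") in users else "orphans"
        report[bucket].append(username)
    return report


if __name__ == "__main__":
    # Usage: python inspect_auth.py /config/.storage/auth   (read-only; no argument runs the sample)
    if len(sys.argv) > 1:
        path = Path(sys.argv[1])
        print("backup written to", backup(path))
        text = path.read_text(encoding="utf-8")
    else:
        text = SAMPLE_AUTH
    try:
        result = inspect_auth(load_auth(text))
    except ValueError as err:
        sys.exit(f"refusing to continue: {err}")
    print("live credentials:", result["usernames"])
    print("orphaned credentials:", result["orphans"])
```

The script never writes to the registry itself; if it reports orphans, that is information to attach to a bug report or to decide whether to restart the add-on, not an invitation to edit the JSON by hand.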

The insight is appreciated! I may go over and report it as a bug after I do more testing to make sure it's not just me doing something wrong.

I will take a look at the auth file out of curiosity, but I'm not going to edit it. The workaround of just creating a new user that has never existed before with a strong password is perfectly workable for my situation, so I don't feel the need to "fix" this.

As to your question, I never went into the add-on and told it to restart, but I did tell HA to restart then used Spy to connect again and failed, then told HA to reboot (HA is installed on a laptop as the only OS running) and used Spy to connect and failed again. I had assumed that restarting and rebooting HA would have the same effect as restarting the add-on in addition to clearing out any other odd dust bunnies in HA.

Restarting Home Assistant does not restart add-ons. They keep running in their own docker containers. Only the Home Assistant service restarts.

Rebooting the host machine restarts all containers (HA and add-ons) but this is a drastic measure that should not be required. Just try restarting the add-on after making auth changes.

Good to know, I am pretty new to Home Assistant, thanks for the info!