WTH: MQTT users

HAOS - Addon - Mosquitto

Any user can log in to MQTT using their username and password. This is not secure. The MQTT user in HA users should be exclusive.

Reproduce:
settings - people - users - add user:
username: test123
password: test456

Open up MQTTExplorer (or whatever external MQTT browser you prefer), and log in to Mosquitto using the test123 account. Full access!

This is not a sensible security policy. Teenagers like to mess with stuff; if your kids have a HA login, they can really do some damage (accidentally, or not).

I know this can be fixed by adding active: true to the mosquitto addon config, but it really shouldn’t be required; HA should not allow HA users to access mqtt; the only user to have access should be configured in the plugin, imho.

You can create an ACL file to control this. It is in the addon documentation.

1 Like
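The ACL file mentioned above is what actually confines a broker login once `active: true` is set. As an added example (not the add-on's or Mosquitto's own code), here is a small evaluator for the acl_file format with a constructed ACL embedded in it; the user name `homeassistant`, the `devices/<username>/` namespace and the client ids are assumptions chosen for the demo, and the `deny` keyword is not modelled.

```python
# Added example (not Mosquitto's code): evaluates a Mosquitto acl_file so an ACL
# can be checked before deploying it. Handles 'user', 'topic' and 'pattern' lines.
# Constructed sample: the MQTT integration login gets everything; every other
# broker login (e.g. a Home Assistant user) is confined to devices/<username>/.
SAMPLE_ACL = """
user homeassistant
topic readwrite #
pattern readwrite devices/%u/#
"""

def _rule(parts):
    # "topic [read|write|readwrite] <filter>": access defaults to readwrite
    if parts[0] in ("read", "write", "readwrite"):
        return parts[0], " ".join(parts[1:])
    return "readwrite", " ".join(parts)

def parse_acl(text):
    # anon: 'topic' lines before any 'user'; users: name -> rules; patterns: %u/%c
    acl = {"anon": [], "users": {}, "patterns": []}
    current = acl["anon"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comment line, not the '#' wildcard
            continue
        parts = line.split()
        if parts[0] == "user":
            current = acl["users"].setdefault(parts[1], [])
        elif parts[0] == "topic":
            current.append(_rule(parts[1:]))
        elif parts[0] == "pattern":
            acl["patterns"].append(_rule(parts[1:]))
    return acl

def topic_matches(filt, topic):
    # MQTT filter semantics: '+' matches one level, '#' matches the remainder
    f, t = filt.split("/"), topic.split("/")
    for i, seg in enumerate(f):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(f) == len(t)

def allowed(acl, username, client_id, topic, access):
    # Default deny: only an explicit matching rule grants 'read' or 'write'
    rules = list(acl["users"].get(username, [])) if username else list(acl["anon"])
    for mode, filt in acl["patterns"]:
        rules.append((mode, filt.replace("%u", username or "").replace("%c", client_id)))
    return any(access in mode and topic_matches(filt, topic) for mode, filt in rules)
```

With this ACL the test123 login from the report still authenticates, but every publish or subscribe outside devices/test123/ is refused by the broker.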

Yes, I know that I can use ACL and I do, but my point is, I shouldn’t really have to because protecting against internal network attacks should be the default security option here.

All the people who don’t want to manage users would disagree with you. That’s why it was made the way it was. It used to be like what you describe, but there were so many configuration questions that it moved in that direction. So now, it’s up to you to control the security.

In v6.0, Mosquitto changed the defaults so anonymous logins were no longer allowed by default; previously they were. They also recommended not allowing that because not requiring a login is insecure, obviously.

So when the Mosquitto addon updated to v6.0 of the broker, anonymous login support was turned off and disabled, since it was decided the addon should follow Mosquitto’s guidance and require this really basic level of security.

There was a pretty large backlash. Turns out quite a lot of users were using that and not using authentication at all. There are still issues open about it. There are also now a number of forks running around where people made their own version of the addon with auth disabled so they could keep doing that.

So yea, I don’t agree. And I think there’s a lot of users that also don’t agree, possibly most. If a lot of users consider auth at all too much of a burden, I bet a lot more consider managing separate auth just for MQTT far too much. What you’re suggesting is also a big breaking change, so there would have to be very strong reasoning to justify that.

I get it. I do have a list of logins in the MQTT addon and my own ACL list to manage access. But I’m very certain I am in the minority, and I don’t think the defaults should cater to users like me.

1 Like