Anonymous authentication for MQTT requires username and password since ejabberd 22.05

[killstrelok]

Environment

• ejabberd version: 22.05 and later (23.01 is affected by this as well)
• Erlang version: N/A
• OS: Linux (Ubuntu 20.04)
• Installed from: docker image but same applies to official debs

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

loglevel: 5
log_rotate_count: 0
log_rotate_date: ""
hosts:
  - localhost
  - 10.100.10.109
define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  'TLS_OPTIONS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
listen:
  -
    port: 1883
    ip: "::"
    module: mod_mqtt
    backlog: 1000
disable_sasl_mechanisms:
  - "X-OAUTH2"
s2s_use_starttls: required
auth_password_format: scram
auth_method:
  - anonymous
anonymous_protocol: both
auth_use_cache: false
acl:
  admin:
     user:
       - ""
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          acl: loopback
          acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            acl: loopback
            acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number
shaper:
  normal: 1000
  fast: 50000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    5000: admin
    100: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco: {}
  mod_echo: {}
  mod_fail2ban: {}
  mod_http_api: {}
  mod_last: {}
  mod_mqtt: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      mam: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_pres_counter:
    count: 5
    interval: 60
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - flat
      - pep
    force_node_config:
      "eu.siacs.conversations.axolotl.*":
        access_model: open
      storage:bookmarks:
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_roster:
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_sic: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_version: {}

Errors from error.log/crash.log

Running: mosquitto_sub -h 10.100.10.109 -p 1883 -t test Results in:

Connection error: Connection Refused: not authorised.

in ejabberd logs I can see below

2023-02-01 12:32:47.463353+00:00 [info] (<0.869.0>) Accepted connection [::ffff:10.77.28.161]:36170 -> [::ffff:172.17.0.2]:1883
2023-02-01 12:32:47.464113+00:00 [debug] Got MQTT packet:
#connect{proto_level = 4,will = undefined,clean_start = true,keep_alive = 60,
         client_id = <<"mosq-c59Qkbpk2XHHBUwUwI">>,username = <<>>,
         password = <<>>,will_properties = #{},properties = #{}}
2023-02-01 12:32:47.464791+00:00 [warning] Rejected MQTT connection from ::ffff:10.77.28.161: Authentication failed: Not authorized
2023-02-01 12:32:47.466788+00:00 [debug] Send MQTT packet:
#connack{session_present = false,code = 'not-authorized',properties = #{}}

providing any username/password combo (made up completely) allows the client to connect and below can be seen in ejabberd logs:

2023-02-01 12:46:47.438401+00:00 [debug] Got MQTT packet:
#connect{proto_level = 4,will = undefined,clean_start = true,keep_alive = 60,
         client_id = <<"mosq-HGkjEiY3btVGwxjthc">>,
         username = <<"thisisabug">>,password = <<"ithink">>,
         will_properties = #{},properties = #{}}
2023-02-01 12:46:47.440945+00:00 [info] Accepted MQTT authentication for thisisabug@localhost/mosq-HGkjEiY3btVGwxjthc by anonymous backend from ::ffff:10.77.28.161
2023-02-01 12:46:47.444547+00:00 [info] Opened MQTT session for thisisabug@localhost/mosq-HGkjEiY3btVGwxjthc from ::ffff:10.77.28.161
2023-02-01 12:46:47.444818+00:00 [debug] Setting MQTT keep-alive to 90 seconds
2023-02-01 12:46:47.445222+00:00 [debug] Send MQTT packet:
#connack{session_present = false,code = success,
         properties = #{server_keep_alive => 60,session_expiry_interval => 0,
                        shared_subscription_available => false,
                        topic_alias_maximum => 100}}
2023-02-01 12:46:47.540689+00:00 [debug] Got MQTT packet:
#subscribe{id = 1,
           filters = [{<<"test">>,
                       #sub_opts{qos = 0,no_local = false,
                                 retain_as_published = false,
                                 retain_handling = 0}}],
           properties = #{},meta = #{}}
2023-02-01 12:46:47.541652+00:00 [debug] Send MQTT packet:
#suback{id = 1,codes = ['granted-qos-0'],properties = #{}}

Bug description

Since version 22.05 anonymous auth is broken for MQTT when client does not supply any credentials. It completely prevents users from connecting if they don't provide any (even fake) credentials. Last working version is 21.12.

Regards

[prefiks]

Should be fixed by commit 1a6baf223c6b0b17a8d0492b7c22cf39fd1fcccc.