Closed killstrelok closed 1 year ago
```yaml
loglevel: 5
log_rotate_count: 0
log_rotate_date: ""
hosts:
  - localhost
  - 10.100.10.109
define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  'TLS_OPTIONS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
listen:
  - port: 1883
    ip: "::"
    module: mod_mqtt
    backlog: 1000
disable_sasl_mechanisms:
  - "X-OAUTH2"
s2s_use_starttls: required
auth_password_format: scram
auth_method:
  - anonymous
anonymous_protocol: both
auth_use_cache: false
acl:
  admin:
    user:
      - ""
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          acl: loopback
          acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            acl: loopback
            acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number
shaper:
  normal: 1000
  fast: 50000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    5000: admin
    100: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco: {}
  mod_echo: {}
  mod_fail2ban: {}
  mod_http_api: {}
  mod_last: {}
  mod_mqtt: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      mam: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_pres_counter:
    count: 5
    interval: 60
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - flat
      - pep
    force_node_config:
      "eu.siacs.conversations.axolotl.*":
        access_model: open
      storage:bookmarks:
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_roster:
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_sic: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_version: {}
```
Running:

```
mosquitto_sub -h 10.100.10.109 -p 1883 -t test
```

Results in:

```
Connection error: Connection Refused: not authorised.
```
In the ejabberd logs I can see the following:

```
2023-02-01 12:32:47.463353+00:00 [info] (<0.869.0>) Accepted connection [::ffff:10.77.28.161]:36170 -> [::ffff:172.17.0.2]:1883
2023-02-01 12:32:47.464113+00:00 [debug] Got MQTT packet: #connect{proto_level = 4,will = undefined,clean_start = true,keep_alive = 60, client_id = <<"mosq-c59Qkbpk2XHHBUwUwI">>,username = <<>>, password = <<>>,will_properties = #{},properties = #{}}
2023-02-01 12:32:47.464791+00:00 [warning] Rejected MQTT connection from ::ffff:10.77.28.161: Authentication failed: Not authorized
2023-02-01 12:32:47.466788+00:00 [debug] Send MQTT packet: #connack{session_present = false,code = 'not-authorized',properties = #{}}
```
Providing any username/password combo (completely made up) allows the client to connect, and the following can be seen in the ejabberd logs:

```
2023-02-01 12:46:47.438401+00:00 [debug] Got MQTT packet: #connect{proto_level = 4,will = undefined,clean_start = true,keep_alive = 60, client_id = <<"mosq-HGkjEiY3btVGwxjthc">>, username = <<"thisisabug">>,password = <<"ithink">>, will_properties = #{},properties = #{}}
2023-02-01 12:46:47.440945+00:00 [info] Accepted MQTT authentication for thisisabug@localhost/mosq-HGkjEiY3btVGwxjthc by anonymous backend from ::ffff:10.77.28.161
2023-02-01 12:46:47.444547+00:00 [info] Opened MQTT session for thisisabug@localhost/mosq-HGkjEiY3btVGwxjthc from ::ffff:10.77.28.161
2023-02-01 12:46:47.444818+00:00 [debug] Setting MQTT keep-alive to 90 seconds
2023-02-01 12:46:47.445222+00:00 [debug] Send MQTT packet: #connack{session_present = false,code = success, properties = #{server_keep_alive => 60,session_expiry_interval => 0, shared_subscription_available => false, topic_alias_maximum => 100}}
2023-02-01 12:46:47.540689+00:00 [debug] Got MQTT packet: #subscribe{id = 1, filters = [{<<"test">>, #sub_opts{qos = 0,no_local = false, retain_as_published = false, retain_handling = 0}}], properties = #{},meta = #{}}
2023-02-01 12:46:47.541652+00:00 [debug] Send MQTT packet: #suback{id = 1,codes = ['granted-qos-0'],properties = #{}}
```
Since version 22.05, anonymous auth is broken for MQTT when the client does not supply any credentials. It completely prevents users from connecting if they don't provide any (even fake) credentials. The last working version is 21.12.
Regards
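The two CONNECT/CONNACK exchanges in the logs above, reproduced as an added example that is not ejabberd's or mosquitto's own code: a small MQTT 3.1.1 encoder/decoder that builds the CONNECT packet `mosquitto_sub` sends with and without credentials, decodes the broker's CONNACK return code, and can replay both variants against a live broker to check whether it rejects the credential-less connect while accepting made-up credentials, as this issue describes. The default port, the client identifiers, the `probe` helper and the sample CONNACK bytes are constructed for this example, not taken from the page.

```python
"""MQTT 3.1.1 CONNECT/CONNACK probe for the anonymous-auth case in this issue.

Added example, not ejabberd's or mosquitto's code. Client identifiers, the
probe helper and the sample CONNACK bytes below are constructed assumptions.
"""
import socket
import struct
from typing import Dict, Optional

# MQTT 3.1.1 CONNACK return codes (MQTT-3.2.2-6)
CONNACK_CODES = {
    0: "success",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _encode_string(value: bytes) -> bytes:
    """MQTT string field: 2-byte big-endian length prefix followed by the bytes."""
    return struct.pack("!H", len(value)) + value


def _encode_remaining_length(length: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, MSB set means 'more follows'."""
    out = bytearray()
    while True:
        byte = length % 128
        length //= 128
        if length:
            byte |= 0x80
        out.append(byte)
        if not length:
            return bytes(out)


def build_connect(client_id: bytes, username: Optional[bytes] = None,
                  password: Optional[bytes] = None, keep_alive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (clean session, no will).

    username=None / password=None omit the fields and their flags entirely,
    which is what mosquitto_sub does when run without -u/-P (the rejected
    connect in the first log). Passing b"thisisabug"/b"ithink" reproduces the
    accepted connect in the second log.
    """
    flags = 0x02  # clean session
    payload = _encode_string(client_id)
    if username is not None:
        flags |= 0x80  # user name flag
        payload += _encode_string(username)
    if password is not None:
        flags |= 0x40  # password flag
        payload += _encode_string(password)
    variable_header = (_encode_string(b"MQTT")
                       + bytes([4])       # protocol level 4 = MQTT 3.1.1
                       + bytes([flags])
                       + struct.pack("!H", keep_alive))
    body = variable_header + payload
    return b"\x10" + _encode_remaining_length(len(body)) + body  # 0x10 = CONNECT


def parse_connack(packet: bytes) -> Dict[str, object]:
    """Decode a CONNACK into its session-present flag and named return code."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 2:
        raise ValueError("not a valid MQTT 3.1.1 CONNACK: %r" % (packet,))
    code = packet[3]
    return {
        "session_present": bool(packet[2] & 0x01),
        "code": code,
        "reason": CONNACK_CODES.get(code, "reserved"),
    }


def probe(host: str, port: int = 1883, timeout: float = 5.0) -> Dict[str, Dict[str, object]]:
    """Send both CONNECT variants to a live broker and return each decoded CONNACK.

    Network helper for real use against e.g. the 10.100.10.109:1883 listener
    in the reporter's config; the offline checks below exercise the codec only.
    """
    variants = (
        ("no_credentials", build_connect(b"probe-anon")),
        ("fake_credentials", build_connect(b"probe-fake", b"thisisabug", b"ithink")),
    )
    results = {}
    for label, packet in variants:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(packet)
            results[label] = parse_connack(sock.recv(4))
    return results


# Constructed CONNACK bytes matching the two outcomes logged in this issue.
CONNACK_NOT_AUTHORIZED = bytes([0x20, 0x02, 0x00, 0x05])
CONNACK_SUCCESS = bytes([0x20, 0x02, 0x00, 0x00])

if __name__ == "__main__":
    for name, raw in (("no credentials", CONNACK_NOT_AUTHORIZED),
                      ("fake credentials", CONNACK_SUCCESS)):
        print(name, "->", parse_connack(raw)["reason"])
```

On an affected broker `probe()` returns `not authorized` for `no_credentials` and `success` for `fake_credentials`; a broker with the fix should accept both when `anonymous` is the only configured auth method. The check is useful because `mosquitto_sub` only prints the CONNACK as a generic "not authorised" error, while the raw return code is what the server actually sent.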
Should be fixed by commit 1a6baf223c6b0b17a8d0492b7c22cf39fd1fcccc.