processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

MQTT Connection refused #3988

Closed jcummings2 closed 1 year ago

jcummings2 commented 1 year ago

Before creating a ticket, please consider if this should fit the discussion forum better: https://github.com/processone/ejabberd/discussions

Environment

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

```yaml
loglevel: info
log_rotate_count: 0

hosts:
  - localhost

certfiles:
  - "/etc/ejabberd/ejabberd.pem"

define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  'TLS_OPTIONS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"

c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
    protocol_options: 'TLS_OPTIONS'
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
    protocol_options: 'TLS_OPTIONS'
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    protocol_options: 'TLS_OPTIONS'
    request_handlers:
      /api: mod_http_api
      /bosh: mod_bosh
      /ws: ejabberd_http_ws
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    protocol_options: 'TLS_OPTIONS'
    request_handlers:
      /admin: ejabberd_web_admin
      /.well-known/acme-challenge: ejabberd_acme
  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
  -
    port: 1883
    ip: "::"
    module: mod_mqtt
    backlog: 1000

disable_sasl_mechanisms:
  - "digest-md5"
  - "X-OAUTH2"

s2s_use_starttls: required
auth_password_format: scram

acl:
  admin:
    user: "admin1@localhost"
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number

shaper:
  normal:
    rate: 3000
    burst_size: 20000
  fast: 200000

shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    5000: admin
    100: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast

modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco: {}
  mod_fail2ban: {}
  mod_http_api: {}
  mod_last: {}
  mod_mqtt: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      mam: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_pres_counter:
    count: 5
    interval: 60
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - flat
      - pep
    force_node_config:
      "eu.siacs.conversations.axolotl.*":
        access_model: open
      storage:bookmarks:
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_roster:
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_sic: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_stun_disco: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_version: {}
```

Errors from error.log/crash.log

None in error.log but ejabberd.log has:

```
2023-02-09 10:22:39.136772-06:00 [info] <0.415.0>@ejabberd_listener:accept/7:273 (<0.587.0>) Accepted connection [::1]:35750 -> [::1]:1883
2023-02-09 10:22:39.138578-06:00 [warning] <0.587.0>@mod_mqtt_session:log_disconnection/2:1362 Rejected MQTT connection from ::1: Authentication failed: Not authorized
```

Bug description

Following the installation instructions and the MQTT Guide, I cannot connect to the MQTT server. Calling

```
mosquitto_sub -u user1@localhost -P Pass -t "test/1" -d -v
```

on the Raspberry Pi itself gives the output:

```
Client (null) sending CONNECT
Client (null) received CONNACK (5)
Connection error: Connection Refused: not authorised.
Client (null) sending DISCONNECT
```

I saw issue #3593 but no suggestion there helped. I also do not really want anonymous authentication.

prefiks commented 1 year ago

But you have user1@localhost registered with password Pass? I just tested this with a recent version and it just worked as long as I provided the correct user/pass.

jcummings2 commented 1 year ago

> But you have user1@localhost registered with password Pass? I just tested this with a recent version and it just worked as long as I provided the correct user/pass.

Yes, I added the user with:

```
ejabberdctl register user1 localhost Pass
```

as instructed in the MQTT guide.

prefiks commented 1 year ago

Could you try setting ejabberd logging to debug level and see what it logs when you try that again? (You can do it by calling `ejabberdctl set_loglevel debug`, and you can switch it back with `ejabberdctl set_loglevel info`.)

jcummings2 commented 1 year ago

> Could you try setting ejabberd logging to debug level and see what it logs when you try that again? (You can do it by calling `ejabberdctl set_loglevel debug`, and you can switch it back with `ejabberdctl set_loglevel info`.)

Certainly, the relevant lines in ejabberd.log are:

```
2023-02-10 06:10:11.619060-06:00 [info] <0.415.0>@ejabberd_listener:accept/7:273 (<0.1587.0>) Accepted connection [::1]:35284 -> [::1]:1883
2023-02-10 06:10:11.620399-06:00 [debug] <0.1587.0>@mod_mqtt_session:handle_info/2:240 Got MQTT packet:
#connect{proto_level = 4,will = undefined,clean_start = true,keep_alive = 60,
         client_id = <<>>,username = <<"user1@localhost">>,
         password = <<"Pass">>,will_properties = #{},properties = #{}}
2023-02-10 06:10:11.622841-06:00 [warning] <0.1587.0>@mod_mqtt_session:log_disconnection/2:1362 Rejected MQTT connection from ::1: Authentication failed: Not authorized
2023-02-10 06:10:11.623688-06:00 [debug] <0.1587.0>@mod_mqtt_session:do_send/2:871 Send MQTT packet:
#connack{session_present = false,code = 'not-authorized',properties = #{}}
```

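
The log lines quoted in the comment above, as an added example that is not part of the original thread or of ejabberd's code: a Python parser for the `ejabberd.log` format shown in this issue that counts rejected MQTT connections per source address and masks the CONNECT password that debug-level logging writes to the log. The sample is constructed from the lines in this issue plus one assumed rejection from 192.0.2.7, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines from this issue plus one assumed rejection from 192.0.2.7.
SAMPLE_LOG = '''\
2023-02-10 06:10:11.619060-06:00 [info] <0.415.0>@ejabberd_listener:accept/7:273 (<0.1587.0>) Accepted connection [::1]:35284 -> [::1]:1883
2023-02-10 06:10:11.620399-06:00 [debug] <0.1587.0>@mod_mqtt_session:handle_info/2:240 Got MQTT packet:
#connect{proto_level = 4,will = undefined,clean_start = true,keep_alive = 60,
         client_id = <<>>,username = <<"user1@localhost">>,
         password = <<"Pass">>,will_properties = #{},properties = #{}}
2023-02-10 06:10:11.622841-06:00 [warning] <0.1587.0>@mod_mqtt_session:log_disconnection/2:1362 Rejected MQTT connection from ::1: Authentication failed: Not authorized
2023-02-10 06:10:12.101200-06:00 [warning] <0.1590.0>@mod_mqtt_session:log_disconnection/2:1362 Rejected MQTT connection from 192.0.2.7: Authentication failed: Not authorized
'''

HEADER = re.compile(r'^(\d{4}-\d\d-\d\d \S+) \[(\w+)\] (<[\d.]+>)@([\w:/]+) (.*)$')
REJECT = re.compile(r'Rejected MQTT connection from (\S+): (.*)')
USERNAME = re.compile(r'username = <<"([^"]*)">>')
PASSWORD = re.compile(r'(password = <<")(?:[^"\\]|\\.)*(">>)')

def parse(log):
    """Group lines into records; lines without a timestamp header continue the previous record."""
    records = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(dict(zip(("ts", "level", "pid", "where", "msg"), m.groups())))
        elif records:
            records[-1]["msg"] += "\n" + line
    return records

def rejected_logins(records):
    """Count rejections per source; attach the username logged by the same session pid, if any."""
    user_by_pid, per_source, events = {}, Counter(), []
    for r in records:
        u = USERNAME.search(r["msg"])
        if u:
            user_by_pid[r["pid"]] = u.group(1)
        m = REJECT.search(r["msg"])
        if m:
            per_source[m.group(1)] += 1
            events.append((r["ts"], m.group(1), user_by_pid.get(r["pid"]), m.group(2)))
    return per_source, events

def redact_passwords(log):
    """Mask CONNECT passwords written by debug logging; returns (clean_text, count)."""
    return PASSWORD.subn(r'\1[REDACTED]\2', log)

if __name__ == "__main__":
    print(rejected_logins(parse(SAMPLE_LOG)), redact_passwords(SAMPLE_LOG)[1])
```

Erlang prints a binary containing non-printable bytes as a list of integers, which `PASSWORD` does not match, so treat any debug-level capture of `#connect{...}` as containing credentials.
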
prefiks commented 1 year ago

Could you also execute `ejabberdctl check_password user1 localhost Pass; echo $?`

jcummings2 commented 1 year ago

> Could you also execute `ejabberdctl check_password user1 localhost Pass; echo $?`

Yes. I also ran it with the wrong password to give further evidence the correct password is being used:

```
# ejabberdctl check_password user1 localhost Pass; echo $?
0
# ejabberdctl check_password user1 localhost Pass2; echo $?
Error: false
1
```

prefiks commented 1 year ago

Strange stuff. One more thing: could you start the debug console (with `ejabberdctl debug`), type `ejabberd_auth:check_password_with_authmodule(<<"user1">>, <<>>, <<"localhost">>, <<"Pass">>).` in it and see what it returns? You can close the console after that with ctrl+c twice.

jcummings2 commented 1 year ago

> Strange stuff. One more thing: could you start the debug console (with `ejabberdctl debug`), type `ejabberd_auth:check_password_with_authmodule(<<"user1">>, <<>>, <<"localhost">>, <<"Pass">>).` in it and see what it returns? You can close the console after that with ctrl+c twice.

Yes

```
Erlang/OTP 23 [erts-11.1.8] [source] [smp:4:4] [ds:4:4:10] [async-threads:1]

Eshell V11.1.8  (abort with ^G)
(ejabberd@localhost)1> ejabberd_auth:check_password_with_authmodule(<<"user1">>, <<>>, <<"localhost">>, <<"Pass">>).
{true,ejabberd_auth_mnesia}
```

prefiks commented 1 year ago

I really don't know what's happening here then; this is pretty much the code that MQTT calls to authenticate a user. I tested that with a bit newer version, but I don't think there is anything in it that should affect it...