Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Empty password file authenticates all clients #1545
I have found that if I specify an empty password file in my configuration file, all username-password pairs connect successfully to the broker.
I'm using the fixes branch of mosquitto, tagged v1.6.8
password.txt exists, but is empty.
I can send and received messages with the mosquitto_sub and mosquitto_pub clients using any username password combination (including empty strings, but not anonymous clients), whereas I expected that every connection would be refused as unauthorised, based on the mosquitto.conf manpage
I haven't been able to find any mention in the docs or discussions that this behaviour is by design. I've also had a look for similar issues it the github repo, but didn't find anything. Apologies ahead of time if I've missed something or this is a duplicate.