Anonymous logins removed from Mosquitto Add-on #2623

Closed
DCSBL opened this issue Aug 21, 2022 · 20 comments

@DCSBL
Contributor

DCSBL commented Aug 21, 2022

Describe the issue you are experiencing

I have some Wi-Fi devices that can connect to an MQTT broker, but they do not provide a way to set a username/password, nor do they have one. Because of this I get this error:

1661075134: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075134: Client <unknown> closed its connection.
error: received null username or password for unpwd check

After looking around a bit, I saw that this PR removed support for anonymous logins, why?

Why can't we just add the allow_anonymous true config in the customise part? Or is it not as easy as it seems?

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Mosquitto broker

What is the version of the add-on?

6.1.2

Steps to reproduce the issue

  1. Rewrote a DNS record so the device tries to make a connection to the Mosquitto add-on
  2. Saw that the device was able to connect
  3. Saw that the device was not able to authenticate, connection was disconnected.

logins: []
require_certificate: false
certfile: fullchain.pem
keyfile: privkey.pem
customize:
  active: true
  folder: mosquitto

# acl.conf
allow_anonymous true
acl_file /share/mosquitto/accesscontrollist

# accesscontrollist
topic readwrite #

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

...
1661075508: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075508: Client <unknown> closed its connection.
error: received null username or password for unpwd check
1661075524: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075524: Client <unknown> closed its connection.
1661075528: New connection from 172.30.32.2:39318 on port 1883.
1661075528: Client <unknown> closed its connection.
error: received null username or password for unpwd check
1661075540: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075540: Client <unknown> closed its connection.
error: received null username or password for unpwd check
1661075556: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075556: Client <unknown> closed its connection.
error: received null username or password for unpwd check
...

Additional information

No response
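
A way to triage the add-on log lines quoted in the opening post, as an added example that is not part of the original issue or the add-on's code. It assumes Mosquitto's log format with epoch timestamps as shown in the post; the function name `triage` is hypothetical. The second number in `(0, 5)` is the MQTT 3.1.1 CONNACK return code, and 5 means the broker refused the connection as not authorized.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# MQTT 3.1/3.1.1 CONNACK return codes: the second number in Mosquitto's "(x, y)".
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}
# "client" is the client id when the broker knows it, otherwise the peer address.
CONNACK_RE = re.compile(
    r"^(?P<ts>\d+): Sending CONNACK to (?P<client>\S+) \((?P<ack>\d+), (?P<rc>\d+)\)$")
NULL_CRED = "error: received null username or password for unpwd check"

# Log excerpt copied from the add-on log in the opening post.
SAMPLE = """\
1661075508: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075508: Client <unknown> closed its connection.
error: received null username or password for unpwd check
1661075524: Sending CONNACK to ::ffff:192.168.5.152 (0, 5)
1661075524: Client <unknown> closed its connection.
1661075528: New connection from 172.30.32.2:39318 on port 1883.
1661075528: Client <unknown> closed its connection.
error: received null username or password for unpwd check
"""


def triage(log_text):
    """Return (refused CONNACKs grouped by client, count of null-credential errors)."""
    refused, null_cred_errors = {}, 0
    for line in map(str.strip, log_text.splitlines()):
        if line == NULL_CRED:
            null_cred_errors += 1
            continue
        m = CONNACK_RE.match(line)
        if not m or int(m["rc"]) == 0:  # not a CONNACK line, or an accepted one
            continue
        ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        e = refused.setdefault(m["client"], {"count": 0, "reasons": Counter(), "first": ts, "last": ts})
        e["count"] += 1
        e["reasons"][CONNACK_CODES.get(int(m["rc"]), "code " + m["rc"])] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return refused, null_cred_errors


if __name__ == "__main__":
    refused, null_errors = triage(SAMPLE)
    for client, e in refused.items():
        print(client, e["count"], dict(e["reasons"]), e["first"].isoformat(), e["last"].isoformat())
    print("null-credential errors:", null_errors)
```

A client that reappears every few seconds with the same refusal, as here, is a device retrying without credentials rather than a one-off misconfiguration.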

@mdegat01
Contributor

Support for anonymous logins was removed as it is a bad security practice. This is the same reason mosquitto itself went from defaulting to allowing anonymous logins to defaulting to not allowing them. That was also when the addon made the change.

If you really need them you will have to set up your own broker. This addon won't work for you.

@DCSBL
Contributor Author

DCSBL commented Aug 22, 2022

Why is it enforced by this add-on and not configurable?

@doug62

doug62 commented Dec 31, 2022

Thanks for clarifying - since Anonymous is officially removed I can now stop wasting my time on this and use a different broker, very unfortunate.

@atamgp

atamgp commented Mar 2, 2023

christ!

I spent a week trying to make this work.
@mdegat01 If you choose to do this, also state it in the addon documentation?
Now you only refer to the man page making everyone assume all features are supported....

@atamgp

atamgp commented Mar 2, 2023

@DCSBL has a good point.... it's up to the user

@DCSBL
Contributor Author

DCSBL commented Mar 2, 2023

@atamgp easy... you are talking to volunteers. Open a PR to change the documentation yourself if you have issues.

Anyway, I was able to fix my situation with the use of the (quite new) EMQX addon. This broker is highly configurable. https://github.com/hassio-addons/addon-emqx

@atamgp

atamgp commented Mar 2, 2023

You're right, I did not mean it offensively :)
will take a look at emqx, thanks for the suggestion.

@s0170071

Has this been fixed? I really love anonymous for my home IoT.

@nickm324

> Has this been fixed? I really love anonymous for my home IoT.

It's not broken, they removed anonymous on purpose.

@Write

Write commented Oct 20, 2023

> @atamgp easy... you are talking to volunteers. Open a PR to change the documentation yourself if you have issues.
>
> Anyway, I was able to fix my situation with the use of the (quite new) EMQX addon. This broker is highly configurable. https://github.com/hassio-addons/addon-emqx

Hi, did you find a way to use a certificate? I need it for meross_lan support: https://github.com/bytespider/Meross/wiki/MQTT

@dturner

dturner commented Apr 28, 2024

There is one perfectly legitimate use case for anonymous logins: debugging.

Removing this feature just makes it more difficult to debug MQTT issues.

@DCSBL
Contributor Author

DCSBL commented Apr 28, 2024

Use EMQX, you can do the same and have full control over all your settings.

@mrmiles156

How is this done in EMQX? Is it something to do with the ACL file?

@dturner

dturner commented Apr 29, 2024

> Use EMQX, you can do the same and have full control over all your settings.

Yeah, I actually ended up just using DietPi/Mosquitto directly. My point was that disabling anonymous logins is, in my opinion, a fairly arrogant decision which is likely to drive people away from Home Assistant. If anonymous logins were such an enormous security issue then it should be up to the Mosquitto authors to disable it, not Home Assistant.

@SomeFixItDude

The library I use on my MCU doesn't support anything but anonymous. This should be an option, please reconsider.

@kerryland

> > Use EMQX, you can do the same and have full control over all your settings.
>
> Yeah, I actually ended up just using DietPi/Mosquitto directly. My point was that disabling anonymous logins is, in my opinion, a fairly arrogant decision which is likely to drive people away from Home Assistant. If anonymous logins were such an enormous security issue then it should be up to the Mosquitto authors to disable it, not Home Assistant.

Absolutely an arrogant decision, but that's not unusual.

My favourite part is that the alternative broker, EMQX, which allows for unauthorised clients, is provided by the same developer who removed unauthorised clients from the Mosquitto addon.

Fingers crossed he doesn't do the same to EMQX addon!

@badbl0cks
Contributor

> There is one perfectly legitimate use case for anonymous logins: debugging.
>
> Removing this feature just makes it more difficult to debug MQTT issues.

Debugging is exactly what brought me here! Pulling my hair out wondering why anonymous access wasn't working until I found this issue.

Very unfortunate to have this option (allow_anonymous true) force-disabled when it's already not the default, and modifying Mosquitto to silently ignore any configuration to modify this behavior. Doubly unfortunate to not have it documented at all in the addon's documentation after multiple people confess to wasting time unnecessarily; I will try to submit a quick PR for that once I have time.

Guess my only alternative is to migrate to EMQX, but I hear Mosquitto is more stable, so guess I will migrate back after I am done debugging.

@kerryland

> Guess my only alternative is to migrate to EMQX, but I hear Mosquitto is more stable, so guess I will migrate back after I am done debugging.

The switch to EMQX was utterly painless. I've had no problems at all with it.

@antst

antst commented Oct 22, 2024

It is still ridiculous, from my point of view. Proper security practice would be to disable anonymous by default but still provide an option to enable it, like Mosquitto does.
Otherwise it is kind of a strange situation, where, despite the fact that Mosquitto fits the bill perfectly, I need to either install EMQX, or install a broker somewhere else, killing the whole concept of the HAOS approach. Or maintain my own version of the add-on...

@DCSBL
Contributor Author

DCSBL commented Oct 23, 2024

Can we end this discussion, please?

https://boyter.org/posts/the-three-f-s-of-open-source/
