[mosquitto-dev] RFC: add listener_allow_anonymous
> In order to have authenticated access to my MQTT box from outside,
> I set allow_anonymous to 1. This does have the side effect that
> my local programs also need a 'dummy' username+password to authenticate.
> This dummy username+password is then usable from outside also.
>
> I addressed this by adding the patch below. It allows MQTT to be
> configured to allow anonymous connections from localhost, and
> authenticated connections from outside.
Today, I solved my issue differently by adding a 'listener_allow_anonymous'
config option. This is easier to add and the backward compatibility is simpler.
Since I typically use a TLS-enabled port for outside access and a
non-TLS port for local use, this fits my problem as well.
Is this a valuable thing to do? Is it right?
How else should I address my problem?
What do you think?
Kurt
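The split the message describes (anonymous access only on a local, non-TLS listener; authenticated access on a TLS listener) written out as a mosquitto.conf that uses the proposed listener_allow_anonymous option. This is an added example, not a configuration from the original post; the certificate and password-file paths are placeholders.

```conf
# Global default: anonymous connections are refused unless a listener
# re-enables them with the proposed (per-listener) listener_allow_anonymous.
# With the patch, anonymous access is permitted when EITHER the global
# allow_anonymous OR the listener's option is true.
allow_anonymous false

# Placeholder path; any file in mosquitto_passwd format.
password_file /etc/mosquitto/passwd

# Local-only listener. The bind address is what keeps the anonymous
# exception off the network: without 127.0.0.1 this listener would accept
# anonymous clients from any interface.
listener 1883 127.0.0.1
listener_allow_anonymous true

# External listener: TLS, authenticated only. The option defaults to
# false, so the last line is explicit rather than required.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
listener_allow_anonymous false
```

Because the per-listener option can only add anonymous access on top of the global setting, leaving the global allow_anonymous at false is what makes the external listener authenticated-only.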
--
commit 2abb81d1ff801a8ada53df0f4b635914aa384718
Author: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue Jun 6 13:01:09 2017
listener_allow_anonymous
This commit introduces a (per-listener) listener_allow_anonymous
option that controls what to do with anonymous connections.
For backward compatibility, this option is prefixed with 'listener_'
and the global 'allow_anonymous' is still in use, i.e. anonymous
connections are allowed if any of allow_anonymous and
listener_allow_anonymous are true.
Signed-off-by: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index e27fb58..dc13090 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -644,6 +644,18 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><option>listener_allow_anonymous</option> [ true | false ]</term>
+ <listitem>
+ <para>Boolean value that determines whether clients that
+ connect without providing a username are allowed to
+ connect. If set to <replaceable>false</replaceable>
+ then another means of connection should be created to
+ control authenticated client access. Defaults to
+ <replaceable>false</replaceable>.</para>
+ <para>Reloaded on reload signal.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>max_connections</option> <replaceable>count</replaceable></term>
<listitem>
<para>Limit the total number of clients connected for
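Review bot: the new <para> documents the option in isolation, but the commit message states that anonymous connections are allowed if either the global allow_anonymous or listener_allow_anonymous is true; the man page should say so explicitly, since a reader setting this to false on one listener could assume it disables anonymous access there while the global option still permits it. The sentence "another means of connection should be created to control authenticated client access" reads as carried over from the global allow_anonymous entry and does not fit a per-listener option; consider replacing it with a note that the option applies to the listener it follows and can only widen, never restrict, the global setting.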
diff --git a/src/conf.c b/src/conf.c
index 6edd705..efaeeec 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -1206,6 +1206,8 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty listener value in configuration.");
return MOSQ_ERR_INVAL;
}
+ }else if(!strcmp(token, "listener_allow_anonymous")){
+ if(_conf_parse_bool(&token, token, &cur_listener->allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;
}else if(!strcmp(token, "local_clientid")){
#ifdef WITH_BRIDGE
if(reload) continue; // FIXME
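Review bot: the new branch dereferences `cur_listener->allow_anonymous` without checking that a `listener` directive has already set `cur_listener`; if listener_allow_anonymous appears before any `listener` line, behaviour depends on whatever `cur_listener` points to at that moment, so either guard it or document that the option must follow a `listener` directive. The man page hunk also states "Reloaded on reload signal" while the neighbouring `local_clientid` branch skips on reload with `if(reload) continue; // FIXME`; confirm that this option is actually re-read on reload so the documentation matches.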
diff --git a/src/mosquitto_broker.h b/src/mosquitto_broker.h
index 8d19790..982603d 100644
--- a/src/mosquitto_broker.h
+++ b/src/mosquitto_broker.h
@@ -79,6 +79,7 @@ struct _mqtt3_listener {
int client_count;
enum mosquitto_protocol protocol;
bool use_username_as_clientid;
+ bool allow_anonymous;
#ifdef WITH_TLS
char *cafile;
char *capath;
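Review bot: the patch adds `bool allow_anonymous` to struct _mqtt3_listener but contains no hunk that initialises it, so the documented default of false relies on the listener struct being zero-initialised where it is allocated; set it explicitly alongside the other listener defaults, or state in the commit message why zero-initialisation is guaranteed. A one-line comment on the field would also help, since it shares its name with the global config field and the two combine by OR.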
diff --git a/src/read_handle_server.c b/src/read_handle_server.c
index 2b9c8f5..a1d7903 100644
--- a/src/read_handle_server.c
+++ b/src/read_handle_server.c
@@ -399,7 +399,7 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
password = NULL;
}
- if(!username_flag && db->config->allow_anonymous == false){
+ if(!username_flag && db->config->allow_anonymous == false && !context->listener->allow_anonymous){
_mosquitto_send_connack(context, 0, CONNACK_REFUSED_NOT_AUTHORIZED);
rc = 1;
goto handle_connect_error;
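Review bot: the condition `db->config->allow_anonymous == false && !context->listener->allow_anonymous` is the effective anonymous policy, and the same combination is repeated in security_default.c; pulling it into one small helper keeps the two call sites from drifting apart if the policy changes. Within the line, `== false` and `!` are mixed; use one form. It is also worth confirming that `context->listener` is set on every path that reaches mqtt3_handle_connect, since the new term dereferences it unconditionally.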
diff --git a/src/security_default.c b/src/security_default.c
index a1d3ec1..d989db7 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -714,7 +714,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
/* Check for anonymous clients when allow_anonymous is false */
- if(!allow_anonymous && !context->username){
+ if(!allow_anonymous && !context->username && !context->listener->allow_anonymous){
context->state = mosq_cs_disconnecting;
do_disconnect(db, context);
continue;
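Review bot: this repeats the combined check from read_handle_server.c, here with the local `allow_anonymous` instead of `db->config->allow_anonymous`; a shared helper would keep the two consistent. The change does have a useful consequence worth stating in the commit message: if a listener's option is switched off and the configuration is reloaded, anonymous clients already connected on that listener are disconnected here, which is the behaviour the "Reloaded on reload signal" line in the man page promises, provided conf.c actually re-reads the option on reload.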