[mosquitto-dev] RFC: add listener_allow_anonymous

> In order to have authenticated access to my MQTT box from outside,
> I set allow_anonymous to 1. This does have the side effect that
> my local programs also need a 'dummy' username+password to authenticate.
> This dummy username+password is then usable from outside also.
> 
> I addressed this by adding the patch below. It allows MQTT to be
> configured to allow anonymous connections from localhost, and
> authenticated connections from outside.

Today, I solved my issue differently by adding a 'listener_allow_anonymous'
config option. This is easier to add and the backward compatibility is simpler.

Since I typically use a TLS-enabled port for outside access and a
non-TLS port for local use, this fits my problem as well.

Is this a valuable thing to do? Is it right?
How else should I address my problem?
What do you think?

Kurt
--

commit 2abb81d1ff801a8ada53df0f4b635914aa384718
Author: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>
Date:   Tue Jun 6 13:01:09 2017

    listener_allow_anonymous
    
    This commit introduces a (per-listener) listener_allow_anonymous
    option that controls what to do with anonymous connections.
    For backward compatibility, this option is prefixed with 'listener_'
    and the global 'allow_anonymous' is still in use, i.e. anonymous
    connections are allowed if any of allow_anonymous and
    listener_allow_anonymous are true.
    
    Signed-off-by: Kurt Van Dijck <dev.kurt@xxxxxxxxxxxxxxxxxxxxxx>

diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index e27fb58..dc13090 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -644,6 +644,18 @@
 					</listitem>
 				</varlistentry>
 				<varlistentry>
+					<term><option>listener_allow_anonymous</option> [ true | false ]</term>
+					<listitem>
+						<para>Boolean value that determines whether clients that
+							connect without providing a username are allowed to
+							connect. If set to <replaceable>false</replaceable>
+							then another means of connection should be created to
+							control authenticated client access.  Defaults to
+							<replaceable>false</replaceable>.</para>
+						<para>Reloaded on reload signal.</para>
+					</listitem>
+				</varlistentry>
+				<varlistentry>
 					<term><option>max_connections</option> <replaceable>count</replaceable></term>
 					<listitem>
 						<para>Limit the total number of clients connected for
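Review bot: the new `<para>` for `listener_allow_anonymous` does not say how it interacts with the global `allow_anonymous`; per the commit message, anonymous connections are accepted when either is true, so `false` on a listener does not block anonymous clients while the global option is `true`. State that explicitly (for instance "This option can only widen the global allow_anonymous setting, never restrict it"). The sentence "another means of connection should be created to control authenticated client access" reads as copied from the global option's wording and makes little sense per listener; drop or reword it. Also make sure "Reloaded on reload signal" matches what conf.c actually does for this option.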
diff --git a/src/conf.c b/src/conf.c
index 6edd705..efaeeec 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -1206,6 +1206,8 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
 						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty listener value in configuration.");
 						return MOSQ_ERR_INVAL;
 					}
+				}else if(!strcmp(token, "listener_allow_anonymous")){
+					if(_conf_parse_bool(&token, token, &cur_listener->allow_anonymous, saveptr)) return MOSQ_ERR_INVAL;
 				}else if(!strcmp(token, "local_clientid")){
 #ifdef WITH_BRIDGE
 					if(reload) continue; // FIXME
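Review bot: `_conf_parse_bool(&token, token, ...)` passes `token` both as the pointer that the parser advances and as the option name used in error messages, so the name argument aliases a variable that is overwritten inside the call. Passing the literal string `"listener_allow_anonymous"` as the name avoids depending on the tokenised buffer staying intact. Separately, the neighbouring `local_clientid` branch skips on reload (`if(reload) continue;`) while this branch does not; confirm that `cur_listener` points at a live listener during a reload, since the man page entry in this patch promises the value is reloaded.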
diff --git a/src/mosquitto_broker.h b/src/mosquitto_broker.h
index 8d19790..982603d 100644
--- a/src/mosquitto_broker.h
+++ b/src/mosquitto_broker.h
@@ -79,6 +79,7 @@ struct _mqtt3_listener {
 	int client_count;
 	enum mosquitto_protocol protocol;
 	bool use_username_as_clientid;
+	bool allow_anonymous;
 #ifdef WITH_TLS
 	char *cafile;
 	char *capath;
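Review bot: the new `allow_anonymous` member has no visible initialisation for listeners whose configuration never mentions the option; the man page entry says it defaults to `false`, so either rely on the listener structures being zero-initialised and say so in a comment, or set it explicitly where listener defaults are filled in. Because the member shares its name with the global `allow_anonymous`, a one-line comment stating that the two are OR-ed would also help future readers.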
diff --git a/src/read_handle_server.c b/src/read_handle_server.c
index 2b9c8f5..a1d7903 100644
--- a/src/read_handle_server.c
+++ b/src/read_handle_server.c
@@ -399,7 +399,7 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
 			password = NULL;
 		}
 
-		if(!username_flag && db->config->allow_anonymous == false){
+		if(!username_flag && db->config->allow_anonymous == false && !context->listener->allow_anonymous){
 			_mosquitto_send_connack(context, 0, CONNACK_REFUSED_NOT_AUTHORIZED);
 			rc = 1;
 			goto handle_connect_error;
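Review bot: the extended condition dereferences `context->listener` without a NULL check; if any context reaching `mqtt3_handle_connect` can lack a listener, an anonymous CONNECT would crash the broker. Either document the invariant that every incoming context has a listener or guard with `context->listener &&`. Note also that when `db->config->allow_anonymous` is true the per-listener flag is never consulted, so a listener-level `false` cannot tighten the global setting; that matches the commit message, but a short comment here would make the intent clear at the point of enforcement.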
diff --git a/src/security_default.c b/src/security_default.c
index a1d3ec1..d989db7 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -714,7 +714,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
 	
 	HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
 		/* Check for anonymous clients when allow_anonymous is false */
-		if(!allow_anonymous && !context->username){
+		if(!allow_anonymous && !context->username && !context->listener->allow_anonymous){
 			context->state = mosq_cs_disconnecting;
 			do_disconnect(db, context);
 			continue;
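Review bot: the same `context->listener` dereference concern applies here and is more pressing: `HASH_ITER` walks every entry in `contexts_by_id`, so if any context in that table (an outgoing bridge connection, for instance) has no listener, a reload would hit a NULL dereference. Guard with `context->listener &&`. The condition is now duplicated between this reload path and the CONNECT path in read_handle_server.c; a small helper such as `listener_allows_anonymous(db, context)` would keep the two from drifting apart.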

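The following is an added example configuration, not from the post or from the mosquitto project, showing how the proposed option would realise the split described in the message: anonymous access only on a loopback-bound plain listener, mandatory authentication on the TLS listener. It assumes the `listener_allow_anonymous` syntax introduced by the patch above (which exists only in this RFC), and all file paths are placeholders.

```conf
# Added example (not from the post or the mosquitto project).
# Assumes the proposed listener_allow_anonymous option from the patch above.
# All paths are placeholders.

# Global default: refuse anonymous clients everywhere unless a listener
# opts in. Keeping this false is what makes the per-listener flag
# meaningful, because the patch ORs the two values: a global
# "allow_anonymous true" would expose anonymous access on every listener,
# including the TLS one, regardless of the per-listener setting.
allow_anonymous false
password_file /etc/mosquitto/passwd

# Listener 1: plain MQTT bound to loopback only, for local programs.
# No credentials required, but only reachable from this host.
listener 1883 127.0.0.1
listener_allow_anonymous true

# Listener 2: TLS on all interfaces for outside access. It inherits the
# global allow_anonymous false, so every remote client must authenticate
# against password_file.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
listener_allow_anonymous false
```

The check a practitioner would want after deploying this is an anonymous CONNECT against port 8883 from a remote host, which must be refused with CONNACK "not authorized", while the same anonymous CONNECT against 127.0.0.1:1883 succeeds. Because the patch only widens the global setting, the global `allow_anonymous false` line is the part that actually protects the external listener.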
