Mosquitto MQTT - how to stop mosquitto_sub from subscribing to everything at will


Shrouk Khan

Dec 12, 2016, 5:59:21 AM
to MQTT
Hi guys,
I am trying to build an MQTT system based on mosquitto. I am using certificate-based authentication. However, it seems like anyone who is authenticated can subscribe to anything.

for example:

 mosquitto_sub --cafile /etc/mosquitto/ca.crt --cert /etc/mosquitto/client2.crt --key /etc/mosquitto/client2.key -h ubuntu -p 1883 -t '#' -v 

I am trying to stop this.
It seems mosquitto_auth_acl_check from mosquitto_plugin.h is not called when mosquitto_sub tries to subscribe.

I went through mosquitto.conf and didn't find anything specific to stop this behavior (the ACL file seems not to be used when certificate-based authentication is used). Is there anything I can do to stop someone from subscribing to a topic while using the certificate?


Karl Palsson

Dec 12, 2016, 6:17:13 AM
to mq...@googlegroups.com

Being able to subscribe to # doesn't mean you'll get all
messages. You need to actually experiment with this.

If you use ACLs to only allow your clients access to
"somewhere/something/elsewhere" they can still _subscribe_ to "#",
but they'll only get what they're allowed.

If it helps, think of "#" not as "everything" but "everything
you're allowed access to"

Sincerely,
Karl Palsson

Shrouk Khan

Dec 12, 2016, 6:57:40 AM
to MQTT
Hi Karl,
Thank you for the reply. Unfortunately, mosquitto_sub subscribing to # is indeed able to see everything. For example:

mosquitto_sub --cafile /etc/mosquitto/ca.crt --cert /etc/mosquitto/client2.crt --key /etc/mosquitto/client2.key -h ubuntu -p 1883 -t '#' -v 
c/2/b/3/p/3/rt/13/r/490 32


Here the line `c/2/b/3/p/3/rt/13/r/490 32` is coming from a client publish (mosquitto_pub --cafile /etc/mosquitto/ca.crt --cert /etc/mosquitto/client.crt --key /etc/mosquitto/client.key -h ubuntu -p 1883 -t c/2/b/3/p/3/rt/13/r/xxxx -m 32 -q 1).

So, my problem still stands. How do I stop someone listening at `#`? I feel like there is something very obvious in mosquitto.conf that I am missing.

khan

Karl Palsson

Dec 12, 2016, 9:02:06 AM
to mq...@googlegroups.com

Shrouk Khan <shrou...@gmail.com> wrote:
> Hi karl,
> thankyou for the reply. unfortunately, it is mosquitto_sub
> subcribing at # is indeed able to see everything. for example:
>
> mosquitto_sub --cafile /etc/mosquitto/ca.crt --cert
> /etc/mosquitto/client2.crt --key /etc/mosquitto/client2.key -h
> ubuntu -p 1883 -t '#' -v c/2/b/3/p/3/rt/13/r/490 32


Then you haven't actually implemented ACLs yet.

Cheers,
Karl P
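Added example, not part of the thread and not Mosquitto's own code: a small Python model of how a Mosquitto ACL file filters a `#` subscription, which is the behaviour Karl describes in his first reply and the configuration his second reply says is missing. The model assumes mosquitto.conf enables `use_identity_as_username true` (so the client certificate's CN becomes the username the ACL file is matched against) together with `acl_file`, and it assumes client.crt and client2.crt carry CN=client and CN=client2. The server certificate names, the ACL rules and the published traffic are constructed for the example; the `deny` access type is not modelled.

```python
"""Model of how a Mosquitto ACL file filters a '#' subscription.

Added example, not code from the thread or from the Mosquitto project.
It assumes mosquitto.conf contains (server.crt/server.key names assumed):

    listener 1883
    cafile   /etc/mosquitto/ca.crt
    certfile /etc/mosquitto/server.crt
    keyfile  /etc/mosquitto/server.key
    require_certificate true
    use_identity_as_username true     # client cert CN becomes the username
    allow_anonymous false
    acl_file /etc/mosquitto/aclfile

and that client.crt / client2.crt carry CN=client / CN=client2 (assumption).
"""

# Constructed ACL file in Mosquitto's acl_file syntax (not from the thread).
ACL_FILE = """\
# publisher: may only write under c/
user client
topic write c/#

# subscriber: may only read the c/2/ subtree
user client2
topic read c/2/#
"""


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' is one level, '#' the trailing levels.
    Filters that start with a wildcard never match $-prefixed topics."""
    if topic.startswith("$") and sub[:1] in ("#", "+"):
        return False
    s_parts, t_parts = sub.split("/"), topic.split("/")
    for i, s in enumerate(s_parts):
        if s == "#":
            return i == len(s_parts) - 1       # '#' is only valid as the last level
        if i >= len(t_parts) or (s != "+" and s != t_parts[i]):
            return False
    return len(s_parts) == len(t_parts)


def parse_acl(text: str) -> dict:
    """Return {username: [(access, topic_filter), ...]}.
    Lines before the first 'user' line apply to anonymous clients (key None);
    'pattern' lines apply to every user after %u / %c substitution (key '*')."""
    acl = {None: [], "*": []}
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *rest = line.split()
        if kw == "user":
            user = rest[0]
            acl.setdefault(user, [])
        elif kw in ("topic", "pattern"):
            access, filt = ("readwrite", rest[0]) if len(rest) == 1 else (rest[0], rest[1])
            acl["*" if kw == "pattern" else user].append((access, filt))
        else:
            raise ValueError(f"unknown ACL keyword: {kw}")
    return acl


def acl_allows(acl: dict, username, clientid: str, topic: str, access: str) -> bool:
    """Does the ACL grant `access` ('read' or 'write') on one concrete topic?"""
    rules = list(acl.get(username, []))
    rules += [(a, f.replace("%u", username or "").replace("%c", clientid))
              for a, f in acl["*"]]
    return any(topic_matches(f, topic) and a in (access, "readwrite") for a, f in rules)


def delivered(acl: dict, username: str, clientid: str, subscription: str, topic: str) -> bool:
    """A message reaches a subscriber only if the subscription filter matches
    AND the ACL grants read on the message's actual topic. The subscribe to '#'
    itself succeeds; '#' just means 'everything you are allowed to read'."""
    return topic_matches(subscription, topic) and acl_allows(acl, username, clientid, topic, "read")


def demo():
    """Replay the thread's scenario: 'client' publishes, 'client2' listens on '#'."""
    acl = parse_acl(ACL_FILE)
    published = [                      # constructed traffic: (publisher CN, topic)
        ("client", "c/2/b/3/p/3/rt/13/r/490"),
        ("client", "c/1/b/3/p/3/rt/13/r/491"),
        ("client", "admin/cmd"),       # publisher has no write access here: rejected
    ]
    accepted = [(u, t) for u, t in published if acl_allows(acl, u, u, t, "write")]
    seen_by_client2 = [t for u, t in accepted if delivered(acl, "client2", "client2", "#", t)]
    return accepted, seen_by_client2


if __name__ == "__main__":
    acc, seen = demo()
    print("broker accepted    :", [t for _, t in acc])
    print("client2 sees via '#':", seen)
```

With the ACL above, client2's `mosquitto_sub -t '#'` from the thread still connects and subscribes, but only the `c/2/...` publication is delivered; the `c/1/...` one is silently dropped. To confirm against a real broker, run the thread's own mosquitto_sub command as client2 while publishing as client to both a `c/2/...` and a `c/1/...` topic.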