Empty password file authenticates all clients

[timothy-godfrey]

Hello!

I have found that if I specify an empty password file in my configuration file, all username-password pairs connect successfully to the broker.

I'm using the fixes branch of mosquitto, tagged v1.6.8

mosquitto.conf:

per_listener_settings true  

listener 9006
protocol mqtt
require_certificate false
password_file /etc/mosquitto/conf.d/password.txt
allow_anonymous false

password.txt exists, but is empty.

I can send and received messages with the mosquitto_sub and mosquitto_pub clients using any username password combination (including empty strings, but not anonymous clients), whereas I expected that every connection would be refused as unauthorised, based on the mosquitto.conf manpage

If allow_anonymous is set to false, only users defined in this file will be able to connect.

I haven't been able to find any mention in the docs or discussions that this behaviour is by design. I've also had a look for similar issues it the github repo, but didn't find anything. Apologies ahead of time if I've missed something or this is a duplicate.

Thanks!

[ralight]

This has always been implemented as "only carry out authentication checks if usernames are defined", but thinking about that is counter intuitive. I've just pushed a fix for that.

[ralight]

And I forgot to say - thanks for reporting this.

[timothy-godfrey]

Thanks for the quick update!

Quick tests show expected behaviour.