Clients won't connect with passwords generated from mosquitto_passwd when appending to existing password file

[saper-2]

Hello,

The problem:
I have problem with connecting clients that have passwords generated in 2.0.2 mosquitto version that have been appended to existing passwd file.

Description:
(I've been doing tests while writing this issue)
I have build mosquitto 2.0.2 from source (tar.gz) and installed on server (the new-server). Then I copied passwd & config from my old-server (running mosquitto 1.6.10).

All old clients connects fine. If I generate (and append it to existing file) on new-server new user & password:
mosquitto_passwd -H sha512 -b /etc/mosquitto/passwd newcli NewCliPass
for new client - new client won't connect (I get info in client: connection refused).

All my passwords are sha512 (from 1.6.10). New one are in sha512-pbkdf2 already. For testing where I copy password to old server I used sha512.

But if I run on old-server mosquitto_password, copy generated password from it, and then I append this password (the line) in new-server mosquitto/passwd - the client can connect just fine.

If I create in 2.0.2 new file (e.g. in home dir): mosquitto_passwd -c -H sha512 -b test.psw newcli NewCliPass .
And then I copy the user&password line to old-server and new-server it works.
But if I append next user to the test file mosquitto_passwd -c -H sha512 -b test.psw newcli2 NewCliPass2 The user2&pass2 won't work (after ofc copying the new line to main mosquitto/passwd file).

Summary:
So here is my conclusion: passwords generated and "appended" from old 1.6.10 works , while passwords generated and "appended" in 2.0.2 won't work (but the password from newly created file works).

(Maybe I have something wrongly set up, but I'm pretty sure this is not the source of problem.)

Configurations:
New server: PC - Debian 10.7 (4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux)

Old server: Raspberry Pi - Debian 10.4 (4.19.118-v7+ #1311 SMP Mon Apr 27 14:21:24 BST 2020 armv7l GNU/Linux)

Here is my config:

# File: /etc/mosquitto/mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/

pid_file /var/run/mosquitto/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_timestamp_format %Y-%m-%dT%H:%M:%S
log_dest file /var/log/mosquitto/mosquitto.log

listener 1883
socket_domain ipv4

include_dir /etc/mosquitto/conf.d

# File: /etc/mosquitto/conf.d/00_auth.conf
# require clinets to log-in
allow_anonymous false
# set password file
password_file /etc/mosquitto/passwd

Log /var/log/mosquitto/mosquitto.log :

2020-12-15T20:57:16: New connection from 192.168.2.26:55392 on port 1883.
2020-12-15T20:57:16: Sending CONNACK to 192.168.2.26 (0, 5)
2020-12-15T20:57:16: Client <unknown> disconnected, not authorised.

Final test on new-server:
Example outputs from mosquitto_passwd (I'm aware that salt change in password), I especially used twice the same password - newcli connect ok, while newcli2 won't connect.

root@newserv:~ # mosquitto_passwd -c -b test.psw newcli NewCliPass
root@newserv:~ # mosquitto_passwd -b test.psw newcli2 NewCliPass
root@newserv:~ # cat test.psw
newcli:$7$101$1I5ggBiyFoqGvR0X$iQ1jcNUsCUg9XROhZj7sqjddqTE+FnoWbqwhvhgzkgOtTGzOdAtNxmBAKC0nT6MwlUu79KvLsyo9cdNY/vvduw==
newcli2:$7$101$WPY8U+h2kg/+2Rv1$17nf0Ww88Rw74BG064XYnFaLnkpSwM0LLqOyRIC1hlzqxQMbXbL56K/8BX2DPCrEH+7G6s4tByhrPPsJkb5uyA==

[ralight]

You've been hit by #1949 I'm afraid. This is fixed in 2.0.3 which is just released.

[ralight]

Thanks for providing so much detail by the way, it would've been very helpful had this not already been solved.

[saper-2]

I am sooo lucky 😅 build again...

@ralight I'm dev too (I code for win netFW, AVR MCUs, STM32) so I know the more data the more easier for devs find the problem.

Thank you for fixing this.