2022-02-21
md
The Mosquitto MQTT Broker in Raspberry Pi OS (Bullseye)
<-3. Installing the mosquitto MQTT Broker in Home Automation System on a Raspberry Pi

Here's another change that appeared with the January 2022 Bullseye version of Raspberry Pi OS: the Mosquitto package was updated to version 2.0.11. To be more accurate this was an "upstream" change in Debian 11 (code name "bullseye"). While the new version of the MQTT broker now handles version 5.0 of the protocol in addition to versions 3.1 and 3.1.1 as before, its default behaviour is no longer the same. This would break my home automation system based on Domoticz which communicates with many IoT devices using MQTT messages.

Of course, I lost time searching in all the wrong places for the reason why my lazmqttc utility was not able to connect to a Mosquitto 2.0.11 broker running in a test environment. The smart thing would have been to start by looking at the Eclipse Mosquitto document Migrating from 1.x to 2.0 which clearly explains that two changes had been made:

Not only that, but the short document also provides solutions. In my case, the solution was to create a local configuration file, /etc/mosquitto/conf.d/local.conf, but I could have just as easily added the following to the global configuration file /etc/mosquitto/mosquitto.conf.

    # Listen for messages from clients on remote machines
    listener 1883

    # Allow anonymous pub/sub, allow_anonymous is false by default,
    allow_anonymous true

    # Require client user/password authentication
    #password_file /etc/mosquitto/passwd

Adding the listener and allowing anonymous connections makes the new version of the broker behave as the old version did by default.

This behaviour is not secure so one can agree that the changes were justified. At a minimum a client should supply a user name and password to authenticate itself when it connects to the broker. If that is enabled in the configuration file (see the last line and remember that it makes no sense to allow anonymous connections at the same time) then a password file has to be created. Here is an example of how to proceed with the mosquitto_passwd utility. The file is created when adding a first user and then a second user is added. Note the presence of the -c option to create a new file when adding the first user and the absence of the flag when adding additional users and passwords.

    pi@tarte:~ $ sudo mosquitto_passwd -c /etc/mosquitto/passwd michel
    Password: no echo to the screen
    Reenter password: no echo to the screen
    pi@tarte:~ $ sudo mosquitto_passwd /etc/mosquitto/passwd alvin
    Password: no echo to the screen
    Reenter password: no echo to the screen
    pi@tarte:~ $ cat /etc/mosquitto/passwd
    michel:$7$101$cXYz7be/EFf3HgTq$JOHuVKqb9MbgkBSQx7Lrpb3SIhR4/Fk91TJlu4vwFJ0+MJohsE1D0l2VPafQdntUdYvxCincgenQImYedXGymg==
    alvin:$7$101$dUT43uqHQJdAa2su$rvJurbDMo0Imc5EVcA5/QdQXb8FKH0TMPOw8U0tWSt+j5GDH6Ob24IS5WEAmV4Wtucp9XbrXQd5yyAMoJS3JTA==

The colon, ":", is used to separate the user name from the hashed password, so clearly user names cannot contain colons. It could quickly become tedious to enter many user names and passwords in this fashion, so look at the -U option in the man page for mosquitto_passwd (also available on the web) for an easier way to create a password file for many clients.

Here is the result of a test using mosquitto_rr which more or less combines mosquitto_pub and mosquitto_sub and which was included along with the latter two in the mosquitto-clients package on my desktop computer.

    michel@hp:~$ mosquitto_rr -v -u michel -P secret_passwd -h 192.168.1.22 -t test -e test -m "Hello there!"
    test Hello there!
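To check a broker configuration for the settings discussed above, the following Python sketch flags a remotely reachable listener combined with allow_anonymous true, and anonymous access left on alongside a password_file. It is an added example, not part of the original post or of Mosquitto; the function names and finding codes are hypothetical, and it assumes global rather than per-listener security settings.

```python
# Added example: audit Mosquitto 2.x settings for the combinations discussed above.
# Assumes global (not per-listener) security settings; finding names are hypothetical.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed samples: the local.conf from this page and an authenticated variant.
PAGE_LOCAL_CONF = """\
listener 1883
allow_anonymous true
#password_file /etc/mosquitto/passwd
"""
AUTHENTICATED_CONF = """\
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

def parse(conf_text):
    """Return (listeners, options) from mosquitto.conf-style text."""
    listeners, options = [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # blank or full-line comment
            continue
        key, *rest = line.split(None, 1)
        value = rest[0].strip() if rest else ""
        if key == "listener":
            fields = value.split()               # port [bind address]
            bind = fields[1] if len(fields) > 1 else None
            listeners.append((int(fields[0]), bind))
        else:
            options[key] = value                 # last occurrence wins here
    return listeners, options

def audit(conf_text):
    """Return finding codes for one configuration text."""
    listeners, options = parse(conf_text)
    # allow_anonymous is false by default in 2.0, as the page notes
    anonymous = options.get("allow_anonymous", "false") == "true"
    remote = [port for port, bind in listeners if bind not in LOOPBACK]
    findings = []
    if not listeners:
        findings.append("LOCAL_ONLY")            # no listener: loopback only
    if remote and anonymous:
        findings.append("ANONYMOUS_REMOTE")      # no credentials needed from the LAN
    if anonymous and "password_file" in options:
        findings.append("ANONYMOUS_WITH_PASSWORD_FILE")  # the mix the page warns against
    return findings

if __name__ == "__main__":
    for name, text in [("page", PAGE_LOCAL_CONF), ("auth", AUTHENTICATED_CONF)]:
        print(name, audit(text) or "ok")
```

To audit a real broker, pass the concatenated contents of /etc/mosquitto/mosquitto.conf and the files under /etc/mosquitto/conf.d/ to audit().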

The mosquitto package offers more sophisticated methods to handle access control, user name and password authentication and encryption. If any of this is required, then you would obviously not be reading this.

The good news for me is that I do not have to rewrite lazmqttc although this experience highlights the need for improved handling of connection errors.
