Add use_username_as_clientid.
This commit is contained in:
parent
cabcada849
commit
fe5dba5887
@ -13,6 +13,8 @@ Important changes:
|
|||||||
- When a durable client reconnects, its queued messages are now checked
|
- When a durable client reconnects, its queued messages are now checked
|
||||||
against ACLs in case of a change in username/ACL state since it last
|
against ACLs in case of a change in username/ACL state since it last
|
||||||
connected.
|
connected.
|
||||||
|
- New use_username_as_clientid option on the broker, for preventing hijacking
|
||||||
|
of a client id.
|
||||||
|
|
||||||
|
|
||||||
Broker:
|
Broker:
|
||||||
@ -37,6 +39,9 @@ Broker:
|
|||||||
provided at the command line.
|
provided at the command line.
|
||||||
- Removed $SYS/broker/changeset. This was intended for use with debugging, but
|
- Removed $SYS/broker/changeset. This was intended for use with debugging, but
|
||||||
in practice is of no use.
|
in practice is of no use.
|
||||||
|
- Add support for use_username_as_clientid which can be used with
|
||||||
|
authentication to restrict ownership of client ids and hence prevent one
|
||||||
|
client disconnecting another by using the same client id.
|
||||||
|
|
||||||
Clients:
|
Clients:
|
||||||
- Both clients can now load default configuration options from a file.
|
- Both clients can now load default configuration options from a file.
|
||||||
|
@ -667,6 +667,25 @@
|
|||||||
<para>Not reloaded on reload signal.</para>
|
<para>Not reloaded on reload signal.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>use_username_as_clientid</option> [ true | false ]</term>
|
||||||
|
<listitem>
|
||||||
|
<para>Set <option>use_username_as_clientid</option> to
|
||||||
|
true to replace the clientid that a client
|
||||||
|
connected with with its username. This allows
|
||||||
|
authentication to be tied to the clientid, which
|
||||||
|
means that it is possible to prevent one client
|
||||||
|
disconnecting another by using the same
|
||||||
|
clientid. Defaults to false.</para>
|
||||||
|
<para>If a client connects with no username it will be
|
||||||
|
disconnected as not authorised when this option is
|
||||||
|
set to true. Do not use in conjunction with
|
||||||
|
<option>clientid_prefixes</option>.</para>
|
||||||
|
<para>See also
|
||||||
|
<option>use_identity_as_username</option>.</para>
|
||||||
|
<para>Not reloaded on reload signal.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect2>
|
</refsect2>
|
||||||
<refsect2>
|
<refsect2>
|
||||||
|
@ -150,6 +150,16 @@
|
|||||||
# only the cafile, certfile, keyfile and ciphers options are supported.
|
# only the cafile, certfile, keyfile and ciphers options are supported.
|
||||||
#protocol mqtt
|
#protocol mqtt
|
||||||
|
|
||||||
|
# Set use_username_as_clientid to true to replace the clientid that a client
|
||||||
|
# connected with with its username. This allows authentication to be tied to
|
||||||
|
# the clientid, which means that it is possible to prevent one client
|
||||||
|
# disconnecting another by using the same clientid.
|
||||||
|
# If a client connects with no username it will be disconnected as not
|
||||||
|
# authorised when this option is set to true.
|
||||||
|
# Do not use in conjunction with clientid_prefixes.
|
||||||
|
# See also use_identity_as_username.
|
||||||
|
#use_username_as_clientid
|
||||||
|
|
||||||
# -----------------------------------------------------------------
|
# -----------------------------------------------------------------
|
||||||
# Certificate based SSL/TLS support
|
# Certificate based SSL/TLS support
|
||||||
# -----------------------------------------------------------------
|
# -----------------------------------------------------------------
|
||||||
@ -276,6 +286,16 @@
|
|||||||
# This can be either mqtt or websockets.
|
# This can be either mqtt or websockets.
|
||||||
#protocol mqtt
|
#protocol mqtt
|
||||||
|
|
||||||
|
# Set use_username_as_clientid to true to replace the clientid that a client
|
||||||
|
# connected with with its username. This allows authentication to be tied to
|
||||||
|
# the clientid, which means that it is possible to prevent one client
|
||||||
|
# disconnecting another by using the same clientid.
|
||||||
|
# If a client connects with no username it will be disconnected as not
|
||||||
|
# authorised when this option is set to true.
|
||||||
|
# Do not use in conjunction with clientid_prefixes.
|
||||||
|
# See also use_identity_as_username.
|
||||||
|
#use_username_as_clientid
|
||||||
|
|
||||||
# -----------------------------------------------------------------
|
# -----------------------------------------------------------------
|
||||||
# Certificate based SSL/TLS support
|
# Certificate based SSL/TLS support
|
||||||
# -----------------------------------------------------------------
|
# -----------------------------------------------------------------
|
||||||
|
@ -178,6 +178,7 @@ void mqtt3_config_init(struct mqtt3_config *config)
|
|||||||
config->default_listener.sock_count = 0;
|
config->default_listener.sock_count = 0;
|
||||||
config->default_listener.client_count = 0;
|
config->default_listener.client_count = 0;
|
||||||
config->default_listener.protocol = mp_mqtt;
|
config->default_listener.protocol = mp_mqtt;
|
||||||
|
config->default_listener.use_username_as_clientid = false;
|
||||||
#ifdef WITH_TLS
|
#ifdef WITH_TLS
|
||||||
config->default_listener.tls_version = NULL;
|
config->default_listener.tls_version = NULL;
|
||||||
config->default_listener.cafile = NULL;
|
config->default_listener.cafile = NULL;
|
||||||
@ -378,6 +379,7 @@ int mqtt3_config_parse_args(struct mqtt3_config *config, int argc, char *argv[])
|
|||||||
|| config->default_listener.crlfile
|
|| config->default_listener.crlfile
|
||||||
|| config->default_listener.use_identity_as_username
|
|| config->default_listener.use_identity_as_username
|
||||||
#endif
|
#endif
|
||||||
|
|| config->default_listener.use_username_as_clientid
|
||||||
|| config->default_listener.host
|
|| config->default_listener.host
|
||||||
|| config->default_listener.port
|
|| config->default_listener.port
|
||||||
|| config->default_listener.max_connections != -1
|
|| config->default_listener.max_connections != -1
|
||||||
@ -412,6 +414,7 @@ int mqtt3_config_parse_args(struct mqtt3_config *config, int argc, char *argv[])
|
|||||||
config->listeners[config->listener_count-1].socks = NULL;
|
config->listeners[config->listener_count-1].socks = NULL;
|
||||||
config->listeners[config->listener_count-1].sock_count = 0;
|
config->listeners[config->listener_count-1].sock_count = 0;
|
||||||
config->listeners[config->listener_count-1].client_count = 0;
|
config->listeners[config->listener_count-1].client_count = 0;
|
||||||
|
config->listeners[config->listener_count-1].use_username_as_clientid = config->default_listener.use_username_as_clientid;
|
||||||
#ifdef WITH_TLS
|
#ifdef WITH_TLS
|
||||||
config->listeners[config->listener_count-1].tls_version = config->default_listener.tls_version;
|
config->listeners[config->listener_count-1].tls_version = config->default_listener.tls_version;
|
||||||
config->listeners[config->listener_count-1].cafile = config->default_listener.cafile;
|
config->listeners[config->listener_count-1].cafile = config->default_listener.cafile;
|
||||||
@ -1763,6 +1766,12 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
|
|||||||
#else
|
#else
|
||||||
_mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
|
_mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
|
||||||
#endif
|
#endif
|
||||||
|
}else if(!strcmp(token, "user")){
|
||||||
|
if(reload) continue; // Drop privileges user not valid for reloading.
|
||||||
|
if(_conf_parse_string(&token, "user", &config->user, saveptr)) return MOSQ_ERR_INVAL;
|
||||||
|
}else if(!strcmp(token, "use_username_as_clientid")){
|
||||||
|
if(reload) continue; // Listeners not valid for reloading.
|
||||||
|
if(_conf_parse_bool(&token, "use_username_as_clientid", &cur_listener->use_username_as_clientid, saveptr)) return MOSQ_ERR_INVAL;
|
||||||
}else if(!strcmp(token, "user")){
|
}else if(!strcmp(token, "user")){
|
||||||
if(reload) continue; // Drop privileges user not valid for reloading.
|
if(reload) continue; // Drop privileges user not valid for reloading.
|
||||||
if(_conf_parse_string(&token, "user", &config->user, saveptr)) return MOSQ_ERR_INVAL;
|
if(_conf_parse_string(&token, "user", &config->user, saveptr)) return MOSQ_ERR_INVAL;
|
||||||
|
@ -59,6 +59,7 @@ struct _mqtt3_listener {
|
|||||||
int sock_count;
|
int sock_count;
|
||||||
int client_count;
|
int client_count;
|
||||||
enum mosquitto_protocol protocol;
|
enum mosquitto_protocol protocol;
|
||||||
|
bool use_username_as_clientid;
|
||||||
#ifdef WITH_TLS
|
#ifdef WITH_TLS
|
||||||
char *cafile;
|
char *cafile;
|
||||||
char *capath;
|
char *capath;
|
||||||
|
@ -387,6 +387,21 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
if(context->listener && context->listener->use_username_as_clientid){
|
||||||
|
if(context->username){
|
||||||
|
_mosquitto_free(client_id);
|
||||||
|
client_id = _mosquitto_strdup(context->username);
|
||||||
|
if(!client_id){
|
||||||
|
rc = MOSQ_ERR_NOMEM;
|
||||||
|
goto handle_connect_error;
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
_mosquitto_send_connack(context, 0, CONNACK_REFUSED_NOT_AUTHORIZED);
|
||||||
|
rc = MOSQ_ERR_SUCCESS;
|
||||||
|
goto handle_connect_error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Find if this client already has an entry. This must be done *after* any security checks. */
|
/* Find if this client already has an entry. This must be done *after* any security checks. */
|
||||||
HASH_FIND(hh_id, db->contexts_by_id, client_id, strlen(client_id), found_context);
|
HASH_FIND(hh_id, db->contexts_by_id, client_id, strlen(client_id), found_context);
|
||||||
if(found_context){
|
if(found_context){
|
||||||
|
Loading…
Reference in New Issue
Block a user