mosquitto: Explicitly configure password file #27131
@richardlarocque, thanks for your PR! By analyzing the history of the files in this pull request, we identified @Cornu and @fpletz to be potential reviewers.
I admit to having done no manual testing and not having much clue why conflict resolution was necessary. (My local branch seems to be up to date...) This is more of a proof-of-concept for #27130. I have manually verified that
fixes the problem reported there. So the change should be good at the Mosquitto level. I'm less familiar with testing NixOS services, so I'm going to hope the Travis CI bot does a good enough job of that.
NixOS services are not covered by Travis CI at all. Please use
Related to NixOS#27130. Adds a NixOS configuration option to have Mosquitto use the password file that it generates. When this option is false, the Mosquitto server will accept login attempts with any username and any password. This option defaults to false because this matches the behavior of the service prior to the introduction of this option. When `services.mosquitto.checkPasswords` is true, the server will only accept valid usernames and passwords.
fc3005f to 66b07e4
I've clobbered this PR with a new version. The merge commit is gone now. Your point about backwards compatibility is a good one. I've updated the PR to make this change opt-in. Users must set the I believe this change has no direct effect on the use of If I'm right, then the effect of this change will be that many users who thought they had hashed their passwords correctly will find out that their hashes and passwords do not match. Previously, it would have appeared to work because the server accepted any password as valid, regardless of what hash was specified. But all of that only comes into play if they toggle on the flag. It defaults to providing the old behavior, so any hashed password value is acceptable.
By the way, I couldn't figure out which tests were relevant, but I did write and run some tests of my own. I used a script to rebuild and restart the mosquitto daemon under various configs:
And another script to verify its behavior:
I hope this is sufficient. My changes only touch configs, so I can't imagine how I could have broken package-building. See also the notes on the related issue. #27130
Related issue for the password hashing instructions: #27996.
Adds explicit entry to mosquitto configuration file to specify the path
of the password file.
This path matches the path of the automatically-generated password file
defined elsewhere in this service definition, so there is no need to
make it configurable.
Motivation for this change
See further details at #27130.
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/)
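
As an added example (not part of this PR or of the NixOS module), the check below audits the text of a generated mosquitto.conf for the condition discussed above: a password file that exists but is never referenced through `password_file`. The password-file path and both sample configs are constructed placeholders, and the `allow_anonymous` check goes beyond what the PR itself covers.

```python
# Added example (not from the PR): audit mosquitto.conf text for password checking.
# The path and both sample configs below are constructed placeholders.
EXPECTED_PASSWD = "/path/to/generated/passwd"

BEFORE = """\
# constructed sample: password file generated on disk but never referenced
pid_file /run/mosquitto/pid
allow_anonymous false
"""

AFTER = BEFORE + "password_file " + EXPECTED_PASSWD + "\n"


def parse_conf(text):
    """Map each directive to the list of values it was given."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0], []).append(value)
    return directives


def audit_auth(text, expected_passwd=EXPECTED_PASSWD):
    """Return findings; an empty list means the expected file is referenced."""
    conf = parse_conf(text)
    findings = []
    passwd_files = conf.get("password_file", [])
    if not passwd_files:
        findings.append("password_file missing: no password list to check against")
    for path in passwd_files:
        if path != expected_passwd:
            findings.append("password_file points at unexpected path: %r" % path)
    if "true" in conf.get("allow_anonymous", []):
        findings.append("allow_anonymous true: clients may connect without credentials")
    return findings


if __name__ == "__main__":
    for name, conf_text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_auth(conf_text) or "ok")
```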