
Authentication methods


It is important to configure authentication on your Mosquitto instance, so unauthorised clients cannot connect.

In Mosquitto 2.0 and up, you must choose your authentication options explicitly before clients can connect. In earlier versions the default is to allow clients to connect without authentication.

There are three choices for authentication: password files, authentication plugins, and unauthorised/anonymous access. It is possible to use a combination of all three choices.

It is possible to have different listeners use different authentication methods by setting per_listener_settings true in your configuration file.

As well as authentication you should also consider some form of access control to determine which clients can access which topics.

Password files

Password files are a simple mechanism for storing usernames and passwords in a single file. They are a good fit if you have a relatively small number of fairly static users.

If you make changes to the password file you must trigger the broker to reload the file by sending it a SIGHUP signal:

kill -HUP <process id of mosquitto>

Creating a password file

To create a password file, use the mosquitto_passwd utility as shown on the line below. You will be asked for the password. Note that -c means an existing file will be overwritten:

mosquitto_passwd -c <password file> <username>

To add more users to an existing password file, or to change the password for an existing user, leave out the -c argument:

mosquitto_passwd <password file> <username>

To remove a user from a password file:

mosquitto_passwd -D <password file> <username>

You can also add/update a username and password in a single line, but be aware that this means the password is visible on the command line and in any command history:

mosquitto_passwd <password file> <username> <password>

Configuring the broker

To start using your password file you must add the password_file option to your configuration file:

password_file <path to the password file>

The password file must be readable by whatever user Mosquitto is running as. On Linux/POSIX systems this will typically be the mosquitto user, and /etc/mosquitto/password_file is a good place for the file itself.

If you are using the per_listener_settings true option to have separate security settings per listener, you must place the password_file option after the listener it is for:

listener 1883
password_file /etc/mosquitto/password_file

Authentication plugins

If you want more control over authentication of your users than is offered by a password file, then an authentication plugin may be suitable for you. The features offered depend on which plugin you use.

Configuring the plugin

Configuring a plugin varies depending on the version of the Mosquitto plugin interface the plugin was written for: either version 2.0 and up, or 1.6.x and earlier.

For 1.6.x and below, use the auth_plugin option. These plugins are also supported by version 2.0:

listener 1883
auth_plugin <path to plugin>

Some plugins require extra configuration, which will be described in their documentation.

For 2.0 and up, use the plugin option:

listener 1883
plugin <path to plugin>

Available plugins

  • Dynamic security, for 2.0 and up only, provided by the Mosquitto project to give flexible in-broker clients, groups, and roles that can be administered remotely.
  • mosquitto-go-auth, which offers the use of a variety of backends to store user data, such as mysql, jwt, or redis.

Unauthenticated access

To configure unauthenticated access, use the allow_anonymous option:

listener 1883
allow_anonymous true

It is valid to allow anonymous and authenticated access on the same broker. In particular, the dynamic security plugin allows you to assign different rights to anonymous users than to authenticated users, which may be useful for read-only access to data, for example.
