mosquitto_ctrl man page

Authentication, and role based access control with users and groups. Uses the dynsec module name. See: mosquitto_ctrl_dynsec(1)

mosquitto_ctrl has the ability to load external modules in the form of shared libraries. For example using the module name example will try to load the external module mosquitto_ctrl_example.so or mosquitto_ctrl_example.dll, depending on platform. This allows new functionality to be added to Mosquitto by combining a plugin and mosquitto_ctrl module, without having to recompile any Mosquitto source code.

Bind the outgoing connection to a local ip address/hostname. Use this argument if you need to restrict network communication to a particular interface.

Define the path to a file containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.

See also --capath

Define the path to a directory containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.

For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "openssl rehash <path to capath>" each time you add/remove a certificate.

See also --cafile

Define the path to a file containing a PEM encoded certificate for this client, if required by the server.

See also --key.

An openssl compatible list of TLS ciphers to support in the client. See ciphers(1) for more information.

Enable debug messages.

Use an MQTT v5 property with this publish. If you use this option, the client will be set to be an MQTT v5 client. This option has two forms:

-D command identifier value

-D command identifier name value

command is the MQTT command/packet identifier and can be one of CONNECT, PUBLISH, PUBREL, DISCONNECT, AUTH, or WILL. The properties available for each command are listed in the Properties section.

identifier is the name of the property to add. This is as described in the specification, but with '-' as a word separator. For example: payload-format-indicator. More details are in the Properties section.

value is the value of the property to add, with a data type that is property specific.

name is only used for the user-property property as the first of the two strings in the string pair. In that case, value is the second of the strings in the pair.

Display usage information.

Specify the host to connect to. Defaults to localhost.

The id to use for this client. If not given, a client id will be generated depending on the MQTT version being used. For v3.1.1/v3.1, the client generates a client id in the format mosq-XXXXXXXXXXXXXXXXXX, where the X are replaced with random alphanumeric characters. For v5.0, the client sends a zero length client id, and the server will generate a client id for the client.

This option cannot be used at the same time as the --id-prefix argument.

When using certificate based encryption, this option disables verification of the server hostname in the server certificate. This can be useful when testing initial server configurations but makes it possible for a malicious third party to impersonate your server through DNS spoofing, for example. Use this option in testing only. If you need to resort to using this option in a production environment, your setup is at fault and there is no point using encryption.

Define the path to a file containing a PEM encoded private key for this client, if required by the server.

See also --cert.

Specifies the type of private key in use when making TLS connections.. This can be "pem" or "engine". This parameter is useful when a TPM module is being used and the private key has been created with it. Defaults to "pem", which means normal private key files are used.

See also --tls-engine.

Specify specify user, password, hostname, port and topic at once as a URL. The URL must be in the form: mqtt(s)://[username[:password]@]host[:port]/topic

If the scheme is mqtt:// then the port defaults to 1883. If the scheme is mqtts:// then the port defaults to 8883.

Disable Nagle's algorithm for the socket. This means that latency of sent messages is reduced, which is particularly noticeable for small, reasonably infrequent messages. Using this option may result in more packets being sent than would normally be necessary.

Provide a path to a config file to load options from. The config file should have one pair of -option value per line. The values in the config file will be used as defaults and can be overridden by using the command line. The exceptions to this are the message type options, of which only one can be specified. Note also that currently some options cannot be negated, e.g. -S. Config file lines that have a # as the first character are treated as comments and not processed any further.

Connect to the port specified. If not given, the default of 1883 for plain MQTT or 8883 for MQTT over TLS will be used.

Provide a password to be used for authenticating with the broker. Using this argument without also specifying a username is invalid when using MQTT v3.1 or v3.1.1. See also the --username option.

Specify a SOCKS5 proxy to connect through. "None" and "username" authentication types are supported. The socks-url must be of the form socks5h://[username[:password]@]host[:port]. The protocol prefix socks5h means that hostnames are resolved by the proxy. The symbols %25, %3A and %40 are URL decoded into %, : and @ respectively, if present in the username or password.

If username is not given, then no authentication is attempted. If the port is not given, then the default of 1080 is used.

More SOCKS versions may be available in the future, depending on demand, and will use different protocol prefixes as described in curl(1).

Provide the hexadecimal (no leading 0x) pre-shared-key matching the one used on the broker to use TLS-PSK encryption support. --psk-identity must also be provided to enable TLS-PSK.

The client identity to use with TLS-PSK support. This may be used instead of a username if the broker is configured to do so.

Specify the quality of service to use for messages, from 0, 1 and 2. Defaults to 1.

If this argument is given, no runtime errors will be printed. This excludes any error messages given in case of invalid user input (e.g. using --port without a port).

Provide a protocol to use when connecting to a broker that has multiple protocols available on a single port, e.g. MQTT and WebSockets.

A valid openssl engine id. These can be listed with openssl engine command.

See also --keyform.

SHA1 of the private key password when using an TLS engine. Some TLS engines such as the TPM engine may require the use of a password in order to be accessed. This option allows a hex encoded SHA1 hash of the password to the engine directly, instead of the user being prompted for the password.

See also --tls-engine.

Choose which TLS protocol version to use when communicating with the broker. Valid options are tlsv1.3, tlsv1.2 and tlsv1.1. The default value is tlsv1.2. Must match the protocol version used by the broker.

Provide a username to be used for authenticating with the broker. See also the --pw argument.

Connect to a broker through a local unix domain socket instead of a TCP socket. This is a replacement for -h and -L. For example: mosquitto_ctrl --unix /tmp/mosquitto.sock ...

See the socket_domain option in mosquitto.conf (5) to configure Mosquitto to listen on a unix socket.

Specify which version of the MQTT protocol should be used when connecting to the rmeote broker. Can be 5, 311, 31, or the more verbose mqttv5, mqttv311, or mqttv31. Defaults to 311.