I have a NUT server on an RPi 2, which I’ve configured. From another client, I can connect via port 3493 and monitor the UPS status. However, my issue is that I can enter any username/password, or leave it out entirely, and still connect. I don’t want that. I don’t understand what’s causing this behavior. Does anyone have any ideas about it?
How do I prevent login without user/password from remote clients?
Currently I can run this command without authentication from a remote client:
upsc [email protected]
Or isn't upsd.users supposed to be used in this way?
My configuration files look like this:
nut.conf
MODE=netserver
upsd.conf
LISTEN 0.0.0.0 3493
upsd.users
[admin]
password = pass
actions = SET
actions = FSD
instcmds = ALL
[local]
password = pass
upsmon master
[remote]
password = pass
upsmon slave
[monuser]
password = pass
upsmon slave
upsmon.conf
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h +0"
POLLFREQ 5
POLLFREQALERT 5
HOSTSYNC 30
DEADTIME 25
POWERDOWNFLAG /etc/killpower
RBWARNTIME 43200
NOCOMMWARNTIME 300
FINALDELAY 90
MONITOR apc-bx1600@localhost 1 local pass master
upssched.conf
CMDSCRIPT /bin/upssched-cmd
File permissions
-rw-r--r-- 1 root root 1113 Jan 22 23:40 hosts.conf
-rw-r----- 1 root nut 15 Jan 22 17:29 nut.conf
-rw-r----- 1 root nut 248 Jan 22 23:12 ups.conf
-rw-r----- 1 root nut 19 Jan 22 23:29 upsd.conf
-rw-r----- 1 root nut 253 Jan 23 16:53 upsd.users
-rw-r----- 1 root nut 232 Jan 23 17:27 upsmon.conf
-rw-r----- 1 root nut 4201 Jan 25 2023 upssched.conf
-rw-r--r-- 1 root root 1432 Jan 23 11:23 upsset.conf
-rw-r--r-- 1 root root 3699 Jan 25 2023 upsstats.html
-rw-r--r-- 1 root root 6408 Jan 25 2023 upsstats-single.html
upsd always provides read-only access to anonymous clients. The user authentication feature is there only for granting access to control actions (e.g. upsrw changing UPS parameters, or upscmd triggering calibration, or upsmon setting 'forced shutdown').
If you want only approved clients to be able to see the UPS status, either use TLS-level client certificate authentication using
CERTREQUEST REQUIRE
in upsd.conf, or limit them using iptables.
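The split the answer describes, anonymous read-only queries versus credential-gated control commands, can be checked from a remote host with a small probe that speaks the plain-text upsd protocol on port 3493. The following is an added example, not NUT's own code: the client-side probe() works against a real upsd, while the mock server, the user table and the variable values are constructed here to mirror the behaviour the answer states (LIST/GET answered for anyone, INSTCMD answered with an error until a USERNAME/PASSWORD pair matching a user with instcmds rights has been sent). The reply strings used are the ones upsd emits for these cases.

```python
"""Probe of the upsd access model: anonymous reads succeed, control needs credentials.

Added illustration, not NUT's own code. MockUpsdHandler is a constructed stand-in
for upsd that implements only the subset of the protocol needed here; probe() is a
real client and can be pointed at an actual upsd (host, 3493).
"""
import socket
import socketserver
import threading

# Constructed stand-in for upsd.users: user -> (password, instcmds it may run).
# "monuser" mirrors an "upsmon slave" entry: it can log in but has no instcmds.
USERS = {"admin": ("pass", {"ALL"}), "monuser": ("pass", set())}
UPS_NAME = "apc-bx1600"
VARS = {"ups.status": "OL", "battery.charge": "100"}   # constructed sample values
COMMANDS = {"test.battery.start"}


class MockUpsdHandler(socketserver.StreamRequestHandler):
    """Answers LIST UPS, GET VAR, USERNAME, PASSWORD, INSTCMD and LOGOUT."""

    def handle(self):
        user = password = None
        for raw in self.rfile:
            parts = raw.decode().split()
            if not parts:
                continue
            verb = parts[0].upper()
            if verb == "LIST" and parts[1:] == ["UPS"]:
                # Read-only path: no credentials consulted at all.
                reply = f'BEGIN LIST UPS\nUPS {UPS_NAME} "Mock UPS"\nEND LIST UPS'
            elif verb == "GET" and len(parts) == 4 and parts[1] == "VAR":
                reply = self.get_var(parts[2], parts[3])
            elif verb == "USERNAME" and len(parts) == 2:
                user, reply = parts[1], "OK"          # accepted, checked later
            elif verb == "PASSWORD" and len(parts) == 2:
                password, reply = parts[1], "OK"
            elif verb == "INSTCMD" and len(parts) == 3:
                reply = self.instcmd(user, password, parts[1], parts[2])
            elif verb == "LOGOUT":
                self.wfile.write(b"OK Goodbye\n")
                return
            else:
                reply = "ERR UNKNOWN-COMMAND"
            self.wfile.write((reply + "\n").encode())

    @staticmethod
    def get_var(ups, var):
        if ups != UPS_NAME:
            return "ERR UNKNOWN-UPS"
        if var not in VARS:
            return "ERR VAR-NOT-SUPPORTED"
        return f'VAR {ups} {var} "{VARS[var]}"'

    @staticmethod
    def instcmd(user, password, ups, cmd):
        # Control path: this is the only place credentials are enforced.
        if user is None:
            return "ERR USERNAME-REQUIRED"
        if password is None:
            return "ERR PASSWORD-REQUIRED"
        entry = USERS.get(user)
        if entry is None or entry[0] != password:
            return "ERR ACCESS-DENIED"
        if ups != UPS_NAME:
            return "ERR UNKNOWN-UPS"
        if cmd not in COMMANDS:
            return "ERR CMD-NOT-SUPPORTED"
        if "ALL" not in entry[1] and cmd not in entry[1]:
            return "ERR ACCESS-DENIED"
        return "OK"


def start_mock_upsd():
    """Start the mock on an ephemeral loopback port; returns the server object."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockUpsdHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, ups, user=None, password=None, cmd="test.battery.start"):
    """Issue LIST UPS, GET VAR and INSTCMD; return the first reply line of each."""
    with socket.create_connection((host, port), timeout=5) as sock:
        f = sock.makefile("rw", newline="\n")

        def ask(req):
            f.write(req + "\n")
            f.flush()
            return f.readline().rstrip("\n")

        result = {"LIST UPS": ask("LIST UPS")}
        if result["LIST UPS"].startswith("BEGIN LIST"):
            while not f.readline().startswith("END LIST"):   # drain list body
                pass
        result["GET VAR"] = ask(f"GET VAR {ups} ups.status")
        if user is not None:
            ask(f"USERNAME {user}")
        if password is not None:
            ask(f"PASSWORD {password}")
        result["INSTCMD"] = ask(f"INSTCMD {ups} {cmd}")
        ask("LOGOUT")
        return result


if __name__ == "__main__":
    srv = start_mock_upsd()
    port = srv.server_address[1]
    print("anonymous:", probe("127.0.0.1", port, UPS_NAME))
    print("admin:    ", probe("127.0.0.1", port, UPS_NAME, "admin", "pass"))
    print("monuser:  ", probe("127.0.0.1", port, UPS_NAME, "monuser", "pass"))
    srv.shutdown()
```

Running probe() against the RPi from a host that should not have access is the quick way to confirm the two facts in the answer: LIST UPS and GET VAR come back with data regardless of credentials, so the only thing upsd.users protects is the INSTCMD reply. If anonymous reads are the problem, the remedy has to sit in front of upsd (CERTREQUEST REQUIRE as the answer says, or a packet filter rule limiting who can reach port 3493), not in upsd.users.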