Cannot connect to database server, access denied to user root@% - mysql

I'm receiving this error when trying to open my database connection:
"Cannot connect to database server
your connection failed for user root@% to database [mydatabase]
Please:
check mysql is running on localhost
check mysql is reachable on 3306
check root has rights to connect to localhost
Make sure youre both providing a password if needed"
I'm working on MySQL Workbench on a Windows 10 machine. I think my root privileges have been dropped (not sure how), so any advice on that would also be fab... thanks :)

Can you provide additional info on your setup, including the versions of the MySQL server and the client applications? You mention you can still connect; if so, what command do you use? Can you query everything from the table mysql.user and post it?

Also, query the table mysql.user for plugin info, because in recent versions of MySQL server (8.0 and up), according to the MySQL documentation (6.4.1.2 Caching SHA-2 Pluggable Authentication), the server by default uses a new authentication method via the authentication plugin caching_sha2_password. In this case the password is encrypted either by virtue of a secure connection or with the RSA public key. The encrypted password is then decrypted on the server with the private RSA key. For example, connections from older clients or connectors within applications might fail due to incompatibility. If you use compatible clients and the authentication plugin caching_sha2_password, the connection between client and server may fail due to:
1. Incorrect password.
2. No secure (SSL) connection established.
3. No public RSA key presented by the client.
In case 3, quoting the docs:
Client users can obtain the RSA public key two ways:
The database administrator can provide a copy of the public key file.
A client user who can connect to the server some other way can use a
SHOW STATUS LIKE 'Caching_sha2_password_rsa_public_key' statement and
save the returned key value in a file.
If you can connect to the database with any client, obtain the public key and use it to configure another client. Alternatively, the public key for RSA connection can be obtained from the server data directory. On Windows 10 it is usually C:\ProgramData\MySQL\MySQL Server 8.0\Data
So, if the user has caching_sha2_password set and you have the public RSA key for the MySQL server, you can use it to establish a connection. If the user has mysql_native_password, the cause may be different.

Navicat doesn't recognize new entries in known_hosts file on Mac and cannot connect to remote server

UPDATE Feb 2022: this issue may have been fixed in more recent versions. See comments on the accepted solution.
Summary:
An existing connection to a remote database in Navicat was working using a domain name for the SSH > Host field. After building a new remote server and pointing the domain at the new IP address (and setting up the database and users, as well as adding your public RSA key to the new server), Navicat doesn't trust the key hash from the server. Replacing the entries in ~/.ssh/known_hosts doesn't help.
Steps to reproduce:
1. point the domain for a remote database at a new IP address
2. add your RSA public key to the authorized keys on the remote server
3. add the remote database and users on the remote server
4. in Terminal, ssh into the new remote server using the domain, and follow the prompts to add the new server to the known_hosts file
5. in Navicat (specifically Navicat Essentials for PostgreSQL, but this issue will apply to any app in the Navicat suite on Mac) edit an existing connection to the remote server
6. on the SSH tab in the "Edit Connection..." window, click 'Test Connection'
Expected:
Navicat uses the updated ~/.ssh/known_hosts file to authorize connection to the remote server
Actual:
Navicat fails to connect
Error:
The server key has changed. Either you are under attack or the administrator changed the key.
New server key hash:...
Question:
How to get Navicat to accept the new known_hosts data and authorize the connection?
Problem:
Navicat uses a different known_hosts file than the operating system does. So updating ~/.ssh/known_hosts doesn't affect the Navicat connection to the remote server.
Solution:
Optional workaround:
1. in Navicat, edit the database connection
2. on the SSH tab, change the Host field from a domain to the new IP address
Fix:
1. in Terminal, run sudo find ~ -name known_hosts
2. the results will include something like (using Navicat Essentials for PostgreSQL as an example):
   /Users/<user>/Library/Containers/com.prect.NavicatEssentialsForPostgreSQL12/Data/.ssh/known_hosts
3. edit that file and remove the line starting with the domain for your remote server
4. return to Navicat and click Test Connection again. The connection should work.
If you see the error: Access denied for 'publickey'. Authentication that can continue: publickey,password (101203) or similar, check the Authentication Method selection and, if you're using 'Public Key' or 'Password and Public Key', click the 'Private Key' file navigator and re-select one of the private keys matching a public key that you've added to the remote server.

Is there any documentation around this PyMysql/Mysql behavior?

This is the pymysql code I am using to connect to the database. I am testing with an AWS RDS MySQL instance with MySQL version 5.7.22. I am getting the certificate from https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
pymysql.connect(secret_dict['host'], user=secret_dict['username'],
                passwd=secret_dict['password'], port=port, db=dbname,
                connect_timeout=5, ssl={'ca': './rds-combined-ca-bundle.pem'})
This code works with my test database with the user with SSL enabled and the user without SSL enabled (via ALTER USER 'encrypted_user'@'%' REQUIRE SSL;).
My question is: is this pymysql behavior that I am seeing true of any MySQL version database, or documented anywhere? The behavior I am referring to is that if you add the ssl option to the connect call, it should work (successful connection) regardless of whether or not the actual user has SSL required on it. I prefer not to test with every MySQL version :)
From taking a look at the pymysql code, what it seems to do is check if there are any ssl parameters associated with the request, add them to an ssl map, and then create a ctx_object from that ssl map and use that ctx_object when initializing a socket with the database.
Just found this in the MySQL 7 documentation guide:
"On the server side, the --ssl option specifies that the server permits but does not require encrypted connections. This option is enabled by default, so it need not be specified explicitly."
"By default, MySQL client programs attempt to establish an encrypted connection if the server supports encrypted connections, with further control available through the --ssl-mode option:"
"In the absence of an --ssl-mode option, clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established. This is also the behavior with an explicit --ssl-mode=PREFERRED option."
"PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified."
So I believe what's happening is that pymysql doesn't specify the ssl-mode option, so the client-side SSL mode being used is PREFERRED, which means that the client (pymysql) will try to establish an SSL connection (which I think fails because the user doesn't require it) and then fall back to the unencrypted connection, which will be successful.
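
An added example, not part of the original post and not PyMySQL's own code: instead of relying on the PREFERRED fallback quoted above, a client can verify the server certificate and host name and then confirm from the server's Ssl_cipher status that the session really is encrypted. The function names and the two sample rows are constructed for illustration; the RDS CA bundle path is whatever file you downloaded.

```python
import ssl


def strict_tls_context(ca_file=None):
    """TLS context that verifies the server's chain and host name.

    ca_file is the CA bundle (for RDS, the downloaded .pem); None falls back
    to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context already sets these; stated explicitly so a later
    # edit cannot silently weaken verification.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def session_cipher(status_row):
    """Return the cipher from a SHOW STATUS LIKE 'Ssl_cipher' row, or None.

    MySQL reports an empty value when the session is not encrypted.
    """
    if not status_row:
        return None
    _name, value = status_row
    return value or None


def connect_verified(host, user, password, database, ca_file, port=3306):
    """Connect with PyMySQL and fail closed if the session is not encrypted."""
    import pymysql  # third-party; imported here so the helpers work without it

    conn = pymysql.connect(host=host, user=user, password=password,
                           database=database, port=port, connect_timeout=5,
                           ssl=strict_tls_context(ca_file))
    try:
        with conn.cursor() as cur:
            cur.execute("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
            cipher = session_cipher(cur.fetchone())
    except Exception:
        conn.close()
        raise
    if cipher is None:
        conn.close()
        raise RuntimeError("connected, but the session is not TLS-encrypted")
    return conn, cipher


# Constructed sample rows, shaped like the server's answer to the status query.
ENCRYPTED_ROW = ("Ssl_cipher", "ECDHE-RSA-AES256-GCM-SHA384")
PLAINTEXT_ROW = ("Ssl_cipher", "")
```

Checking Ssl_cipher after connecting catches a silent plaintext session for accounts that were not created with REQUIRE SSL, which the server would otherwise accept without complaint.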

How to access my newly setup MySQL database (getting "Domain is currently unable to handle this request.")

I just set up a new MySQL database with the MySQL workbench & created a user for it with all necessary privileges. I am using this database for use with my php code. But I can't seem to connect to it on my live server (pages are hosted on windows server 2012). Everything works fine in my local environment with xampp and the new MySQL database is exactly the same as the xampp one. I think I am maybe using the wrong host name or something. As host name I copied the name that is displayed after "Host:" when you click on Server Status in MySQL workbench. The database name, user & password should all be correct. But when my code tries to access the db I get a "The domain page isn’t working. Domain is currently unable to handle this request."
You either have no network connection to the server at all or it is blocked due to firewall or routing misconfiguration.
If you do have network access in general, you might have forgotten to
FLUSH PRIVILEGES;
or you have not enabled networking over TCP; the default is to listen only to localhost (on Unix systems via Unix sockets, on Microsoft I guess it's simply TCP).
Read about the following configuration parameter which will solve your networking issue:
bind-address
If you have a very old MySQL server version, the parameter is enable-networking but it shouldn't be the case anymore.

Error while trying to connect to the database server: [1045] Access denied for user

I have a MySQL database running and I created a new user called 'ssluser' with SSL REQUIRED. I'm having trouble with this user logging in from a client to a remote server.
I verified the firewall is not an issue. iptables are not reporting dropped packets.
I am able to connect from nonssluser to the remote server without an issue.
On the server my.cnf I have the CA, Cert, and Key file in place and MySQL WorkBench shows that SSL is enabled.
On the client, I have CA, Cert, and Key file in place as well.
For both certificates I used the FQDN as the common name. I'm not sure if that is the issue or not. Any ideas?
The connection is on a private network in the Digital Ocean datacenter NYC.
[1045] Access denied for user
is a MySQL thing - which means that you are connecting - SSL does not seem to be the problem.
This most likely means you are authenticating wrong (have the wrong password).
Check this to see if it helps if you are sure you have the right password.
To answer my question:
1 - The password was incorrect
and
2 - The application does not support SSL MySQL connections

MYSQL remote connection require SSL

I'm seeking to clear some information up for myself involving remote SSL connections to MYSQL. Particularly, once I have MYSQL setup to enable SSL and have a remote user that requires SSL.
This is how I connect (commandline), remotely, to MYSQL with a user that requires SSL:
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem
My question is: Why do I have to provide the ca.pem file as the client?
These are the steps I took to install mysql on the server and setup remote access (Ubuntu):
Steps to Enable SSL for MYSQL
1) Obtain my Certificate Authority cert, Database cert, Database key
ca.pem (Certificate Authority cert)
dbcert.pem (Database cert)
dbkey.pem (Database key)
2) Add the following lines to /etc/mysql/my.cnf under [mysqld]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem
3) Restart mysql and confirm ssl enabled by logging in and typing following:
show variables like '%ssl%';
Configure Remote Connection Requiring SSL
1) Comment out the following lines in /etc/mysql/my.cnf
#bind-address
#skip-networking
2) Login to mysql and grant a user access to, in this case, every database
GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL;
At this point, I have MYSQL setup to enable SSL && I have a remote user that will require SSL to login. I am able to login on a remote commandline, but I need to specify the --ssl-ca.
Why do I have to provide the ssl-ca from client? Is there a way to do this so that I don't have to?
I would really appreciate some insight here.
Thanks in advance.
Unlike your typical web browser, a commandline tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built in list of certification authorities, and you implicitly trust them (whether you know it or not).
When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the ca signing it."
For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.
http://razorsql.com/articles/mysql_ssl_jdbc.html
How can I configure Hibernate to use SSL to talk to the DB server?