First let me mention that I've gone through many suggested questions and found no relevent answer. Here is what I'm doing.
I'm connected to my Amazon EC2 instance. I can login with MySQL root with this command:
mysql -u root -p
Then I created a new user bill with host %
CREATE USER 'bill'#'%' IDENTIFIED BY 'passpass';
Granted all the privileges to user bill:
grant all privileges on *.* to 'bill'#'%' with grant option;
Then I exit from root user and try to login with bill:
mysql -u bill -p
entered the correct password and got this error:
ERROR 1045 (28000): Access denied for user 'bill'#'localhost' (using password: YES)
You probably have an anonymous user ''#'localhost' or ''#'127.0.0.1'.
As per the manual:
When multiple matches are possible, the server must determine which of
them to use. It resolves this issue as follows: (...)
When a client attempts to connect, the server looks through the rows [of table mysql.user] in sorted order.
The server uses the first row that matches the client host name and user name.
(...)
The server uses sorting rules that order rows with the most-specific Host values first.
Literal host names [such as 'localhost'] and IP addresses are the most specific.
Therefore such an anonymous user would "mask" any other user like '[any_username]'#'%' when connecting from localhost.
'bill'#'localhost' does match 'bill'#'%', but would match (e.g.) ''#'localhost' beforehands.
The recommended solution is to drop this anonymous user (this is usually a good thing to do anyways).
Below edits are mostly irrelevant to the main question. These are only meant to answer some questions raised in other comments within this thread.
Edit 1
Authenticating as 'bill'#'%' through a socket.
root#myhost:/home/mysql-5.5.16-linux2.6-x86_64# ./mysql -ubill -ppass --socket=/tmp/mysql-5.5.sock
Welcome to the MySQL monitor (...)
mysql> SELECT user, host FROM mysql.user;
+------+-----------+
| user | host |
+------+-----------+
| bill | % |
| root | 127.0.0.1 |
| root | ::1 |
| root | localhost |
+------+-----------+
4 rows in set (0.00 sec)
mysql> SELECT USER(), CURRENT_USER();
+----------------+----------------+
| USER() | CURRENT_USER() |
+----------------+----------------+
| bill#localhost | bill#% |
+----------------+----------------+
1 row in set (0.02 sec)
mysql> SHOW VARIABLES LIKE 'skip_networking';
+-----------------+-------+
| Variable_name | Value |
+-----------------+-------+
| skip_networking | ON |
+-----------------+-------+
1 row in set (0.00 sec)
Edit 2
Exact same setup, except I re-activated networking, and I now create an anonymous user ''#'localhost'.
root#myhost:/home/mysql-5.5.16-linux2.6-x86_64# ./mysql
Welcome to the MySQL monitor (...)
mysql> CREATE USER ''#'localhost' IDENTIFIED BY 'anotherpass';
Query OK, 0 rows affected (0.00 sec)
mysql> Bye
root#myhost:/home/mysql-5.5.16-linux2.6-x86_64# ./mysql -ubill -ppass \
--socket=/tmp/mysql-5.5.sock
ERROR 1045 (28000): Access denied for user 'bill'#'localhost' (using password: YES)
root#myhost:/home/mysql-5.5.16-linux2.6-x86_64# ./mysql -ubill -ppass \
-h127.0.0.1 --protocol=TCP
ERROR 1045 (28000): Access denied for user 'bill'#'localhost' (using password: YES)
root#myhost:/home/mysql-5.5.16-linux2.6-x86_64# ./mysql -ubill -ppass \
-hlocalhost --protocol=TCP
ERROR 1045 (28000): Access denied for user 'bill'#'localhost' (using password: YES)
Edit 3
Same situation as in edit 2, now providing the anonymous user's password.
root#myhost:/home/mysql-5.5.16-linux2.6-x86_64# ./mysql -ubill -panotherpass -hlocalhost
Welcome to the MySQL monitor (...)
mysql> SELECT USER(), CURRENT_USER();
+----------------+----------------+
| USER() | CURRENT_USER() |
+----------------+----------------+
| bill#localhost | #localhost |
+----------------+----------------+
1 row in set (0.01 sec)
Conclusion 1, from edit 1: One can authenticate as 'bill'#'%'through a socket.
Conclusion 2, from edit 2: Whether one connects through TCP or through a socket has no impact on the authentication process (except one cannot connect as anyone else but 'something'#'localhost' through a socket, obviously).
Conclusion 3, from edit 3: Although I specified -ubill, I have been granted access as an anonymous user. This is because of the "sorting rules" advised above. Notice that in most default installations, a no-password, anonymous user exists (and should be secured/removed).
Try:
~$ mysql -u root -p
Enter Password:
mysql> grant all privileges on *.* to bill#localhost identified by 'pass' with grant option;
When you ran
mysql -u bill -p
and got this error
ERROR 1045 (28000): Access denied for user 'bill'#'localhost' (using password: YES)
mysqld is expecting you to connect as bill#localhost
Try creating bill#localhost
CREATE USER bill#localhost IDENTIFIED BY 'passpass';
grant all privileges on *.* to bill#localhost with grant option;
If you want to connect remotely, you must specify either the DNS name, the public IP, or 127.0.0.1 using TCP/IP:
mysql -u bill -p -hmydb#mydomain.com
mysql -u bill -p -h10.1.2.30
mysql -u bill -p -h127.0.0.1 --protocol=TCP
Once you login, please run this
SELECT USER(),CURRENT_USER();
USER() reports how you attempted to authenticate in MySQL
CURRENT_USER() reports how you were allowed to authenticate in MySQL from the mysql.user table
This will give you a better view of how and why you were allowed to login to mysql. Why is this view important to know? It has to do with the user authentication ordering protocol.
Here is an example: I will create an anonymous user on my desktop MySQL
mysql> select user,host from mysql.user;
+---------+-----------+
| user | host |
+---------+-----------+
| lwdba | % |
| mywife | % |
| lwdba | 127.0.0.1 |
| root | 127.0.0.1 |
| lwdba | localhost |
| root | localhost |
| vanilla | localhost |
+---------+-----------+
7 rows in set (0.00 sec)
mysql> grant all on *.* to x#'%';
Query OK, 0 rows affected (0.02 sec)
mysql> select user,host from mysql.user;
+---------+-----------+
| user | host |
+---------+-----------+
| lwdba | % |
| mywife | % |
| x | % |
| lwdba | 127.0.0.1 |
| root | 127.0.0.1 |
| lwdba | localhost |
| root | localhost |
| vanilla | localhost |
+---------+-----------+
8 rows in set (0.00 sec)
mysql> update mysql.user set user='' where user='x';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> select user,host from mysql.user;
+---------+-----------+
| user | host |
+---------+-----------+
| | % |
| lwdba | % |
| mywife | % |
| lwdba | 127.0.0.1 |
| root | 127.0.0.1 |
| lwdba | localhost |
| root | localhost |
| vanilla | localhost |
+---------+-----------+
8 rows in set (0.00 sec)
mysql>
OK watch me login as anonymous user:
C:\MySQL_5.5.12>mysql -urol -Dtest -h127.0.0.1 --protocol=TCP
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.5.12-log MySQL Community Server (GPL)
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select user(),current_user();
+---------------+----------------+
| user() | current_user() |
+---------------+----------------+
| rol#localhost | #% |
+---------------+----------------+
1 row in set (0.00 sec)
mysql>
Authentication ordering is very strict. It checks from the most specific to the least. I wrote about this authentiation style in the DBA StackExchange.
Don't forget to explicitly call for TCP as the protocol for mysql client when necessary.
Super late to this
I tried all of these other answers and ran many different versions of mysql -u root -p but never just ran
mysql -u root -p
And just pressing [ENTER] for the password.
Once I did that it worked. Hope this helps someone.
A related problem in my case was trying to connect using :
mysql -u mike -p mypass
Whitespace IS apparently allowed between the -u #uname# but NOT between the -p and #password#
Therefore needed:
mysql -u mike -pmypass
Otherwise with white-space between -p mypass mysql takes 'mypass' as the db name
When you type mysql -u root -p , you're connecting to the mysql server over a local unix socket.
However the grant you gave, 'bill'#'%' only matches TCP/IP connections curiously enough.
If you want to grant access to the local unix socket, you need to grant privileges to 'bill'#'localhost' , which curiously enough is not the same as 'bill'#'127.0.0.1'
You could also connect using TCP/IP with the mysql command line client, as to match the privileges you already granted, e.g. run mysql -u root -p -h 192.168.1.123 or whichever local IP address your box have.
If you forget your password or you want to modify your password.You can follow these steps :
1 :stop your mysql
[root#maomao ~]# service mysqld stop
Stopping MySQL: [ OK ]
2 :use “--skip-grant-tables” to restart mysql
[root#mcy400 ~]# mysqld_safe --skip-grant-tables
[root#cy400 ~]# Starting mysqld daemon with databases from /var/lib/mysql
3 : open a new window and input mysql -u root
[root#cy400 ~]# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
4 : change the user database
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
5 : modify your password your new password should be input in "()"
mysql> update user set password=password('root123') where user='root';
Query OK, 3 rows affected (0.00 sec)
Rows matched: 3 Changed: 3 Warnings: 0
6 : flush
mysql> flush privileges;
7: quit
mysql> quit
Bye
8: restart mysql
[root#cy400 ~]# service mysqld restart;
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
Bingo! You can connect your database with your username and new password:
[root#cy400 ~]# mysql -u root -p <br>
Enter password: admin123 <br>
Welcome to the MySQL monitor. Commands end with ; or \g. <br>
Your MySQL connection id is 2 <br>
Server version: 5.0.77 Source distribution <br>
Type 'help;' or '\h' for help. Type '\c' to clear the buffer. <br>
mysql> quit <br>
Bye
I had a somewhat similar problem - on my first attempt to enter MySQL, as root, it told me access denied. Turns out I forgot to use the sudo...
So, if you fail on root first attempt, try:
sudo mysql -u root -p
and then enter your password, this should work.
Save yourself of a MAJOR headache... Your problem might be that you are missing the quotes around the password. At least that was my case that detoured me for 3 hours.
[client]
user = myusername
password = "mypassword" # <----------------------- VERY IMPORTANT (quotes)
host = localhost
http://dev.mysql.com/doc/refman/5.7/en/option-files.html
Search for "Here is a typical user option file:" and see the example they state in there. Good luck, and I hope to save someone else some time.
The solution is to delete the anonymous (Any) user!
I also faced the same issue on a server setup by someone else. I normally don't choose to create an anonymous user upon installing MySQL, so hadn't noticed this. Initially I logged in as "root" user and created a couple of "normal" users (aka users with privileges only on dbs with their username as prefix), then logged out, then went on to verify the first normal user. I couldn't log in. Neither via phpMyAdmin, nor via shell. Turns out, the culprit is this "Any" user.
The best solution i found for myself is.
my user is sonar and whenever i am trying to connect to my database from external or other machine i am getting error as
ERROR 1045 (28000): Access denied for user 'sonar'#'localhost' (using password: YES)
Also as i am trying this from another machine and through Jenkins job my URL for accessing is
alm-lt-test.xyz.com
if you want to connect remotely you can specify it with different ways as follows:
mysql -u sonar -p -halm-lt-test.xyz.com
mysql -u sonar -p -h101.33.65.94
mysql -u sonar -p -h127.0.0.1 --protocol=TCP
mysql -u sonar -p -h172.27.59.54 --protocol=TCP
To access this with URL you just have to execute the following query.
GRANT ALL ON sonar.* TO 'sonar'#'localhost' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'#'alm-lt-test.xyz.com' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'#'127.0.0.1' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'#'172.27.59.54' IDENTIFIED BY 'sonar';
It's a difference between:
CREATE USER 'bill'#'%' IDENTIFIED BY 'passpass';
and
CREATE USER 'bill'#'localhost' IDENTIFIED BY 'passpass';
Check it:
mysql> select user,host from mysql.user;
+---------------+----------------------------+
| user | host |
+---------------+----------------------------+
| bill | % | <=== created by first
| root | 127.0.0.1 |
| root | ::1 |
| root | localhost |
| bill | localhost | <=== created by second
+---------------+----------------------------+
The command
mysql -u bill -p
access implicit to 'bill'#'localhost' and NOT to 'bill'#'%'.
There are no permissions for 'bill'#'localhost'
you get the error:
ERROR 1045 (28000): Access denied for user 'bill'#'localhost' (using password: YES)
solving the problem:
CREATE USER 'bill'#'localhost' IDENTIFIED BY 'passpass';
grant all privileges on . to 'bill'#'localhost' with grant option;
Okay, I'm not sure but probably this is my.cnf file inside mysql installation directory is the culprit.
Comment out this line and the problem might be resolved.
bind-address = 127.0.0.1
Not sure if anyone else will find this helpful, but I encountered the same error and searched all over for any anonymous users...and there weren't any. The problem ended up being that the user account was set to "Require SSL" - which I found in PHPMyAdmin by going to User Accounts and clicking on Edit Privileges for the user. As soon as I unchecked this option, everything worked as expected!
This also happens when your password contains some special characters like #,$,etc.
To avoid this situation you can wrap password in single quotes:
$ mysql -usomeuser -p's0mep#$$w0Rd'
Or instead don't use password while entering. Leave it blank and then type it when terminal asks. This is the recommended way.
$ mysql -usomeuser -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 191
Server version: 5.5.46-0ubuntu0.14.04.2 (Ubuntu)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Update: On v8.0.15 (maybe this version) the PASSWORD() function does not work.
You have to:
Make sure you have Stopped MySQL first.
Run the server in safe mode with privilege bypass: sudo mysqld_safe --skip-grant-tables
Login: mysql -u root
mysql> UPDATE mysql.user SET authentication_string=null WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> exit;
Login again: mysql -u root
mysql> ALTER USER 'root'#'localhost' IDENTIFIED WITH caching_sha2_password BY 'yourpasswd';
Just wanted to let you know a unusual circumstance I received the same error. Perhaps this helps someone in the future.
I had developed a few base views, created at the development site and transferred them to the production-site. Later that week I changed a PHP script and all of a sudden errors came up that Access was denied for user 'local-web-user'#'localhost'. The datasource object had not changed, so I concentrated on the database user in MySQL, worrying in the meantime someone hacked my website. Luckily the rest of the site seemed unharmed.
It later turned out that the views were the culprit(s). Our object transfers are done using another (and remote: admin#ip-address) user than the local website user. So the views were created with 'admin'#'ip-address' as the definer. The view creation SECURITY default is
SQL SECURITY DEFINER
When local-web-user tries to use the view it stumbles on the lacking privileges of the definer to use the tables. Once security was changed to:
SQL SECURITY INVOKER
the issue was resolved. The actual problem was completely different than anticipated based on the error message.
For me, this problem was caused by a new feature of MySQL 5.7.2: user entries are ignored if their plugin field is empty.
Set it to e.g. mysql_native_password to reenable them:
UPDATE user SET plugin='mysql_native_password' WHERE user='foo';
FLUSH PRIVILEGES;
See the release notes for MySQL 5.7.2, under «Authentication Notes».
For some reason (maybe because my pre-4.1 password hashes were removed), the mysql_upgrade script didn't set a default plugin value.
I found out by noticing the following warning message in /var/log/mysql/error.log:
[Warning] User entry 'foo'#'%' has an empty plugin value. The user will be ignored and no one can login with this user anymore.
I post this answer here to maybe save someone from using the same ridiculous amount of time on this as I did.
Debugging Summary
Check for typo error: username or password.
Check the host name and compare it with mysql.user table host name.
Check user exists or not.
Check whether host contains IP address or host name.
There is a great chance that, you might have encountered this issue multiple times in your work. This issue occurred to me most of times due to the incorrectly entering user name or password. Though this is one of the reasons, there are other many chances you might get this issue. Sometimes, it looks very similar, but when you dig deeper, you will realize multiple factors contributing to this error. This post will explain in detail, most of the common reasons and work around to fix this issue.
Possible reasons:
Case 1: Typo error: username or password.
This is the most common reason for this error. If you entered the username or password wrongly, surely you will get this error.
Solution:
Solution for this type of error is very simple. Just enter the correct username and password. This error will be resolved. In case if you forget the password you can reset the username/password.
If you forget the password for admin / root account, there are many ways to reset / recapture the root password. I will publish another post on how to reset the root password in-case if you forget root password.
Case 2: Accessing from wrong host.
MySQL provides host based restriction for user access as a security features. In our production environment, we used to restrict the access request only to the Application servers. This feature is really helpful in many production scenarios.
Solution:
When you face this type of issue, first check whether your host is allowed or not by checking the mysql.user table.
If it is not defined, you can update or insert new record to mysql.user table.
Generally, accessing as a root user from remote machine is disabled and it is not a best practice, because of security concerns.
If you have requirements to access your server from multiple machines, give access only to those machines. It is better not to use wildcards (%) and gives universal accesses.
Let me update the mysql.user table, now the demouser can access MySQL server from any host.
Case 3: User does not exists on the server.
This type of error occurs when the user, which you are trying to access not exist on the MySQL server.
Solutions:
When you face this type of issue, just check whether the user is exists in mysql.user table or not. If the record not exists, user cannot access. If there is a requirement for that user to access, create a new user with that username.
Case 4: Mix of numeric and name based hosts.
Important points
It is not advisable to use wildcards while defining user host, try to use the exact host name.
Disable root login from remote machine.
Use proxy user concept.
There are few other concepts related with this topic and getting into details of those topics is very different scope of this article. We will look into the following related topics in the upcoming articles.
What to do, if you forgot root password in of MySQL server.
MySQL Access privilege issues and user related tables.
MySQL security features with best practices.
I hope this post will help for you to fix the MySQL Error Code 1045 Access denied for user in MySQL.
I hope you have not done more damage by also deleting the debian-sys-maint user in mysql
Have your mysql daemon running the normal way. Start your mysql client as shown below
mysql -u debian-sys-maint -p
In another terminal, cat the file /etc/mysql/debian.cnf. That file contains a password; paste that password when prompted for it.
http://ubuntuforums.org/showthread.php?t=1836919
I discovered yet another case that appears on the surface to be an edge case; I can export to the file system, via SELECT INTO .. OUTFILE as root, but not as regular user. While this may be a matter of permissions, I've looked at that, and see nothing especially obvious. All I can say is that executing the query as a regular user who has all permissions on the data base in question returns the access denied error that led me to this topic. When I found the transcript of a successful use of SELECT INTO … OUTFILE in an old project, I noticed that I was logged in as root. Sure enough, when I logged in as root, the query ran as expected.
For me root had a default password
i changed the password using ALTER USER 'root'#'localhost' IDENTIFIED BY 'new Password'; and it worked
I had similar problems because my password contains ";" char breaking my password when I creates it at first moment. Caution with this if can help you.
This may apply to very few people, but here goes. Don't use an exclamation ! in your password.
I did and got the above error using MariaDB. When I simplified it to just numbers and letters it worked. Other characters such as # and $ work fine - I used those characters in a different user on the same instance.
The fifth response at this address led me to my fix.
Nowadays! Solution for :
MySQL ERROR 1045 (28000): Access denied for user 'user'#'localhost'
(using password: YES);
Wampserver 3.2.0 new instalation or upgrading
Probably xamp using mariaDB as default is well.
Wamp server comes with mariaDB and mysql, and instaling mariaDB as default on 3306 port and mysql on 3307, port sometimes 3308.
Connect to mysql!
On instalation it asks to use mariaDB or MySql, But mariaDB is checked as default and you cant change it, check mysql option and install.
when instalation done both will be runing mariaDB on default port 3306 and mysql on another port 3307 or 3308.
Right click on wampserver icon where its runing should be on right bottom corner, goto tools and see your correct mysql runing port.
And include it in your database connection same as folowng :
$host = 'localhost';
$db = 'test';
$user = 'root';
$pass = '';
$charset = 'utf8mb4';
$port = '3308';//Port
$dsn = "mysql:host=$host;dbname=$db;port=$port;charset=$charset"; //Add in connection
$options = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
];
try {
$pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
Note : I am using pdo.
See here for more : https://sourceforge.net/projects/wampserver/
sudo -i
mysql -u root
ALTER USER 'root'#'localhost' IDENTIFIED WITH mysql_native_password BY 'root';
access mysql service without login ( can see beacue in shell mysql> )
On Windows, here's how to resolve:
ERROR 1045 (28000): Access denied for user 'root'#'localhost' (using password: NO)
Uninstall mysql from the control panel
Delete the MySql folder from C:\Program Files,C:\Program Files (x86) and C:\ProgramData
Install mysql
For me, It was not specifying the -p parameter when entering mysql.
mysql -p
I had no problem, but it was wrong to invoke mysql without a password.
So for me the issue was related to the ports i'm mapping.
3306 => 3306 did not work(because I had a local mysql running)
3307 => 3306 works!
This is in the context of establishing as ssh tunnel:
ssh -N -L 3307:rdsDns:3306 ec2User#ec2Dns -i key.pem -v
3307 is the local port, and 3306 is the remote port.
When you run mysql -u bill -p, localhost is resolved to your ip, since it is 127.0.0.1 and in your /etc/hosts file, as default 127.0.0.1 localhost exists. So, mysql interprets you as bill#localhost which is not granted with bill#'%' . This is why there are 2 different records for root user in result of select host, user from mysql.user; query.
There are two ways to handle this issue.
One is specifying an ip which is not reversely resolved by /etc/hosts file when you try to login. For example, the ip of server is 10.0.0.2. When you run the command mysql -u bill -p -h 10.0.0.2, you will be able to login. If you type select user();, you will get bill#10.0.0.2. Of course, any domain name should not be resolved to this ip in your /etc/hosts file.
Secondly, you need grant access for this specific domain name. For bill#localhost, you should call command grant all privileges on *.* to bill#localhost identified by 'billpass'; . In this case, you will be able to login with command mysql -u bill -p. Once logined, select user(); command returns bill#localhost.
But this is only for that you try to login a mysql server in the same host. From remote hosts, mysql behaves expectedly, '%' will grant you to login.
Related
everyone!
An unknown problem occurred in mysql command execution. Procedure
mysql> desc aaaa;
ERROR 1044 (42000): Access denied for user 'mysql.infoschema'#'localhost' to database 'information_schema'
This will happen with any table
I am not currently using the 'mysql.infoschema'#'localhost' user, but a user with higher privileges
mysql> show grants for user_1
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO `user_1`#`%` WITH GRANT OPTION |
| GRANT XA_RECOVER_ADMIN ON *.* TO `user_1`#`%` WITH GRANT OPTION
ql> show grants for `mysql.infoschema`#'localhost';
+------------------------------------------------------------+
| Grants for mysql.infoschema#localhost |
+------------------------------------------------------------+
| GRANT SELECT ON *.* TO `mysql.infoschema`#`localhost` |
| GRANT SYSTEM_USER ON *.* TO `mysql.infoschema`#`localhost` |
+-------------------------
I try to modify mysql.infoschema#localhost as an admin user (give highest privileges)
mysql> desc aaaa;
ERROR 1356 (HY000): View 'information_schema.COLUMNS' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
I also get an error using mysqldump
mysqldump: Couldn't execute 'show fields from `aaaa`': Access denied for user 'mysql.infoschema'#'localhost' to database 'information_schema' (1044)
``
The developer who created a platform my company uses is no longer working for us and I don't know how I can retrieve the passwords from a custom PHP application
When I look in the PHPmyAdmin the passwords are ecrypted (eg *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19)
How can I change or retrieve these?
If a proper encryption method was used, it's not going to be possible to easily retrieve them.
Just reset them with new passwords.
Edit: The string looks like it is using PASSWORD():
UPDATE user SET password = PASSWORD("newpassword");
How can I decrypt MySQL passwords
You can't really because they are hashed and not encrypted.
Here's the essence of the PASSWORD function that current MySQL uses. You can execute it from the sql terminal:
mysql> SELECT SHA1(UNHEX(SHA1("password")));
+------------------------------------------+
| SHA1(UNHEX(SHA1("password"))) |
+------------------------------------------+
| 2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+------------------------------------------+
1 row in set (0.00 sec)
How can I change or retrieve these?
If you are having trouble logging in on a debian or ubuntu system, first try this (thanks to tohuwawohu at https://askubuntu.com/questions/120718/cant-log-to-mysql):
$ sudo cat /etc/mysql/debian.conf | grep -i password
...
password: QWERTY12345...
Then, log in with the debian maintenance user:
$ mysql -u debian-sys-maint -p
password:
Finally, change the user's password:
mysql> UPDATE mysql.user SET Password=PASSWORD('new password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit;
When I look in the PHPmyAdmin the passwords are encrypted
Related, if you need to dump the user database for the relevant information, try:
mysql> SELECT User,Host,Password FROM mysql.user;
+------------------+-----------+----------------------+
| User | Host | Password |
+------------------+-----------+----------------------+
| root | localhost | *0123456789ABCDEF... |
| root | 127.0.0.1 | *0123456789ABCDEF... |
| root | ::1 | *0123456789ABCDEF... |
| debian-sys-maint | localhost | *ABCDEF0123456789... |
+------------------+-----------+----------------------+
And yes, those passwords are NOT salted. So an attacker can prebuild the tables and apply them to all MySQL installations. In addition, the adversary can learn which users have the same passwords.
Needles to say, the folks at mySQL are not following best practices. John Steven did an excellent paper on Password Storage Best Practice at OWASP's Password Storage Cheat Sheet. In fairness to the MySQL folks, they may be doing it because of pain points in the architecture, design or implementation (I simply don't know).
If you use the PASSWORD and UPDATE commands and the change does not work, then see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html. Even though the page is named "resetting permissions", its really about how to change a password. (Its befuddling the MySQL password change procedure is so broken that you have to jump through the hoops, but it is what it is).
Hashing is a one-way process but using a password-list you can regenerate the hashes and compare to the stored hash to 'crack' the password.
This site https://crackstation.net/ attempts to do this for you - run through passwords lists and tell you the cleartext password based on your hash.
With luck, if the original developer was any good, you will not be able to get the plain text out. I say "luck" otherwise you probably have an insecure system.
For the admin passwords, as you have the code, you should be able to create hashed passwords from a known plain text such that you can take control of the application. Follow the algorithm used by the original developer.
If they were not salted and hashed, then make sure you do apply this as 'best practice'
just change them to password('yourpassword')
You can't decrypt MySQL passwords, because the are hashed by using MD5 hash algorithm, which is not an encryption algorithm.
Simply best way from linux server
sudo mysql --defaults-file=/etc/mysql/debian.cnf -e 'use mysql;UPDATE user SET password=PASSWORD("snippetbucket-technologies") WHERE user="root";FLUSH PRIVILEGES;'
This way work for any linux server, I had 100% sure on Debian and Ubuntu you win.
recently I started to work with db2, and created few databases.
To drop a single DB I should use db2 drop db demoDB, is there a way to drop all DBs at once?
Thanks
Taking into account the previous answer, this set of lines do the same without creating a script.
db2 list db directory | tail -n +6 | sed 'N;N;N;N;N;N;N;N;N;N;N;s/\n/ /g' | awk '$28 = /Indirect/ {print "db2 drop database "$7}' | source /dev/stdin
This filters the local databases, and executes the generated output.
(Only works in English environment)
first , i don't think there is any db2 nature way to do that. But I usually do the following thing. At start, the way to see all the databases on your instance is one of the following:
db2 list db directory
db2 list active active databases
Depends on your need ( all DBs or just the active DBs)
I'm sure there is more DBs lists you can get.(at DB2 user guide)
The way I usually drop all my DBs is by using shell script:
1. create new script by using 'vi db2_drop_all.sh' or some other way you want.
2. paste the code:
#!/bin/bash -x
for db_name in $(db2 list db directory | grep Database | \
grep name | cut -d= -f2); do
db2 drop db $db_name || true
done
exit 0
3. save changes
4. and just run the script (after you switched to your instance of course ) sh db2_drop_all.sh
Notice that in step 2 you can change the list of DBs as you wish. ( for example to db2 list active databases)
Hope it helped you. :)
I try to check the availability of a DB2 Instance via the db2cli-utility, as follows
db2cli execsql -user USER -passwd PASSWD -connstring DATABASE:HOST:PORT
(with actual values for the uppercased text). I would expect this to connect to HOST:PORT, using the credentials USER and PASSWD, and to switch to database DATABASE.
As a result i get
SQLError: rc = 0 (SQL_SUCCESS)
SQLGetDiagRec: SQLState : 08001
fNativeError : -1024
szErrorMsg : [IBM][CLI Driver] SQL1024N A database connection does not exist. SQLSTATE=08003
cbErrorMsg : 82
But: these values WORK, on the same machine, if i use them as credentials in applications that connect to DB2, so i would expect that i get a connection with the given command.
My Question is: am i using db2cli wrong?
You are using wrong connection string as well as options. Check correct command syntax by running "db2cli execsql -help" command.
You can use -user and -passwd option with -dsn option only. If you are using connection string, then uid and pwd should be part of -connstring option value. Also, the syntax of connection string is wrong. It must be a pair of keyword and value separated by semicolon and enclosed by quotes like "key1=val1;key2=val2;key3=val3". The correct command that you should use is:
db2cli execsql -connstring "DATABASE=dbname;HOSTNAME=hostname;PORT=portnumber;UID=userid;PWD=passwd"
The output for me is as below:
$ db2cli execsql -connstring "database=bluemix;hostname=192.168.1.20;port=50000;uid=myuid;pwd=mydbpassword"
IBM DATABASE 2 Interactive CLI Sample Program
(C) COPYRIGHT International Business Machines Corp. 1993,1996
All Rights Reserved
Licensed Materials - Property of IBM
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
> select 'bluemix' from sysibm.sysdummy1
select 'bluemix' from sysibm.sysdummy1
FetchAll: Columns: 1
1
bluemix
FetchAll: 1 rows fetched.
> quit
$
To know the instance name, you should run db2level command.
$ db2level
DB21085I This instance or install (instance name, where applicable: "bimaljha") uses
"64" bits and DB2 code release "SQL10054" with level identifier "0605010E".
Informational tokens are "DB2 v10.5.0.4", "s140813", "IP23623", and Fix Pack "4".
Product is installed at "/home/bimaljha/sqllib".
you can try validate connect like below(it will make you sure if connection is successful)
db2cli validate -dsn sample -connect
db2cli.ini :
[sample]
hostname=host
pwd=password
port=portnumber
PROTOCOL=TCPIP
database=dbname
uid=username
I've created a role in my Oracle 11g database called TestUserRole that will eventually have more privileges, but currently has only the Create Session privilege. I've assigned that role to a user, TestUser. It is their only role.
I created this as follows:
CREATE ROLE TestUserRole IDENTIFIED BY somepassword;
GRANT Create Session TO TestUserRole;
CREATE USER TestUser IDENTIFIED BY somepassword;
GRANT TestUserRole TO TestUser;
When I try to connect to the database, I receive:
ORA-01045: user TESTUSER lacks CREATE SESSION privilege; logon denied
I have verified (I think) that the user and role were setup successfully. If I query
select * from dba_role_privs where grantee = 'TESTUSER'
I get
| Grantee | Granted_Role | Admin_Option | Default_Role |
---------------------------------------------------------
| TESTUSER | TESTUSERROLE | NO | YES |
Then if I query
select * from role_sys_privs where role = 'TESTUSERROLE'
I get
| Role | Privilege | Admin_Option |
------------------------------------------------
| TESTUSERROLE | CREATE SESSION | NO |
So it appears that I have created the user and role successfully, the user has the role, and the role has the create session permission. Yet, when I try to log on, Oracle is telling me that the user doesn't have the Create Session permission. Where am I going wrong? Do I have to assign this privilege directly to the user rather than through a role?
Can you try creating your role without the "IDENTIFIED BY password" clause ?
Here it says the following:
The BY password clause lets you create a local role and indicates that the user must specify the password to the database when enabling the role.
Then the problem is because when logging in the role is not enabled yet, the user must enable it using the "SET ROLE" statement as specified here but this can only be done after logging in.