Old user is still there?
I have found a weird phenomenon on my MariaDB server (version 10.1.26-MariaDB-0+deb9u1)
I used to have a user XYZ long time ago, and this user probably got deleted sometime. However, I tried to login using this user and I got the following error message:
mysqli_real_connect(): (HY000/1275): Server is running in
--secure-auth mode, but 'XYZ'@'localhost' has a password in the old format; please change the password to the new format
Just to be sure, I tried to login using a non-existing user. For example, I try to login as NOTEXISTING, just to verify that the error message is indeed different.
mysqli_real_connect(): (HY000/1045): Access denied for user
'NOTEXISTING'@'localhost' (using password: YES)
Now, the question is, where is the old user information stored?
The user does not exist in the mysql database:
select * from mysql.user where user = 'XYZ';
=> empty result
grep -r XYZ /path_to_mysql_database_dir/mysql/
=> nothing
I also tried "FLUSH PRIVILEGES" to reload the user table.
Do you have an idea where the user information is stored?
Update
After trying various things and even testing on a completely fresh installed system, I come to the conclusion that it must be some kind of bug, so I opened a bug report: https://jira.mariadb.org/browse/MDEV-17789 . Any other ideas are welcome.
mariadb
add a comment |
I have found a weird phenomenon on my MariaDB server (version 10.1.26-MariaDB-0+deb9u1)
I used to have a user XYZ long time ago, and this user probably got deleted sometime. However, I tried to login using this user and I got the following error message:
mysqli_real_connect(): (HY000/1275): Server is running in
--secure-auth mode, but 'XYZ'@'localhost' has a password in the old format; please change the password to the new format
Just to be sure, I tried to login using a non-existing user. For example, I try to login as NOTEXISTING, just to verify that the error message is indeed different.
mysqli_real_connect(): (HY000/1045): Access denied for user
'NOTEXISTING'@'localhost' (using password: YES)
Now, the question is, where is the old user information stored?
The user does not exist in the mysql database:
select * from mysql.user where user = 'XYZ';
=> empty result
grep -r XYZ /path_to_mysql_database_dir/mysql/
=> nothing
I also tried "FLUSH PRIVILEGES" to reload the user table.
Do you have an idea where the user information is stored?
Update
After trying various things and even testing on a completely fresh installed system, I come to the conclusion that it must be some kind of bug, so I opened a bug report: https://jira.mariadb.org/browse/MDEV-17789 . Any other ideas are welcome.
mariadb
add a comment |
I have found a weird phenomenon on my MariaDB server (version 10.1.26-MariaDB-0+deb9u1)
I used to have a user XYZ long time ago, and this user probably got deleted sometime. However, I tried to login using this user and I got the following error message:
mysqli_real_connect(): (HY000/1275): Server is running in
--secure-auth mode, but 'XYZ'@'localhost' has a password in the old format; please change the password to the new format
Just to be sure, I tried to login using a non-existing user. For example, I try to login as NOTEXISTING, just to verify that the error message is indeed different.
mysqli_real_connect(): (HY000/1045): Access denied for user
'NOTEXISTING'@'localhost' (using password: YES)
Now, the question is, where is the old user information stored?
The user does not exist in the mysql database:
select * from mysql.user where user = 'XYZ';
=> empty result
grep -r XYZ /path_to_mysql_database_dir/mysql/
=> nothing
I also tried "FLUSH PRIVILEGES" to reload the user table.
Do you have an idea where the user information is stored?
Update
After trying various things and even testing on a completely fresh installed system, I come to the conclusion that it must be some kind of bug, so I opened a bug report: https://jira.mariadb.org/browse/MDEV-17789 . Any other ideas are welcome.
mariadb
I have found a weird phenomenon on my MariaDB server (version 10.1.26-MariaDB-0+deb9u1)
I used to have a user XYZ long time ago, and this user probably got deleted sometime. However, I tried to login using this user and I got the following error message:
mysqli_real_connect(): (HY000/1275): Server is running in
--secure-auth mode, but 'XYZ'@'localhost' has a password in the old format; please change the password to the new format
Just to be sure, I tried to login using a non-existing user. For example, I try to login as NOTEXISTING, just to verify that the error message is indeed different.
mysqli_real_connect(): (HY000/1045): Access denied for user
'NOTEXISTING'@'localhost' (using password: YES)
Now, the question is, where is the old user information stored?
The user does not exist in the mysql database:
select * from mysql.user where user = 'XYZ';
=> empty result
grep -r XYZ /path_to_mysql_database_dir/mysql/
=> nothing
I also tried "FLUSH PRIVILEGES" to reload the user table.
Do you have an idea where the user information is stored?
Update
After trying various things and even testing on a completely fresh installed system, I come to the conclusion that it must be some kind of bug, so I opened a bug report: https://jira.mariadb.org/browse/MDEV-17789 . Any other ideas are welcome.
mariadb
mariadb
edited Nov 21 '18 at 14:27
Daniel Marschall
asked Nov 21 '18 at 8:18
Daniel MarschallDaniel Marschall
1,9332035
1,9332035
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
The plaintext password is not stored anywhere.
SELECT user, host, password FROM user
may provide something like
| pm_demo | localhost | FFC3F585 |
| dist | localhost | A8900DDB |
| ronly | localhost | 5208517A |
| spent | localhost | 26B08F08 |
| test | 1.2.3.4 | A40C6DCC |
That "password" is really an encrypted version of the plaintext password. It is the "old format", which is not very secure. New passwords look more like
*A5280BD3F8C6BCC6537FCC3E113D794DD53534CC
There are also other authentication mechanisms. (I don't know where you are in the evolution of authentication.)
SELECT * FROM user WHERE user = 'xyz'G
*************************** 1. row ***************************
Host: localhost
User: xyz
Password: *6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
...
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
1 row in set (0.00 sec)
SHOW GRANTS FOR xyz@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for xyz@localhost |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'xyz'@'localhost' IDENTIFIED BY PASSWORD '*6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568' |
| GRANT ALL PRIVILEGES ON `xyz`.* TO 'xyz'@'localhost' |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Yes, I know all that. But in theuser
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.
– Daniel Marschall
Nov 22 '18 at 7:16
1
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
@DanielMarschall - SeeFLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
add a comment |
A developer has confirmed that the (in my opinion wrong) error message is intentional behavior, based on a hash of the user table.
https://jira.mariadb.org/plugins/servlet/mobile#issue/MDEV-17789
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53407779%2fold-user-is-still-there%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The plaintext password is not stored anywhere.
SELECT user, host, password FROM user
may provide something like
| pm_demo | localhost | FFC3F585 |
| dist | localhost | A8900DDB |
| ronly | localhost | 5208517A |
| spent | localhost | 26B08F08 |
| test | 1.2.3.4 | A40C6DCC |
That "password" is really an encrypted version of the plaintext password. It is the "old format", which is not very secure. New passwords look more like
*A5280BD3F8C6BCC6537FCC3E113D794DD53534CC
There are also other authentication mechanisms. (I don't know where you are in the evolution of authentication.)
SELECT * FROM user WHERE user = 'xyz'G
*************************** 1. row ***************************
Host: localhost
User: xyz
Password: *6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
...
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
1 row in set (0.00 sec)
SHOW GRANTS FOR xyz@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for xyz@localhost |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'xyz'@'localhost' IDENTIFIED BY PASSWORD '*6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568' |
| GRANT ALL PRIVILEGES ON `xyz`.* TO 'xyz'@'localhost' |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Yes, I know all that. But in theuser
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.
– Daniel Marschall
Nov 22 '18 at 7:16
1
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
@DanielMarschall - SeeFLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
add a comment |
The plaintext password is not stored anywhere.
SELECT user, host, password FROM user
may provide something like
| pm_demo | localhost | FFC3F585 |
| dist | localhost | A8900DDB |
| ronly | localhost | 5208517A |
| spent | localhost | 26B08F08 |
| test | 1.2.3.4 | A40C6DCC |
That "password" is really an encrypted version of the plaintext password. It is the "old format", which is not very secure. New passwords look more like
*A5280BD3F8C6BCC6537FCC3E113D794DD53534CC
There are also other authentication mechanisms. (I don't know where you are in the evolution of authentication.)
SELECT * FROM user WHERE user = 'xyz'G
*************************** 1. row ***************************
Host: localhost
User: xyz
Password: *6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
...
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
1 row in set (0.00 sec)
SHOW GRANTS FOR xyz@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for xyz@localhost |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'xyz'@'localhost' IDENTIFIED BY PASSWORD '*6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568' |
| GRANT ALL PRIVILEGES ON `xyz`.* TO 'xyz'@'localhost' |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Yes, I know all that. But in theuser
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.
– Daniel Marschall
Nov 22 '18 at 7:16
1
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
@DanielMarschall - SeeFLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
add a comment |
The plaintext password is not stored anywhere.
SELECT user, host, password FROM user
may provide something like
| pm_demo | localhost | FFC3F585 |
| dist | localhost | A8900DDB |
| ronly | localhost | 5208517A |
| spent | localhost | 26B08F08 |
| test | 1.2.3.4 | A40C6DCC |
That "password" is really an encrypted version of the plaintext password. It is the "old format", which is not very secure. New passwords look more like
*A5280BD3F8C6BCC6537FCC3E113D794DD53534CC
There are also other authentication mechanisms. (I don't know where you are in the evolution of authentication.)
SELECT * FROM user WHERE user = 'xyz'G
*************************** 1. row ***************************
Host: localhost
User: xyz
Password: *6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
...
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
1 row in set (0.00 sec)
SHOW GRANTS FOR xyz@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for xyz@localhost |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'xyz'@'localhost' IDENTIFIED BY PASSWORD '*6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568' |
| GRANT ALL PRIVILEGES ON `xyz`.* TO 'xyz'@'localhost' |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
The plaintext password is not stored anywhere.
SELECT user, host, password FROM user
may provide something like
| pm_demo | localhost | FFC3F585 |
| dist | localhost | A8900DDB |
| ronly | localhost | 5208517A |
| spent | localhost | 26B08F08 |
| test | 1.2.3.4 | A40C6DCC |
That "password" is really an encrypted version of the plaintext password. It is the "old format", which is not very secure. New passwords look more like
*A5280BD3F8C6BCC6537FCC3E113D794DD53534CC
There are also other authentication mechanisms. (I don't know where you are in the evolution of authentication.)
SELECT * FROM user WHERE user = 'xyz'G
*************************** 1. row ***************************
Host: localhost
User: xyz
Password: *6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
...
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
1 row in set (0.00 sec)
SHOW GRANTS FOR xyz@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for xyz@localhost |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'xyz'@'localhost' IDENTIFIED BY PASSWORD '*6D800EA40C6DCC75BFF67DAB58D5D49FC5F8E568' |
| GRANT ALL PRIVILEGES ON `xyz`.* TO 'xyz'@'localhost' |
+------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
answered Nov 21 '18 at 21:57
Rick JamesRick James
69.4k561102
69.4k561102
Yes, I know all that. But in theuser
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.
– Daniel Marschall
Nov 22 '18 at 7:16
1
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
@DanielMarschall - SeeFLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
add a comment |
Yes, I know all that. But in theuser
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.
– Daniel Marschall
Nov 22 '18 at 7:16
1
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
@DanielMarschall - SeeFLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
Yes, I know all that. But in the
user
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.– Daniel Marschall
Nov 22 '18 at 7:16
Yes, I know all that. But in the
user
table, as I mentioned, there is no user with the name "XYZ", so "show grants" as well as "select ... from user" does not return anything. I have verified that the message comes from the plugin mysql_native_password (using "default-authentication-plugin"), which should query the user table.– Daniel Marschall
Nov 22 '18 at 7:16
1
1
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
I come to the conclusion that it must be a bug in MariaDB, since the wrong error message disappears when I change anything at the user table (i.e. removing or adding any user, or changing specific user names). If I do so, I get the normal "access denied" message when I try to login as this non-existing user.
– Daniel Marschall
Nov 22 '18 at 7:17
@DanielMarschall - See
FLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
@DanielMarschall - See
FLUSH PRIVILEGES;
– Rick James
Nov 22 '18 at 19:19
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
I don't want to sound disrespectful, but I did all that, and it is also written in the question
– Daniel Marschall
Nov 23 '18 at 7:58
add a comment |
A developer has confirmed that the (in my opinion wrong) error message is intentional behavior, based on a hash of the user table.
https://jira.mariadb.org/plugins/servlet/mobile#issue/MDEV-17789
add a comment |
A developer has confirmed that the (in my opinion wrong) error message is intentional behavior, based on a hash of the user table.
https://jira.mariadb.org/plugins/servlet/mobile#issue/MDEV-17789
add a comment |
A developer has confirmed that the (in my opinion wrong) error message is intentional behavior, based on a hash of the user table.
https://jira.mariadb.org/plugins/servlet/mobile#issue/MDEV-17789
A developer has confirmed that the (in my opinion wrong) error message is intentional behavior, based on a hash of the user table.
https://jira.mariadb.org/plugins/servlet/mobile#issue/MDEV-17789
edited Dec 29 '18 at 18:01
answered Nov 23 '18 at 11:00
Daniel MarschallDaniel Marschall
1,9332035
1,9332035
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53407779%2fold-user-is-still-there%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown