Skip to main content

Ubuntu MySQL ERROR 1698 (28000)

Ubuntu MySQL ERROR 1698 (28000): Access denied for user 'root'@'localhost'


 This is a quick note about MySQL root access error in Ubuntu even though the password is correct.


TLDR;
use sudo!
sudo mysql 


After installing MySQL in ubuntu (sudo apt install mysql-server), you can run secure installation utility command to set the root password.

sudo mysql_secure_installation utility

I'm not going to explain this in detail since this post is not about the installation but the error.

After setting the root password with the above util, the expectation is to use the below command and log into MySQL as root.

mysql -u root -p

For Ubuntu, this doesn't seem to be working. The reason is, in the new MySQL installation in Ubuntu uses something called Socket Peer-Credential Pluggable Authentication. This authentication mechanism authenticates clients that connect from the local host through the Unix socket file. Basically, it means the MySQL user also requires access to the Unix socket file itself. Unix socket is a file that OS uses to communicate with programs. 

Therefore, if you used sudo, it will grant access to the socket, so as to the MySQL itself. 

Accessing without sudo

To access without using sudo powers, we can create a new MySQL user with the name of the system user.

eg: let's say my system user is thilinaj

1. login to mysql from root (sudo mysql) and select mysql database.

USE mysql;

2. Create user

CREATE USER 'thilinaj'@'localhost' IDENTIFIED WITH auth_socket;

3. Grant permissions

GRANT ALL PRIVILEGES ON *.* TO 'thilinaj'@'localhost' WITH GRANT OPTION;

4. Reload previleges and exit

FLUSH PRIVILEGES;

exit

5. Next time you login, you can just type in mysql and you're in

Ubuntu MySQL CLI



The cool thing about the auth_socket plugin is you don't have to provide the password. That is because the authentication is taken care of by the OS auth socket.


Accessing root user without sudo

To use the root user without the sudo access, we can use the following workaround (not recommended).

1. Log in to mysql using sudo

sudo mysql -u root

2. Once logged in, switch to mysql database

USE mysql;

3. Update the authentication mechanism for root

ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

4. Reload the privileges and exit.

FLUSH PRIVILEGES;

exit

5. Sometimes you may need to 

Next time when you log in, you wouldn't need to use the sudo keyword. 


Application users

When creating application users, you'll have to use the caching_sha2_password to authenticate.

eg: 


CREATE USER 'appuser'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'apppassword';

CREATE USER 'appuser'@'%' IDENTIFIED WITH caching_sha2_password BY 'apppassword';


Some of the common types of authentication plugins

Following are the types of authentication mechanisms available and a little bit of information about them.

  • auth_socket 
    • Uses OS authentication socket to authenticate the MySQL user. So, the username should be similar to the OS user. The mysql root can be only accessed by the root user of the OS.
  • caching_sha2_password
    • Uses a strong SHA 256 algorithm to hash the password. Also, it supports server-side caching for the passwords, so it has better performance. This is the default authentication plugin after MySQL 8.0.
  • sha256_password
    • Same as caching_sha2_password but without caching.
  • mysql_native_password 
    • Relies on SHA1 algorithm which is relatively weak. Therefore not recommended.
MySQL supports few more authentication plugins. You can find them on this page.

These plugins can be activated and deactivated in the configurations. MySQL documentation would provide more information on this.


Labels:

Comments

Post a Comment

Popular posts from this blog

Install Docker on Windows 11 with WSL Ubuntu 22.04

This is to install Docker within Ubuntu WSL without using the Windows Docker application. Follow the below steps. Install Ubuntu 22.04 WSL 1. Enable Windows Subsystem for Linux and Virtual Machine platform Go to Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off 2. Switch to WSL 2 Open Powershell and type in the below command. wsl --set-default-version 2 If you don't have WSL 2, download the latest WSL 2 package and install it.  3. Install Ubuntu Open Microsoft Store and search for Ubuntu. Select the version you intend to install. I'd use the latest LTS version Ubuntu 22.04. Click on the Get button. It will take a couple of minutes to download and install. 4. Open up the installed Ubuntu version that was installed. If you get an error like the below image, make sure to install the WSL2 Kernel update .  If it's an older Ubuntu version the error message would be something like the image below. Error: WSL 2 requires an update to its ...
1 comment
Read more

How to fix SSLHandshakeException PKIX path building failed in Java

TL ; DR 1. Extract the public certificate of the website/API that you are trying to connect from your Java application. Steps are mentioned in this post 2. Use the Java keytool to install the extracted certificate into the "cacerts" file (Trust store) keytool -import -trustcacerts -alias <domain name> -file <public certificate>.cert -keystore /path_to_java_home/jre/lib/security/cacerts -storepass changeit 3. Restart your Java application Exception A typical exception stack trace would look like below. javax.net.ssl. SSLHandshakeException : sun.security.validator.ValidatorException: PKIX path building failed : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshake...
Post a Comment
Read more

Automatically open Chrome developer tools in a new tab

Sometimes we need to check the console or the network transactions of a link that opens up in a new tab. By default, the Chrome developer tools are not opening in a new tab. So, by the time when we hit F12 and open the dev tools, part of the information we needed could be already gone.  There's a setting in dev tools where you can keep the dev tools open automatically in a new tab. To enable that, hit F12 and open up the dev tools. Click on the settings icon in the top right corner. In the Preferences section, scroll down to the bottom. You'll be able to find the option to Auto-open DevTools for popups. Select the checkbox and we're good to go!
Post a Comment
Read more