Server responds with empty packet during session negotiation resulting in client giving a malformed packet error

The packet that I thought was empty was actually not, it was an Old Auth Switch Request:

Payload
1     [fe]
Fields
status (1) -- 0xfe
Returns
Protocol::AuthSwitchResponse with old password hash
Example
01 00 00 02 fe

The 1, 2, 254 that wireshark parsed is actually 01 00 00 02 fe if you look at the actual byte strings.

So it isn't that there is a misunderstanding, the server understands completely and correctly responds and the client correctly terminates because it cannot negotiate down. The protocol is not too old as it was changed in 4.1, so both 5.0 and 5.7 understand each other perfectly. This should be a clearer error message.

The client is too new to use --skip-secure-auth (reference). They purposefully removed the ability to negotiate down prior to 5.7.

So my options are to allow new passwords on the server (which is a user specific configuration, not global server option) or to use an older binary.

The specific configuration issue is based on the username I was given. At some point in the past, someone using this username was using an older client and they changed the password method:

B.5.2.4 Client does not support authentication protocol

The current implementation of the authentication protocol uses a password hashing algorithm that is incompatible with that used by older (pre-4.1) clients. Attempts to connect to a 4.1 or newer server with an older client may fail with the following message:

shell> mysql
Client does not support authentication protocol requested
by server; consider upgrading MySQL client

To deal with this problem, the preferred solution is to upgrade all client programs to use a 4.1.1 or newer client library. If that is not possible, use one of the following approaches:

    To connect to the server with a pre-4.1 client program, use an account that still has a pre-4.1-style password.

    Reset the password to pre-4.1 style for each user that needs to use a pre-4.1 client program. This can be done using the SET PASSWORD statement and the OLD_PASSWORD() function. As of MySQL 5.6.6, it is also necessary to first ensure that the authentication plugin for the account is mysql_old_password:

    mysql> UPDATE mysql.user SET plugin = 'mysql_old_password'
    mysql> WHERE User = 'some_user' AND Host = 'some_host';
    mysql> FLUSH PRIVILEGES;
    mysql> SET PASSWORD FOR
        -> 'some_user'@'some_host' = OLD_PASSWORD('new_password');

I got this error when trying to connect to an older MySQL server with @@old_passwords enabled. I am using mysql-client v5.7.19 and Server version: 5.1.73 .

I fixed the problem by manually creating a MySQL SHA1 password hash (using a program I wrote for the purpose) and then I ran this command on the server:

SET PASSWORD FOR 'nagios'@'10.10.10.201' = 'xxxx';

(Where xxxx was actually the hash.)

Tags:

Mysql

Related

What is considered for output from an sql server job step? mongodb could not find host matching read preference { mode: \"primary\" } for set? Query against sys.schemas and sys.synonyms runs very slow for one user Shrinking database which is not having any insert/update How do you properly remove "REQUIRE SSL" from a single user? how to get estimated subtree cost? 'Id' with the format: YYYYNNNNNN with the NNNNNN part restarting each year SQL Server sample Update of Statistics misses highest RANGE_HI_KEY on ascending key column How to improve estimate of 1 row in a View constrained by DateAdd() against an index How do I detect execute permission granted to a role (when no ON clause was used) Is total_elapsed_time in DMV sys.dm_exec_requests completely inaccurate? Convert row into concatenated string with column names included

Recent Posts