MySQL error: Access denied for user 'a'@'localhost' (using password: YES)

I created the account 'a'@'%' using the root account. But when I specify the host parameter, I cannot connect to the MySQL server with that account. I can connect successfully without the -h parameter. See the transcript below. I hope someone can help me explain this. Thanks.

mysql> grant all on *.* to 'a'@'%' identified by a;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'a' at line 1
mysql> grant all on *.* to 'a'@'%' identified by 'a';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'a'@'%';
+-----------------------------------------------------------------------------------------------------------+
| Grants for a@%                                                                                            |
+-----------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'a'@'%' IDENTIFIED BY PASSWORD '*667F407DE7C6AD07358FA38DAED7828A72014B4E' |
+-----------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye

[root@localhost ~]# mysql -h localhost -u a -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: YES)
[root@localhost ~]# mysql -h 127.0.0.1 -u a -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: YES)
[root@localhost ~]# mysql -u a -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'a'@'localhost' (using password: YES)
[root@localhost ~]# mysql -u a
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.5.17 MySQL Community Server (GPL)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
mysql> status
--------------
mysql  Ver 14.14 Distrib 5.5.17, for Linux (x86_64) using readline 5.1

Connection id:      20
Current database:   
Current user:       a@localhost
SSL:            Not in use
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.5.17 MySQL Community Server (GPL)
Protocol version:   10
Connection:     Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:        /var/lib/mysql/mysql.sock
Uptime:         15 days 15 hours 20 min 18 sec

Threads: 1  Questions: 40  Slow queries: 0  Opens: 41  Flush tables: 1  Open tables: 4  Queries per second avg: 0.000
--------------

mysql> 

Edit:

Yes, MySQL is listening on port 3306.

[root@localhost ~]# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-01-18 07:35 CST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
840/tcp  open  unknown
3306/tcp open  mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.064 seconds
[root@localhost ~]# 
Best answer
Here is a quick and easy way to check how MySQL performs a successful authentication.

Please run this query:

SELECT USER(),CURRENT_USER();

USER() reports how you attempted to authenticate in mysqld

CURRENT_USER() reports how you were actually authenticated by mysqld

Sometimes USER() and CURRENT_USER() differ. That is because mysql authentication follows a specific protocol.

According to the MySQL 5.0 Certification Study Guide

see pages 486 and 487 for mysql's authentication algorithm:

There are two stages of client access control:

In the first stage, a client attempts to connect and the server either
accepts or rejects the connection. For the attempt to succeed, some
entry in the user table must match the host from which the client
connects, the username, and the password.

In the second stage (which occurs only if a client has already
connected successfully), the server checks every query it receives from
the client to see whether the client has sufficient privileges to
execute it.

The server matches a client against entries in the grant tables based
on the host from which the client connects and the user the client
provides. However, it’s possible for more than one record to match:

Host values in grant tables may be specified as patterns containing
wildcard values. If a grant table contains entries from
myhost.example.com, %.example.com, %.com, and %, all of them
match a client who connects from myhost.example.com.

Patterns are not allowed for the User values in grant table entries,
but a username may be given as an empty string to specify an anonymous
user. The empty string matches any username and thus effectively acts
as a wildcard.

When the Host and the User values in more than one user table record
match a client, the server must decide which one to use. It does this
by sorting records with the most specific Host and User column values
first, and choosing the matching record that occurs first in the
sorted list. Sorting takes place as follows:

In the Host Column, literal values such as localhost, 127.0.0.1,
and myhost.example.com sort ahead of values such as %.example.com
that have pattern characters in them. Pattern values are sorted
according to how specific they are. For example, %.example.com is
more specific than %.com, which is more specific than %.

In the User column, non-blank usernames sort ahead of blank usernames.
That is, non-anonymous users sort ahead of anonymous users.

The server performs this sorting when it starts. It reads the grant
tables into memory, sorts them, and uses the in-memory copies for
access control.

From this description, you do not need to worry about the order of the mysql.user table, because there is an in-memory copy of the grant tables sorted in the manner described above.

As for how you logged in, only mysql -u a worked. Go back, log in again and run these commands

SELECT USER(),CURRENT_USER();
SELECT user,host,password FROM mysql.user;

Make sure that

> every user has a password.
> there are no anonymous users (where user is blank)

This is just a guess, but I suspect that mysql -u a connects via localhost because, when no connection protocol is specified, the default is to connect via the socket file. There may be an entry in mysql.user that allows anonymous localhost connections.

Run this query:

SELECT user,host,password FROM mysql.user WHERE user='' AND host='localhost';

If you get back a row with no password, that completely explains why mysql -u a works.

UPDATE 2012-01-19 11:12 EDT

Craig Efrein raised an interesting question: if two identical usernames exist in the mysql.user table, one with a password and one without, does that mean MySQL refuses to authenticate when no password is used?

This question is excellent with regard to MySQL user authentication.

Please note that the primary key of mysql.user is host,user. There are no other indexes. This allows multiple occurrences of a username. Each occurrence can have a different password or no password. This allows the user 'dbuser' to log in locally (dbuser@localhost) with no password, the same user to log in from another server in a given network (dbuser@'10.1.2.20') with password 'pass1', and that user to log in remotely from anywhere (dbuser@'%') with a remote password (e.g. 'pass2').

Given the authentication algorithm MySQL uses, there is no restriction on the presence or absence of a password for a user.

This is why the MySQL 5.0 Certification Study Guide says on Page 498 Paragraph 6, in its bullet points on how to clean up the authentication process:

On Unix, MySQL comes with a mysql_secure_installation script that can
perform several helpful security-related operations on your
installation. The script has the following capabilities:

  • Set a password for the root accounts
  • Remove any remotely accessible root accounts.
  • Remove the anonymous user accounts. This improves security because
    it prevents the possibility of anyone connecting to the MySQL server
    as root from a remote host. The result is that anyone who wants to
    connect as root must first be able to log in on the server host, which
    provides an additional barrier against attack.
  • Remove the test database (If you remove the anonymous accounts, you
    might also want to remove the test database to which they have
    access).

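The matching rules quoted from the study guide, and the follow-up about one username with different passwords per host, can be checked against a small model of the grant table. The following Python script is an added example, not code from the original post or from MySQL itself: it sorts a constructed mysql.user table the way the guide describes (literal hosts before patterns, more specific patterns first, non-anonymous before anonymous users), picks the first matching row the way stage one does, and then checks the password against that row. The hashing is the mysql_native_password scheme ('*' followed by SHA1(SHA1(password))); the sample rows, the host-specificity scoring and the client addresses are assumptions made for the illustration, modelled on the question's server and the answer's dbuser scenario.

```python
import hashlib
import re
from dataclasses import dataclass


def mysql_native_hash(password):
    """MySQL 4.1+/5.x PASSWORD(): '*' + uppercase hex SHA1(SHA1(pw)); '' means no password."""
    if password == "":
        return ""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


@dataclass(frozen=True)
class UserRow:
    user: str      # '' = anonymous row, matches any client username
    host: str      # literal host or pattern using % and _ wildcards
    password: str  # stored hash; '' = no password set


def host_sort_key(host):
    """Lower sorts first: literal hosts before any pattern; among patterns the
    one with more literal characters counts as more specific (simplified model)."""
    has_wildcard = any(c in host for c in "%_")
    literal_chars = sum(1 for c in host if c not in "%_")
    return (1 if has_wildcard else 0, -literal_chars, host)


def sorted_grant_table(rows):
    """The in-memory ordering: most specific host first, then non-anonymous users first."""
    return sorted(rows, key=lambda r: (host_sort_key(r.host), 1 if r.user == "" else 0, r.user))


def host_matches(pattern, client_host):
    """Translate MySQL's % (any run) and _ (one char) wildcards into a regex."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None


def resolve_account(rows, client_user, client_host):
    """Stage one: the first row in the sorted table whose host and user both match."""
    for row in sorted_grant_table(rows):
        if host_matches(row.host, client_host) and row.user in ("", client_user):
            return row
    return None


def authenticate(rows, client_user, client_host, password):
    """USER() is what the client claimed; CURRENT_USER() is the row the server actually used."""
    row = resolve_account(rows, client_user, client_host)
    result = {"USER()": f"{client_user}@{client_host}", "CURRENT_USER()": None,
              "ok": False, "error": None}
    if row is None or row.password != mysql_native_hash(password):
        using = "YES" if password else "NO"
        result["error"] = (f"ERROR 1045 (28000): Access denied for user "
                           f"'{client_user}'@'{client_host}' (using password: {using})")
        return result
    result["CURRENT_USER()"] = f"{row.user}@{row.host}"
    result["ok"] = True
    return result


def anonymous_local_accounts(rows):
    """Same question as: SELECT user,host,password FROM mysql.user WHERE user='' AND host='localhost';"""
    return [r for r in rows if r.user == "" and r.host == "localhost"]


def remove_anonymous(rows):
    """What the 'remove anonymous users' step of mysql_secure_installation leaves behind."""
    return [r for r in rows if r.user != ""]


# Constructed sample of mysql.user, modelled on the question's server plus the dbuser scenario.
SAMPLE_USER_TABLE = [
    UserRow("root", "localhost", mysql_native_hash("root-secret")),
    UserRow("", "localhost", ""),                 # anonymous local account with no password
    UserRow("a", "%", mysql_native_hash("a")),    # the account created in the question
    UserRow("dbuser", "localhost", ""),
    UserRow("dbuser", "10.1.2.20", mysql_native_hash("pass1")),
    UserRow("dbuser", "%", mysql_native_hash("pass2")),
]

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used here as a constructed remote client.
    for user, host, pw in [("a", "localhost", "a"), ("a", "localhost", ""), ("a", "192.0.2.10", "a")]:
        r = authenticate(SAMPLE_USER_TABLE, user, host, pw)
        print(r["USER()"], "->", r["CURRENT_USER()"] if r["ok"] else r["error"])
    fixed = authenticate(remove_anonymous(SAMPLE_USER_TABLE), "a", "localhost", "a")
    print("after removing anonymous accounts:", fixed["CURRENT_USER()"])
```

With the anonymous ''@'localhost' row present, a local client claiming to be 'a' is matched to that row first, so a password of 'a' is rejected (using password: YES) while an empty password succeeds with CURRENT_USER() reporting @localhost, which is exactly the pattern in the question's transcript. Removing the anonymous rows lets the same login fall through to 'a'@'%' and succeed with its password, and the dbuser rows show that one username can carry a different password on each host row.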