MySQL user is not expired but asking for Password RESET

MySQLmysql-5.7

I am getting the below error for the user root@'%', but when I login through root@'localhost',I can see the password_expired = 'N' for root@'%'

Server version: 5.7.9-log MySQL Community Server (GPL)

ERROR 1820 (HY000): You must reset your password using ALTER USER
statement before executing this statement.

+------+------+------------------+----------------+-------------------+-----------------------+
| user | host | password_expired | account_locked | password_lifetime | password_last_changed |
+------+------+------------------+----------------+-------------------+-----------------------+
| root | %    | N                | N              |              NULL | 2015-12-16 04:50:23   |
+------+------+------------------+----------------+-------------------+-----------------------+

Best Answer

The password is expired -- implicitly -- after 360 days -- in MySQL Server 5.7 versions prior to 5.7.11.

From MySQL 5.7.4 to 5.7.10, the default default_password_lifetime value is 360 (passwords must be changed approximately once per year). For those versions, be aware that, if you make no changes to the default_password_lifetime variable or to individual user accounts, all user passwords will expire after 360 days, and all user accounts will start running in restricted mode when this happens. Clients (which are effectively users) connecting to the server will then get an error indicating that the password must be changed: ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.

https://dev.mysql.com/doc/refman/5.7/en/password-expiration-policy.html

Temporary workaround should be this:

mysql> SET GLOBAL DEFAULT_PASSWORD_LIFETIME = 0;

Better, add to the mysqld section of my.cnf:

default_password_lifetime = 0

...or another appropriate value for your site, then restart the server.

Even better still... upgrade. There were numerous bugs in early GA versions of 5.7, particularly 5.7.9, which was the first GA version of the release series.

Of course, you should be able to modify this account using ALTER USER ... PASSWORD EXPIRE NEVER which is apparently not the same as the NULL value shown in the table.

Related Solutions

Mysql Getting Access denied for user ‘root’@’localhost’ (using password: YES) constantly in log

A) You can check TCPdump output for MySQL port connection.

B) Also you can verify whether any script is running on MySQL server may be something like monit etc.. which continuously pings MySQL port.

MySQL Connection – Fix PHP Connection Issues While Command-Line Works

Found the answer in the MySQL manual, Pluggable Authentication:

As of MySQL 5.5.7, the server authenticates clients using a plugin. Selection of the proper account row from the mysql.user table is based on the user name and client host, as before, but the server authenticates the client by determining from the account row which authentication plugin applies for the client.

The MySQL package creates a root user using the auth_socket authentication plugin, so only connections via a socket are permitted, and the username of the Linux account is checked as well.

The mysql command uses a socket by default, and runs as root in my script, so it was allowed to connect.

According to the PHP manual, a PDO MySQL connection to localhost also uses a socket; but PHP is run as an unprivileged user, so the connection is refused by the auth_socket plugin.

I fixed my script by adding this line:

mysql --user=root -e \
"UPDATE mysql.user SET plugin='mysql_native_password'; FLUSH PRIVILEGES";

And it now works fine.

Best Answer

Related Solutions

Mysql Getting Access denied for user ‘root’@’localhost’ (using password: YES) constantly in log

MySQL Connection – Fix PHP Connection Issues While Command-Line Works

Related Question