Server responds with empty packet during session negotiation resulting in client giving a malformed packet error

The packet that I thought was empty was actually not; it was an Old Auth Switch Request:

Payload
    1     [fe]
Fields
    status (1) -- 0xfe
Returns
    Protocol::AuthSwitchResponse with old password hash
Example
    01 00 00 02 fe

The 1, 2, 254 that Wireshark parsed is actually 01 00 00 02 fe if you look at the actual byte strings.

So it isn't that there is a misunderstanding, the server understands completely and correctly responds and the client correctly terminates because it cannot negotiate down. The protocol is not too old as it was changed in 4.1, so both 5.0 and 5.7 understand each other perfectly. This should be a clearer error message.

The client is too new to use --skip-secure-auth (reference). They purposefully removed the ability to negotiate down prior to 5.7.

So my options are to allow new passwords on the server (which is a user specific configuration, not global server option) or to use an older binary.

The specific configuration issue is based on the username I was given. At some point in the past, someone using this username was using an older client and they changed the password method:

B.5.2.4 Client does not support authentication protocol

The current implementation of the authentication protocol uses a password hashing algorithm that is incompatible with that used by older (pre-4.1) clients. Attempts to connect to a 4.1 or newer server with an older client may fail with the following message:

shell> mysql
Client does not support authentication protocol requested
by server; consider upgrading MySQL client

To deal with this problem, the preferred solution is to upgrade all client programs to use a 4.1.1 or newer client library. If that is not possible, use one of the following approaches:

    To connect to the server with a pre-4.1 client program, use an account that still has a pre-4.1-style password.

    Reset the password to pre-4.1 style for each user that needs to use a pre-4.1 client program. This can be done using the SET PASSWORD statement and the OLD_PASSWORD() function. As of MySQL 5.6.6, it is also necessary to first ensure that the authentication plugin for the account is mysql_old_password:

    mysql> UPDATE mysql.user SET plugin = 'mysql_old_password'
        -> WHERE User = 'some_user' AND Host = 'some_host';
    mysql> FLUSH PRIVILEGES;
    mysql> SET PASSWORD FOR
        -> 'some_user'@'some_host' = OLD_PASSWORD('new_password');

I got this error when trying to connect to an older MySQL server with @@old_passwords enabled. I am using mysql-client v5.7.19 and Server version: 5.1.73.

I fixed the problem by manually creating a MySQL SHA1 password hash (using a program I wrote for the purpose) and then I ran this command on the server:

SET PASSWORD FOR 'nagios'@'10.10.10.201' = 'xxxx';

(Where xxxx was actually the hash.)
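
An added example, not the poster's program and not code from the original page: a Python sketch that recognises the 01 00 00 02 fe packet from the first answer as an Old Auth Switch Request and computes a 4.1-style hash of the kind the second answer sets by hand. It assumes that "MySQL SHA1 password hash" means the mysql_native_password format ('*' followed by the uppercase hex of SHA1(SHA1(password))); all function names are illustrative.

```python
import hashlib

HEX = set("0123456789abcdefABCDEF")

def parse_packet(raw: bytes):
    """Split one MySQL wire packet into (payload_length, sequence_id, payload)."""
    if len(raw) < 4:
        raise ValueError("need a 4-byte header")
    length = int.from_bytes(raw[:3], "little")  # 3-byte little-endian length
    seq = raw[3]                                # 1-byte sequence id
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return length, seq, payload

def is_old_auth_switch(raw: bytes) -> bool:
    """True for the Old Auth Switch Request: a payload of exactly one 0xfe byte.

    A longer payload starting with 0xfe is the newer Auth Switch Request,
    which carries a plugin name after the status byte.
    """
    length, _seq, payload = parse_packet(raw)
    return length == 1 and payload == b"\xfe"

def native_password_hash(password: str) -> str:
    """4.1+ hash: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def hash_format(stored: str) -> str:
    """Classify a stored password value by shape (41 chars vs. 16 hex digits)."""
    if len(stored) == 41 and stored[0] == "*" and set(stored[1:]) <= HEX:
        return "4.1+"
    if len(stored) == 16 and set(stored) <= HEX:
        return "pre-4.1"
    return "unknown"

if __name__ == "__main__":
    pkt = bytes.fromhex("01000002fe")  # the bytes quoted in the first answer
    print(parse_packet(pkt), is_old_auth_switch(pkt))
    # Constructed sample password, for illustration only.
    print(native_password_hash("password"))
```

Running hash_format over the stored password values of an account list shows which accounts will still trigger the 0xfe downgrade request for a 5.7 client.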
