Why can't I connect to MariaDB with Navicat through SSH tunnel?

Codemonkey asked:

I’ve always used Navicat on windows to manage my MySQL/Percona instances.

A few days ago I bought a new server and have installed MariaDB 10.3.9.

I can connect to it fine when I’m in a putty session SSHd into the box. mysql -u root -p brings it up perfectly.

For some reason though, Navicat throws the error access denied for user 'root'@'::1' (using password: YES)

Navicat settings are the same that I’ve always used before:

Host Name: localhost
Port: 3306
Mysql username: root
Mysql password: [root’s mysql password]

Use SSH tunnel: yes
IP address: [my server’s ip]
SSH username: [my name]
SSH password: [my ssh password]

I’m not sure why it’d work over SSH when I manually do it, but not when Navicat does it, even though it’s presumably doing largely the same thing. What’s the '::1' bit about, does that point to the problem?


My answer:

Actually there are three subtly different root users in MySQL. (Which is a real pain, but it’s been this way forever and probably won’t change…)

MariaDB [(none)]> select Host, User from mysql.user where User = 'root';
| Host      | User |
| | root |
| ::1       | root |
| localhost | root |
3 rows in set (0.06 sec)

The user root with host localhost is only used when connecting using the UNIX socket. The other users are used when connecting via the TCP socket, via IPv4 or IPv6 respectively.

When you do your ssh port forwarding with Navicat, the TCP socket is used, and specifically the IPv6 TCP socket (as IPv6 is preferred over IPv4). So that user is the one being authenticated against.

Most of us deal with this by making sure the password is set the same for all three rows.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.