[Philip Heller]

I'm trying to access a MySql database running on a Mac server cluster, using my MacBook pro as a client. The server cluster lives on my university campus. When I try to access from home, everything is fine. When I try to access from campus I get a "Can't connect to MySQL server" error message.

I can connect to the server machine from campus to do everything else besides MySQL. So I'm pretty sure it's a MySQL permissions problem. And when I try to be a jdbc client from campus, I get an exception that explicitly says "permission denied". So I'm DEFINITELY pretty sure it's a MySQL permissions problem.

Here's my entry in the MySQL user table:

mysql> select host, user, password from user where user='philheller';
+------+------------+-------------------------------------------+
| host | user | password |
+------+------------+-------------------------------------------+
| % | philheller | *09B7D8DBF2350D7F685948FD3C0EF161028C48CC |
+------+------------+-------------------------------------------+


Anybody got any clues?
TIA,
Phil

[besson3c]

Could be a firewall issue. If your campus is blocking port 3306, this is a good thing. You do not want to be connecting directly to your MySQL shell from home, as unless you configure SSL encryption all of this traffic will be sent in plain-text which is not a good thing. A better bet would be to SSH to the machine, and then access the MySQL shell from there.

[Philip Heller]

But my access problem is when I'm on campus, not at home. If it's the firewall that's blocking me, then would human error account for this? They /intended/ to block outside access, and /actually/ blocked on-campus access. I could convince myself that this is what's happening.

[besson3c]

Originally Posted by Philip Heller 

But my access problem is when I'm on campus, not at home. If it's the firewall that's blocking me, then would human error account for this? They /intended/ to block outside access, and /actually/ blocked on-campus access. I could convince myself that this is what's happening.

If they were smart they'd prohibit all outbound port 3306 traffic, which would explain why you can't access MySQL on port 3306 while on campus.

If you want you can try some telnet on port 3306 tests to confirm that this is indeed a firewall issue (if it were a MySQL permissions error you'd still be prompted for your password), but it were me I wouldn't waste my time. Connecting to MySQL on port 3306 is simply a bad idea, no host in their right mind would allow this. It is possible to secure it, but from a network admin perspective there is no way of guaranteeing encryption, so this is a huge liability (especially since this can include sending passwords and/or password hashes in the clear).

Plus, there are several ways around this:

- SSH tunnel to your MySQL server
- SSH hop to your MySQL server
- force using a web-based tool like phpMyAdmin on the MySQL server over SSL

[Philip Heller]

I think you've called it exactly. Thanks, I would have wasted a lot of time fooling around with musql permissions.

[besson3c]

No problem! Please let us know if you'd like help with coming up with an alternate way of accessing MySQL

[mduell]

Originally Posted by Philip Heller 

And when I try to be a jdbc client from campus, I get an exception that explicitly says "permission denied".

besson you think a firewall issue is causing permission denied? Or that it's a poorly worded error message?

[Philip Heller]

I don't have access to the source code, but I think the jdbc driver can't tell the difference between denial by the firewall and denial by the mysql server. So I think mduell is right, it's a misleading error message.

Out network admin is doing some firewall testing this morning. I'll report back when he tells me something.

[besson3c]

Originally Posted by mduell 

besson you think a firewall issue is causing permission denied? Or that it's a poorly worded error message?

I may have misread a part of the original post, you are right that usually firewall problems result in an immediate connection refused sort of error message, but I suppose that it is not out of the realm of possibility for his client (which I'm not familiar with) to give a misleading error message like that.