Article ID: 114200, created on Jun 25, 2012, last review on May 11, 2014


H-Sphere 3.6 (with PHP 5.3): you get the following error while trying to access a MySQL database from a PHP script (PHP 5.3 is installed on a server): mysqlnd cannot connect to MySQL 4.1+ using old authentication.

Earlier H-Sphere versions: you try using new hashing scheme for mysql.


By default, all H-Sphere MySQL installations use the "old" password hashing scheme for compatibility with PHP 4 MySQL client libraries. Since the 5.3 version, PHP uses the new 41-byte password format of MySQL 4.1 (Backward Incompatible Changes).


Upgrade account passwords to the new hashing scheme on the target MySQL server.

Note: Once you upgrade passwords to the new 41-byte format, PHP 4 applications will be unable to connect to databases on the target server. Therefore, we recommend that you move clients' and third-party PHP 4 applications to a separate MySQL server with the "old" password hashing scheme.

Note: Please read this KB article carefully before performing any actions.

  1. Back up data on your target MySQL server. For example, on a MySQL server running on Linux:

    mysqldump --defaults-file=/var/lib/mysql/.my.cnf --all-databases >/somewhere/mysql.user.sql

    Another option is to stop your MySQL server and back up /var/lib/mysql/ (for Linux) or /var/db/mysql/ (for FreeBSD), and then start the server again. Example for Linux:

    /etc/init.d/mysql stop
    tar czf /somewhere/mysql.tar.gz /var/lib/mysql
    /etc/init.d/mysql start

    Example for FreeBSD:

    /usr/local/etc/rc.d/ stop
    tar czf /somewhere/mysql.tar.gz /var/lib/mysql
    /usr/local/etc/rc.d/ start
  2. Create (or use existing) a custom MySQL configuration template from the default one on the particular MySQL server:

    cd /hsphere/local/config/mysql/
    cp my.cnf_tmpl my.cnf_tmpl.custom
  3. Comment out line "old-passwords" in the file /hsphere/local/config/mysql/my.cnf_tmpl.custom on the server. This line must exist in the MySQL configuration file (it may be whether commented out or not) in all H-Sphere releases earlier than 3.4.1 SPU 50, 3.5.1 SPU 51, 3.6.0 SPU 52. For the 3.4.1 SPU 50, 3.5.1 SPU 51, 3.6.0 SPU 52 and later versions you may simply delete this line.

  4. Apply changes from the custom configuration template and restart MySQL.

    Example for Linux:

    /etc/init.d/mysql restart

    Example for FreeBSD (H-Sphere 3.4, 3.5):

    /usr/local/etc/rc.d/ restart

    Example for FreeBSD (H-Sphere 3.6):

    /usr/local/etc/rc.d/mysql-server restart 
  5. Change password hashing for end users' accounts using the script on the Control Panel server. The script can operate in two modes: SQL file generation (default) and direct modification. Direct modification allows you to update all end users’ passwords without any additional steps, but it is slower than generating and using an SQL file.

    Note: Regardless of the mode you choose, you should provide the script with the logical server ID of the target MySQL server . You can get this information from the Control Panel interface selecting proper logical server in “E. Manager” -> “Servers” -> “L.Servers”.

    1. The SQL file generation mode

      Copy the script to your Control Panel server and run it with the single parameter – the logical server Id of the target MySQL server: 30 >/tmp/newpass.sql    

      The script will generate the file /tmp/newpass.sql. Move this file to your target MySQL server and execute the following command on that server:

      mysql --defaults-file=/var/lib/mysql/.my.cnf </tmp/newpass.sql
    2. The direct modification mode

      Copy the script to your Control Panel server and run it as shown in the example below. Note that you should provide the logical server Id of the target MySQL server parameter.: 30 act
  6. Change password hashing for third-party software accounts.

    There are several MySQL accounts and respective services used by third-party software:

    • vpopmail (mail)
    • spamassassin (mail)
    • horde (webmail)
    • phpuser (phpMyAdmin)

    It is recommended to change passwords for these accounts except vpopmail by running the physical box update ( for a set of boxes that host respective services.
    The vpopmail password can be changed by running the script /hsphere/local/config/mail/scripts/ on a physical box that host target MySQL and mail logical servers.
    List of commands which you can use to find third-party account passwords in case you want to update them manually:

    • vpopmail:

      cat /hsphere/local/var/vpopmail/etc/vpopmail.mysql | awk -F\| '{ print $4 }';
    • spamassassin (you should see only one line in result):

      cat /hsphere/local/config/mail/spamassassin/ | grep sql_password | awk '{ print $2 }' | uniq
    • horde:

      grep "\bsql\b" "/hsphere/shared/apache/htdocs/horde/config/conf.php" | grep "\bpassword\b" | awk '{ print $3 }' | awk -F\' '{ print $2 }'   
    • phpuser:

      cat /hsphere/shared/apache/htdocs/phpMyAdmin/servers.config.php | grep '\bcontrolpass\b' | awk '{ print $3 }' | awk -F\' '{ print $2 }' | uniq   

    These commands should be executed on boxes that host respective services that, in turn, store their data on the target MySQL server. After you get the passwords you need, you can use them for updating password hashes on the target MySQL server manually. The following example changes a password for a Horde user. You will need to replace the PASSHERE placeholder with an actual password.

    • Linux:

      echo "UPDATE mysql.user SET password = PASSWORD( 'PASSHERE' ) where user = 'horde' ; FLUSH PRIVILEGES;" | mysql --defaults-file=/var/lib/mysql/.my.cnf
    • FreeBSD:

      echo "UPDATE mysql.user SET password = PASSWORD( 'PASSHERE' ) where user = 'horde' ; FLUSH PRIVILEGES;" | mysql --defaults-file=/var/db/mysql/.my.cnf
  7. Verify the changes You can run the following command on your target MySQL server to determine if some MySQL accounts are left with the old password scheme:

    echo "SELECT user FROM mysql.user WHERE length(password) < 41;" | mysql --defaults-file=/var/lib/mysql/.my.cnf

    Note: It is possible that some accounts that were not updated belong to removed H-Sphere users. You should review all these cases manually.


6311ae17c1ee52b36e68aaf4ad066387 f213b9fa8759d57bee5d547445806fe7 2e39a5e5b1423cc126cf735bac076008

Email subscription for changes to this article
Save as PDF