How to Fix MySQL Error 1698: Access Denied for User root (auth_socket)

Pulse - Elasticsearch Operations Done Right

On this page

What This Error Means Common Causes How to Fix <code>ER_ACCESS_DENIED_ERROR</code> Additional Information Frequently Asked Questions

MySQL error 1698 (ER_ACCESS_DENIED_ERROR) surfaces with the message ERROR 1698 (28000): Access denied for user 'root'@'localhost' and has SQLSTATE code 28000. It means MySQL refused the connection attempt because the supplied credentials — or lack of credentials — did not satisfy the authentication plugin configured for that user account. The error itself is generic to any denied login, but on Ubuntu and Debian systems the most common trigger is the auth_socket (also called unix_socket) plugin assigned to the root account by default.

What This Error Means

SQLSTATE 28000 belongs to the "invalid authorization specification" class. MySQL raises it during the handshake phase, before a session is established, so no transaction context exists when the error is returned.

The auth_socket plugin authenticates a MySQL user by checking whether the connecting OS user matches the MySQL username. When you run mysql -u root as a non-root OS user, the plugin sees the mismatch and denies the connection, even if you supply a correct password — because the plugin does not check passwords at all. This is intentional: the plugin is a security measure that ensures only the OS root user can log in as MySQL root without a separate password.

On Ubuntu 16.04 and later, mysql_secure_installation and package post-install scripts configure the root account to use auth_socket (or unix_socket in MariaDB) by default. Many developers hit this immediately after a fresh install when they try to connect from an application or run mysql -u root -p as a regular user.

Common Causes

  1. Connecting as a non-root OS user to a MySQL root account using auth_socket. The OS user identity does not match root, so the plugin rejects the connection regardless of the password provided.
  2. Application connection strings pointing to root with a password. Frameworks and ORMs (Laravel, Django, Rails, etc.) connect as a regular OS process user and always fail against an auth_socket-protected account.
  3. Using mysql -u root -p in a non-root shell. Even with the correct password, auth_socket ignores the password and checks OS identity instead.
  4. The root account password was never set and auth_socket was later removed without assigning a new authentication method or password.
  5. MariaDB unix_socket plugin — the same issue occurs on MariaDB (the plugin is named unix_socket rather than auth_socket), which is the default on Debian-family distributions.

How to Fix ER_ACCESS_DENIED_ERROR

Option 1: Use sudo to access MySQL as OS root (quickest)

If you just need an interactive session and the auth_socket setup is intentional:

sudo mysql
# or
sudo mysql -u root

This works because sudo elevates your OS identity to root, satisfying the plugin.

Option 2: Switch the root account to password-based authentication

Use sudo mysql to enter a privileged session, then change the authentication plugin and set a password:

ALTER USER 'root'@'localhost'
  IDENTIFIED WITH mysql_native_password
  BY 'your_strong_password';

FLUSH PRIVILEGES;

On MySQL 8.0.4 and later, caching_sha2_password is the preferred plugin:

ALTER USER 'root'@'localhost'
  IDENTIFIED WITH caching_sha2_password
  BY 'your_strong_password';

FLUSH PRIVILEGES;

After this change, mysql -u root -p will prompt for the password and work from any OS user.

Option 3: Create a dedicated application user (recommended for production)

Avoid using root for application connections entirely. Create a least-privilege user instead:

CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;

Update your application's connection string to use appuser and the assigned password.

Option 4: Re-enable auth_socket selectively (security-conscious approach)

If you want to keep auth_socket for root but need to run scripts as a non-root OS user, create an OS-level alias or a MySQL config file (~/.my.cnf) that connects using a separate admin account with password auth.

# ~/.my.cnf
[client]
user=appuser
password=strong_password

Additional Information

  • auth_socket was introduced in the MySQL 5.5 era but became the default for the root account on Ubuntu/Debian packages starting with Ubuntu 16.04 (MySQL 5.7). MariaDB adopted the equivalent unix_socket plugin around the same time.
  • SQLSTATE 28000 is also used for other authentication failures (wrong password, account locked, host not allowed), so the specific error number 1698 and the mention of auth_socket in the MySQL error log help distinguish this case.
  • Related error codes: 1045 (ER_ACCESS_DENIED_ERROR with a password mismatch — same SQLSTATE 28000 but different trigger), 1130 (ER_HOST_NOT_PRIVILEGED — host is not allowed to connect).
  • MySQL connectors (Connector/J, mysqlclient, PyMySQL, mysql2 for Node.js) all surface this as a connection-refused error at the driver level. The underlying MySQL error code 1698 is typically included in the exception message or accessible via the driver's error object.
  • After switching from auth_socket to password auth, you may need to restart your application to pick up the new credentials.

Frequently Asked Questions

Why does sudo mysql work but mysql -u root -p does not? The auth_socket plugin authenticates based on the OS user running the client process, not the password. sudo mysql runs the process as OS root, which matches the MySQL root account name. Without sudo, the OS user is your regular account, which does not match, and the plugin rejects the connection before even checking a password.

Will changing the root account to password auth make my server less secure? It can, if you choose a weak password or expose MySQL to external networks. The auth_socket default exists precisely to avoid having a password-accessible root account on a server. For local development it is fine to switch to password auth; on production servers, prefer creating dedicated application users with limited privileges and keep root locked down.

I ran ALTER USER but I still get error 1698. What did I miss? Check that you ran FLUSH PRIVILEGES; after the ALTER USER statement, and verify the change took effect with SELECT user, host, plugin FROM mysql.user WHERE user='root';. Also confirm you are connecting to localhost (Unix socket) rather than 127.0.0.1 (TCP), as these may match different user rows in mysql.user.

Does this affect MySQL on macOS or Windows? No. The auth_socket / unix_socket plugin is Linux-only (it relies on Unix domain socket peer credentials). On macOS and Windows, fresh MySQL installs either set a random root password during installation or require you to set one, and this error does not arise from the socket plugin.

How to Fix MySQL Error 1698: Access Denied for User root (auth_socket)

Get AI-Powered Cluster Maintenance

Try it Free

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.