5.5.6.1. Installing and Using Authentication Plugins

Pluggable authentication uses corresponding plugins on the client and server sides:

  • Install the server plugin so that the server can use it to authenticate client connections.

  • Indicate to the client program when you run it to use the corresponding client plugin when it connects to the server.

The following example shows how to install and use an authentication plugin using the example plugin included in MySQL distributions. The server plugin and client plugins are named test_plugin_server and auth_test_plugin, respectively. Both plugins are located in the shared object file named auth_test_plugin.so in the plugin directory (the directory named by the plugin_dir system variable). If object files have a suffix different from .so on your system, substitute the correct suffix throughout. The procedure shown is the same for other authentication plugins. Just substitute the appropriate plugin name and file name.

The server-side test plugin can be installed at server startup or at runtime:

  • To install the plugin at startup, use the --plugin-load option. For example, use these lines in a my.cnf option file:

    [mysqld]
    plugin-load=test_plugin_server=auth_test_plugin.so
    

    With this plugin-loading method, if the server is started without the option, the plugin is not installed.

  • To install the plugin at runtime, use the INSTALL PLUGIN statement:

    mysql> INSTALL PLUGIN test_plugin_server SONAME 'auth_test_plugin.so';
    

    This installs the plugin permanently and need be done only once.

Use SHOW PLUGINS to verify that the plugin is installed:

mysql> SHOW PLUGINS\G
...
*************************** 21. row ***************************
   Name: test_plugin_server
 Status: ACTIVE
   Type: AUTHENTICATION
Library: auth_test_plugin.so
License: GPL

To tell the mysql client to use the client authentication plugin corresponding to the server-side plugin, use the --default-auth=auth_test_plugin option. The test plugin authenticates the same way as MySQL built-in authentication, so provide the usual --user and --password options that you normally use in addition to --default-auth (enter the command on a single line):

shell> mysql --default-auth=auth_test_plugin
         --user=your_name --password=your_pass

If mysql does not find the plugin, specify a --plugin-dir=dir_name option to indicate where the plugin is located.

MySQL includes two built-in plugins that implement the same kind of authentication that older servers provide:

  • mysql_native_password: Implements the same default authentication against the mysql.user table as used previously.

  • mysql_old_password: Implements authentication as used before MySQL 4.1.1 that is based on shorter password hash values. For information about this authentication method, see Section 5.3.2.3, “Password Hashing in MySQL”.

Each plugin exists in both client and server form. The mysql client uses mysql_native_password by default. The --default-auth option can be used to select either plugin explicitly:

shell> mysql --default-auth=mysql_native_password ...
shell> mysql --default-auth=mysql_old_password ...

The built-in authentication plugins are backward compatible. Clients older than MySQL 5.5.7 do not support authentication plugins but use built-in authentication, so they can connect to servers from 5.5.7 and up.

To specify that a MySQL user must be authenticated using a plugin, use CREATE USER with an IDENTIFIED WITH clause that names the plugin:

CREATE USER user IDENTIFIED WITH plugin_name;
Note

If you start the server with the --skip-grant-tables option, the server performs no client authentication and permits any client to connect. Because this is insecure, you might want to use --skip-grant-tables in conjunction with --skip-networking to prevent remote clients from connecting.

Copyright © 2010-2017 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout