Pluggable authentication uses corresponding plugins on the client and server sides:
Install the server plugin so that the server can use it to authenticate client connections.
Indicate to the client program when you run it to use the corresponding client plugin when it connects to the server.
The following example shows how to install and use an authentication plugin using the example plugin included in MySQL distributions. The server and client plugins are named test_plugin_server and auth_test_plugin, respectively. Both plugins are located in the shared object file named auth_test_plugin.so in the plugin directory (the directory named by the plugin_dir system variable). If object files have a suffix different from .so on your system, substitute the correct suffix throughout. The procedure shown is the same for other authentication plugins. Just substitute the appropriate plugin name and file name.
The server-side test plugin can be installed at server startup or at runtime:
To install the plugin at startup, use the --plugin-load option. For example, use these lines in a my.cnf option file:
[mysqld]
plugin-load=test_plugin_server=auth_test_plugin.so
With this plugin-loading method, if the server is started without the option, the plugin is not installed.
To install the plugin at runtime, use the INSTALL PLUGIN statement:
mysql> INSTALL PLUGIN test_plugin_server SONAME 'auth_test_plugin.so';
This installs the plugin permanently and need be done only once.
Use SHOW PLUGINS to verify that the plugin is installed:
mysql> SHOW PLUGINS\G
...
*************************** 21. row ***************************
Name: test_plugin_server
Status: ACTIVE
Type: AUTHENTICATION
Library: auth_test_plugin.so
License: GPL
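The check above can be scripted when auditing a server. The following is an added example, not part of the MySQL manual: it parses SHOW PLUGINS\G output and reports AUTHENTICATION plugins that are not on an allowlist, such as the test plugin left installed. The allowlist contents, the function names, and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: the authentication plugins this site expects; adjust to local policy.
ALLOWED_AUTH_PLUGINS = {"mysql_native_password"}
ROW_MARKER = re.compile(r"^\*+\s*(\d+)\.\s*row\s*\*+$")

def parse_vertical(output):
    """Parse vertical (\\G) SHOW PLUGINS output into one dict per row."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if ROW_MARKER.match(line):
            rows.append({})
        elif rows and ":" in line:
            key, _, value = line.partition(":")
            rows[-1][key.strip()] = value.strip()
    return rows

def unexpected_auth_plugins(output, allowed=ALLOWED_AUTH_PLUGINS):
    """Return (name, library) for each AUTHENTICATION plugin not in `allowed`."""
    return [(r.get("Name"), r.get("Library")) for r in parse_vertical(output)
            if r.get("Type") == "AUTHENTICATION" and r.get("Name") not in allowed]

# Constructed sample in the format shown above (not captured from a real server).
SAMPLE = """\
*************************** 1. row ***************************
   Name: mysql_native_password
 Status: ACTIVE
   Type: AUTHENTICATION
Library: NULL
License: GPL
*************************** 2. row ***************************
   Name: InnoDB
 Status: ACTIVE
   Type: STORAGE ENGINE
Library: NULL
License: GPL
*************************** 3. row ***************************
   Name: test_plugin_server
 Status: ACTIVE
   Type: AUTHENTICATION
Library: auth_test_plugin.so
License: GPL
"""

if __name__ == "__main__":
    print(unexpected_auth_plugins(SAMPLE))
```

Feed it the text captured from mysql --execute="SHOW PLUGINS\G" in place of SAMPLE.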
To tell the mysql client to use the client authentication plugin corresponding to the server-side plugin, use the --default-auth=auth_test_plugin option. The test plugin authenticates the same way as MySQL built-in authentication, so provide the usual --user and --password options that you normally use in addition to --default-auth (enter the command on a single line):
shell> mysql --default-auth=auth_test_plugin --user=your_name --password=your_pass
If mysql does not find the plugin, specify a --plugin-dir=dir_name option to indicate where the plugin is located.
MySQL includes two built-in plugins that implement the same kind of authentication that older servers provide:
mysql_native_password: Implements the same default authentication against the mysql.user table as used previously.
mysql_old_password: Implements authentication as used before MySQL 4.1.1 that is based on shorter password hash values. For information about this authentication method, see Section 5.3.2.3, “Password Hashing in MySQL”.
Each plugin exists in both client and server form. The mysql client uses mysql_native_password by default. The --default-auth option can be used to select either plugin explicitly:
shell> mysql --default-auth=mysql_native_password ...
shell> mysql --default-auth=mysql_old_password ...
The built-in authentication plugins are backward compatible. Clients older than MySQL 5.5.7 do not support authentication plugins but use built-in authentication, so they can connect to servers from 5.5.7 and up.
To specify that a MySQL user must be authenticated using a plugin, use CREATE USER with an IDENTIFIED WITH clause that names the plugin:
CREATE USER user IDENTIFIED WITH plugin_name;
If you start the server with the --skip-grant-tables option, the server performs no client authentication and permits any client to connect. Because this is insecure, you might want to use --skip-grant-tables in conjunction with --skip-networking to prevent remote clients from connecting.