When a client connects to the MySQL server, the server uses the user name provided by the client and the client host to select the appropriate account row from the mysql.user table. The server then authenticates the client, determining from the account row which authentication plugin applies for the client:

If the account row specifies a plugin, the server invokes it to authenticate the user. If the server cannot find the plugin, an error occurs.

If the account row specifies no plugin name, the server authenticates the account using either the native password plugin or the mysql_old_password plugin, depending on whether the password hash value in the Password column used native hashing or the older pre-4.1 hashing method. Clients must match the password in the Password column of the account row.

The plugin returns a status to the server indicating whether the user is permitted to connect.
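As an added illustration (not code from the MySQL manual or server), the following Python sketches the selection rule just described: an explicitly named plugin is used as-is; otherwise the format of the stored Password hash decides between the native plugin and the deprecated pre-4.1 plugin. The plugin names mysql_native_password, mysql_old_password and sha256_password are the real MySQL identifiers, assumed here because the text refers to them descriptively; the account rows are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added illustration of the selection rule described above; not MySQL server code.
# mysql_native_password / mysql_old_password / sha256_password are real plugin
# names; the account rows below are constructed samples.

def mysql_native_password_hash(password: str) -> str:
    """Stored form in the Password column for native authentication:
    '*' followed by the uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

@dataclass
class AccountRow:
    user: str
    host: str
    plugin: str        # "" when the row names no plugin
    password: str      # Password column: a hash, never the cleartext
    authentication_string: str = ""

def select_auth_plugin(row: AccountRow) -> str:
    """An explicitly named plugin wins; otherwise the format of the stored
    Password hash decides between native and pre-4.1 hashing."""
    if row.plugin:
        return row.plugin
    h = row.password
    if len(h) == 16 and all(c in "0123456789abcdefABCDEF" for c in h):
        return "mysql_old_password"      # pre-4.1 hash, deprecated
    # A 41-char "*..." native hash (or an empty Password) is handled natively.
    return "mysql_native_password"

def native_password_matches(row: AccountRow, candidate: str) -> bool:
    """Compare a cleartext candidate against a native-hashed Password column
    in constant time, so the comparison itself leaks nothing via timing."""
    return hmac.compare_digest(row.password, mysql_native_password_hash(candidate))

def accounts_on_deprecated_hashing(rows) -> list:
    """Audit helper: accounts still authenticated via the deprecated pre-4.1 plugin."""
    return [f"{r.user}@{r.host}" for r in rows
            if select_auth_plugin(r) == "mysql_old_password"]

# Constructed sample rows; hash values are samples, not real account data.
SAMPLE_ROWS = [
    AccountRow("app", "10.0.0.%", "", mysql_native_password_hash("password")),
    AccountRow("legacy", "localhost", "", "5d2e19393cc5ef67"),
    AccountRow("auditor", "%", "sha256_password", "", "$5$constructed$hash"),
]
```

Running accounts_on_deprecated_hashing over a dump of mysql.user is a quick way to find accounts that should be migrated off the pre-4.1 scheme before the old plugin is removed.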
Pluggable authentication enables two important capabilities:
Pluggable authentication makes it possible for clients to connect to the MySQL server with credentials that are appropriate for authentication methods other than native authentication based on passwords stored in the mysql.user table. For example, plugins can be created to use external authentication methods such as PAM, Windows login IDs, LDAP, or Kerberos.
Proxy users: If a user is permitted to connect, an authentication plugin can return to the server a user name different from the name of the connecting user, to indicate that the connecting user is a proxy for another user. While the connection lasts, the proxy user is treated, for purposes of access control, as having the privileges of a different user. In effect, one user impersonates another. For more information, see Section 5.8, “Proxy Users”.
Several authentication plugins are available in MySQL:

Plugins that perform native authentication, matching the password against the Password column of the account row. One plugin implements authentication based on the native password hashing method; the other implements native authentication based on the older (pre-4.1) password hashing method (and is now deprecated). See Section 5.7.2, “The Native Authentication Plugin”, and Section 5.7.3, “The “Old” Native Authentication Plugin”. Native authentication is the default for accounts that have no plugin named explicitly in their account row, unless the server was started with the option that changes the default plugin.
A plugin that performs authentication using SHA-256 password hashing. This plugin matches the password against the authentication_string column of the account row. This hashing is stronger than that used by native authentication. See Section 5.7.4, “The SHA-256 Authentication Plugin”.
A plugin that performs external authentication against PAM (Pluggable Authentication Modules), enabling MySQL Server to use PAM to authenticate MySQL users. This plugin supports proxy users as well. See Section 5.7.5, “The PAM Authentication Plugin”.
A plugin that performs external authentication on Windows, enabling MySQL Server to use native Windows services to authenticate client connections. Users who have logged in to Windows can connect from MySQL client programs to the server based on the information in their environment without specifying an additional password. This plugin supports proxy users as well. See Section 5.7.6, “The Windows Native Authentication Plugin”.
A client-side plugin that sends the password to the server without hashing or encryption. This plugin can be used by server-side plugins that require access to the password exactly as provided by the client user. See Section 5.7.7, “The Cleartext Client-Side Authentication Plugin”.
A plugin that authenticates clients that connect from the local host through the Unix socket file. See Section 5.7.8, “The Socket Peer-Credential Authentication Plugin”.
A test plugin that authenticates using MySQL native authentication. This plugin is intended for testing and development purposes, and as an example of how to write an authentication plugin. See Section 5.7.9, “The Test Authentication Plugin”.
For general information about how to use authentication plugins, see Section 5.7.1, “Authentication Plugin Usage Instructions”.
For information about current restrictions on the use of pluggable authentication, including which connectors support which plugins, see Restrictions on Pluggable Authentication.
Third-party connector developers should read that section to determine the extent to which a connector can take advantage of pluggable authentication capabilities and what steps to take to become more compliant.
If you are interested in writing your own authentication plugins, see Writing Authentication Plugins.