This section provides general instructions for installing and using authentication plugins.
In general, pluggable authentication uses corresponding plugins on the server and client sides, so you use a given authentication method like this:
On the server host, install the library containing the appropriate server plugin, if necessary, so that the server can use it to authenticate client connections. Similarly, on each client host, install the library containing the appropriate client plugin for use by client programs.
Create MySQL accounts that specify use of the plugin for authentication.
When a client connects, the server plugin tells the client program which client plugin to use for authentication.
The instructions here use an example authentication plugin included in MySQL distributions (see Section 188.8.131.52, “The Test Authentication Plugin”). The procedure is similar for other authentication plugins; substitute the appropriate plugin and file names.
The example authentication plugin has these characteristics:
The server-side plugin name is
The client-side plugin name is
Both plugins are located in the shared library object file
auth_test_plugin.so in the plugin
directory (the directory named by the
variable). The file name suffix might differ on your system.
Install and use the example authentication plugin as follows:
Make sure that the plugin library is installed on the server and client hosts.
Install the server-side test plugin at server startup or at runtime:
To install the plugin at startup, use the
With this plugin-loading method, the option must be
given each time you start the server. For example, use
these lines in a
To install the plugin at runtime, use the
INSTALL PLUGIN statement:
INSTALL PLUGIN test_plugin_server SONAME 'auth_test_plugin.so';
This installs the plugin permanently and need be done only once.
Verify that the plugin is installed. For example, use
SHOW PLUGINS\G
...
*************************** 21. row ***************************
   Name: test_plugin_server
 Status: ACTIVE
   Type: AUTHENTICATION
Library: auth_test_plugin.so
License: GPL
For other ways to check the plugin, see Section 184.108.40.206, “Obtaining Server Plugin Information”.
To specify that a MySQL user must be authenticated using a specific server plugin, name the plugin in the IDENTIFIED WITH clause of the CREATE USER statement that creates the user:
CREATE USER 'testuser'@'localhost' IDENTIFIED WITH test_plugin_server;
Connect to the server using a client program. The test
plugin authenticates the same way as native MySQL
authentication, so provide the usual
--password options that you
normally use to connect to the server. For example:
For connections by
testuser, the server
sees that the account must be authenticated using the
server-side plugin named
test_plugin_server and communicates to
the client program which client-side plugin it must
use—in this case,
In the case that the account uses the authentication method
that is the default for both the server and the client
program, the server need not communicate to the client which
plugin to use, and a round trip in client/server negotiation
can be avoided. Currently this is true for accounts that use
native MySQL authentication
option can be specified on the mysql
command line to make explicit which client-side plugin the
program can expect to use, although the server will override
this if the user account requires a different plugin.
If the client program does not find the plugin, specify a
option to indicate where the plugin is located.
If you start the server with the
authentication plugins are not used even if loaded because the
server performs no client authentication and permits any
client to connect. Because this is insecure, you might want to use
--skip-networking to prevent
remote clients from connecting.
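As an added example (not part of the MySQL manual), the following queries audit the result of the procedure above: which authentication plugins the server has loaded, and which accounts depend on each of them. They assume an administrative account that can read INFORMATION_SCHEMA.PLUGINS and the mysql.user table.

```sql
-- Added audit example; not taken from the MySQL manual.
-- Assumption: the session can read INFORMATION_SCHEMA.PLUGINS and mysql.user.

-- 1. Authentication plugins known to the server and their load state.
--    After INSTALL PLUGIN, test_plugin_server should be listed as ACTIVE.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_TYPE = 'AUTHENTICATION'
 ORDER BY PLUGIN_NAME;

-- 2. Number of accounts that depend on each authentication plugin.
SELECT plugin, COUNT(*) AS accounts
  FROM mysql.user
 GROUP BY plugin
 ORDER BY accounts DESC;

-- 3. Accounts that name a plugin the server does not have loaded and ACTIVE.
--    Such accounts cannot log in until the plugin is installed.
--    An empty plugin value (stored by some older servers for native
--    accounts) is skipped.
SELECT u.User,
       u.Host,
       u.plugin,
       COALESCE(p.PLUGIN_STATUS, 'NOT INSTALLED') AS plugin_status
  FROM mysql.user AS u
  LEFT JOIN INFORMATION_SCHEMA.PLUGINS AS p
    ON p.PLUGIN_NAME = u.plugin
   AND p.PLUGIN_TYPE = 'AUTHENTICATION'
 WHERE u.plugin <> ''
   AND (p.PLUGIN_NAME IS NULL OR p.PLUGIN_STATUS <> 'ACTIVE')
 ORDER BY u.User, u.Host;

-- 4. Accounts created with the example plugin from this section,
--    such as 'testuser'@'localhost'.
SELECT User, Host
  FROM mysql.user
 WHERE plugin = 'test_plugin_server';
```

Query 3 is the one to rerun after removing or renaming a plugin library, because it lists every account that the change would lock out.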