The method used for authentication is tied to the user account and stored in the plugin column of the mysql.user table. The client names the user account it wants to log into in the Response Packet. Only then can the server look up the mysql.user table and find the authentication method to be used.
However, to save some round-trips, the server and client start the authentication exchange already in the initial handshake, using an optimistic guess of the authentication method to be used.
The server uses its default authentication method to produce the initial authentication data payload and sends it to the client in the Handshake Packet, together with the name of the method used. The client can include in the Response Packet its reply to the authentication data sent by the server.
When including an authentication reply in the Response Packet, the client is not obliged to use the same authentication method that was indicated by the server in the Handshake Packet. The name of the authentication method used by the client is stored in the packet.
If the guessed authentication method used either by the client or the server in the initial handshake was not correct, the server informs the client which authentication method should be used, using a Method Switch Request Packet (see Section 14.2.3, “Authentication Method Mismatch”).
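
An added example (not taken from the MySQL manual or source code): a parser for the Handshake Packet payload that extracts the method name and authentication data the server advertises, and checks that guess against an account's plugin value. The field layout is that of the protocol version 10 handshake, which this section does not reproduce; build_sample, guess_was_correct, the version string and the scramble bytes are constructed for illustration.

```python
import struct

CLIENT_SECURE_CONNECTION = 0x00008000  # capability flag values from the MySQL protocol
CLIENT_PLUGIN_AUTH = 0x00080000

def parse_handshake(payload: bytes) -> dict:
    """Parse a version 10 Handshake Packet payload (4-byte packet header removed)."""
    if payload[:1] != b"\x0a":
        raise ValueError("not a protocol version 10 handshake")
    end = payload.index(b"\x00", 1)              # NUL-terminated server version
    info = {"server_version": payload[1:end].decode("ascii", "replace"),
            "auth_method": None}
    pos = end + 1
    conn_id, part1, _filler, caps = struct.unpack_from("<I8sBH", payload, pos)
    pos += 15
    auth_data = part1
    if pos < len(payload):                       # extended fields present
        _cs, _status, caps_hi, data_len = struct.unpack_from("<BHHB", payload, pos)
        caps |= caps_hi << 16
        pos += 6 + 10                            # fixed fields + 10 reserved bytes
        if caps & CLIENT_SECURE_CONNECTION:
            part2_len = max(13, data_len - 8)    # second part, includes trailing NUL
            auth_data += payload[pos:pos + part2_len]
            pos += part2_len
        if caps & CLIENT_PLUGIN_AUTH:            # method name is only sent with this flag
            end = payload.find(b"\x00", pos)
            end = len(payload) if end < 0 else end
            info["auth_method"] = payload[pos:end].decode("ascii", "replace")
    info.update(connection_id=conn_id, capabilities=caps, auth_data=auth_data)
    return info

def guess_was_correct(info: dict, account_plugin: str) -> bool:
    """True if the advertised method equals the account's plugin column value,
    so a client that follows the server's guess needs no Method Switch Request."""
    return info["auth_method"] == account_plugin

def build_sample(method: bytes = b"mysql_native_password",
                 caps: int = 0x0200 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH) -> bytes:
    """Constructed handshake payload for offline testing (not a capture)."""
    scramble = bytes(range(0x41, 0x55))          # 20 constructed bytes
    plugin = caps & CLIENT_PLUGIN_AUTH
    return (b"\x0a" + b"5.5.0-example\x00" + struct.pack("<I", 42)
            + scramble[:8] + b"\x00" + struct.pack("<H", caps & 0xFFFF)
            + struct.pack("<BHHB", 0x21, 0x0002, caps >> 16, 21 if plugin else 0)
            + b"\x00" * 10 + scramble[8:] + b"\x00"
            + (method + b"\x00" if plugin else b""))

if __name__ == "__main__":
    hs = parse_handshake(build_sample())
    print(hs["auth_method"], hs["auth_data"].hex(), guess_was_correct(hs, "sha256_password"))
```
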
Up to MySQL 4.0 the MySQL protocol only supported Old Password Authentication; in MySQL 4.1 the Secure Password Authentication method was added; and in MySQL 5.5 arbitrary authentication methods can be implemented by means of authentication plugins.
If the client or server does not support pluggable authentication (the CLIENT_PLUGIN_AUTH capability flag is not set), then the authentication method used is inferred from client and server capabilities as