Determining Authentication Method

The method used for authentication is tied to the user account and stored in the plugin column of the mysql.user table. The client names the user account it wants to log into in the Handshake Response Packet. Only then can the server look up the mysql.user table and find the authentication method to be used.

However, to save some round-trips, the server and client start the authentication exchange already in the initial handshake, using an optimistic guess of the authentication method to be used.

The server uses its default authentication method to produce the initial authentication data payload and sends it to the client inside the Initial Handshake Packet, together with the name of the method used. The client can include its reply to the authentication data sent by the server in the Handshake Response Packet.
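The parser below is an added example, not code from the MySQL manual or server: it reads an Initial Handshake Packet payload and returns the method name and authentication data the server sent as its optimistic guess. The field layout is that of a protocol version 10 handshake, which this page does not spell out; build_sample, its byte values and the plugin name in it are constructed for the demo.

```python
import struct

CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

def parse_initial_handshake(payload: bytes) -> dict:
    """Parse an Initial Handshake Packet payload (protocol version 10, no 4-byte packet header)."""
    if not payload or payload[0] != 10:
        raise ValueError("not a protocol version 10 handshake")
    end = payload.index(b"\x00", 1)            # server version is NUL-terminated
    pos = end + 1
    if len(payload) < pos + 31:
        raise ValueError("truncated handshake")
    # connection id, auth data part 1, filler, capabilities (low), charset,
    # status flags, capabilities (high), auth data length; then 10 reserved bytes
    conn_id, part1, _, cap_lo, _, _, cap_hi, data_len = struct.unpack_from(
        "<I8sBHBHHB", payload, pos)
    pos += 31
    caps = cap_lo | (cap_hi << 16)
    auth_data, plugin = part1, None
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, data_len - 8)              # part 2, including its trailing NUL
        if len(payload) < pos + n:
            raise ValueError("truncated auth data")
        auth_data += payload[pos:pos + n]
        pos += n
    if caps & CLIENT_PLUGIN_AUTH:              # method name is only sent with pluggable auth
        end2 = payload.find(b"\x00", pos)      # tolerate a missing terminator
        raw = payload[pos:] if end2 == -1 else payload[pos:end2]
        plugin = raw.decode("ascii", "replace")
    return {"server_version": payload[1:end].decode("ascii", "replace"),
            "connection_id": conn_id, "capabilities": caps,
            "auth_plugin": plugin, "auth_data": auth_data}

def build_sample(caps: int, plugin: bytes = b"mysql_native_password") -> bytes:
    """Constructed sample payload for the demo; not captured from a real server."""
    pkt = b"\x0a" + b"5.5.0-constructed\x00" + struct.pack("<I", 42) + b"ABCDEFGH\x00"
    pkt += struct.pack("<HBHHB", caps & 0xFFFF, 0x21, 0x0002, caps >> 16,
                       21 if caps & CLIENT_PLUGIN_AUTH else 0) + b"\x00" * 10
    if caps & CLIENT_SECURE_CONNECTION:
        pkt += b"IJKLMNOPQRST\x00"
    if caps & CLIENT_PLUGIN_AUTH:
        pkt += plugin + b"\x00"
    return pkt

if __name__ == "__main__":
    hs = parse_initial_handshake(build_sample(0x00088200))
    print(hs["auth_plugin"], hs["auth_data"][:20])
```

When the server does not set CLIENT_PLUGIN_AUTH, auth_plugin comes back as None, which is the case where the method has to be inferred from capabilities instead of read from the packet.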

When including an authentication reply in the Handshake Response Packet, the client is not obliged to use the same authentication method that the server indicated in the Initial Handshake Packet. The name of the authentication method used by the client is stored in the packet. If the authentication method guessed by either the client or the server in the initial handshake was not correct, the server tells the client which authentication method to use by sending an Authentication Method Switch Request Packet (see Section 14.2.3, “Authentication Method Mismatch”).

Up to MySQL 4.0 the MySQL protocol only supported the Old Password Authentication; in MySQL 4.1 the Secure Password Authentication method was added, and in MySQL 5.5 arbitrary authentication methods can be implemented by means of authentication plugins.

If the client or the server does not support pluggable authentication (the CLIENT_PLUGIN_AUTH capability flag is not set), then the authentication method used is inferred from client and server capabilities as follows: