Chapter 11 Enabling Authentication

In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password, which was the default in MySQL 5.7.

The server-side caching_sha2_password plugin is built into the server and it does not need to be loaded explicitly. Therefore, no server-side configuration is required to use it.

The client-side plugin is built into the libmysqlclient library (MySQL 8.0.4 and higher) and is available to any program linked against libmysqlclient. For a list of compatible clients and connectors, see caching_sha2_password-Compatible Clients and Connectors.

The caching_sha2_password plugin uses a SHA-2 algorithm that provides 256-bit password encryption. Passwords are salted with random data before SHA-256 transformations are applied. The resulting hashed values are stored in the mysql.user table. Using a salt helps defend against dictionary attacks on stored password hash values.

The caching_sha2_password plugin requires a secure connection (made using TLS credentials, a Unix socket file, or shared memory) or an unencrypted connection that supports password exchange using an RSA key pair. However, the performance cost associated with a secure connection is mitigated by the caching capability of the plugin. Once a hashed password is cached in memory, authentication can be performed over an unencrypted channel using a SHA256-based challenge-response mechanism, which means faster authentication for users that have connected previously.

User accounts created later in this deployment use caching_sha2_password authentication. See Chapter 13, Creating User Accounts. TLS and RSA key pair connection methods are demonstrated in Chapter 14, Connecting to the Server.

For additional information about the caching_sha2_password plugin, see Caching SHA-2 Pluggable Authentication.

This section describes how to enable the server-side auth_socket authentication plugin, which authenticates clients that connect to the MySQL server from the local host through the Unix socket file. auth_socket authentication is well suited to server administration user accounts for which access must be tightly restricted.

The auth_socket plugin checks whether the socket user name matches the MySQL user name specified by the client program to the server. If the names do not match, the plugin also checks whether the socket user name matches the name specified in the authentication_string column of the mysql.user table row. If a match is found, the plugin permits the connection.

For example, suppose that a MySQL account is created for a user named valerie who is to be authenticated by the auth_socket plugin for connections from the local host through the socket file:

CREATE USER 'valerie'@'localhost' IDENTIFIED WITH auth_socket;

If a user on the local host with a login name of stefanie invokes mysql with the option --user=valerie to connect through the socket file, the server uses auth_socket to authenticate the client. The plugin determines that the --user option value (valerie) differs from the client user's name (stephanie) and refuses the connection. If a user named valerie tries the same thing, the plugin finds that the user name and the MySQL user name are both valerie and permits the connection. However, the plugin refuses the connection even for valerie if the connection is made using a different protocol, such as TCP/IP.

Users authenticated by the auth_socket need not specify a password when connecting to the server. However, users authenticated by the auth_socket plugin are restricted from connecting remotely; they can only connect from the local host through the Unix socket file.

To install the server-side auth_socket plugin:

For more information about the auth_socket plugin, see Socket Peer-Credential Pluggable Authentication.