Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 1.5Mb
PDF (A4) - 1.5Mb
HTML Download (TGZ) - 316.1Kb
HTML Download (Zip) - 324.8Kb


Security in MySQL  /  ...  /  Client-Side Cleartext Pluggable Authentication

7.1.6 Client-Side Cleartext Pluggable Authentication

A client-side authentication plugin is available that sends the password to the server without hashing or encryption. This plugin is built into the MySQL client library.

The following table shows the plugin name.

Table 7.5 Plugin and Library Names for Cleartext Authentication

Plugin or File Plugin or File Name
Server-side plugin None, see discussion
Client-side plugin mysql_clear_password
Library file None (plugin is built in)

With many MySQL authentication methods, the client performs hashing or encryption of the password before sending it to the server. This enables the client to avoid sending the password in clear text.

Hashing or encryption cannot be done for authentication schemes that require the server to receive the password as entered on the client side. In such cases, the client-side mysql_clear_password plugin is used to send the password to the server in clear text. There is no corresponding server-side plugin. Rather, the client-side plugin can be used by any server-side plugin that needs a cleartext password. (Examples are the PAM and simple LDAP authentication plugins; see Section 7.1.7, “PAM Pluggable Authentication”, and Section 7.1.9, “LDAP Pluggable Authentication”.)

The following discussion provides usage information specific to clear text pluggable authentication. For For general information about pluggable authentication in MySQL, see Section 5.9, “Pluggable Authentication”.

Note

Sending passwords in clear text may be a security problem in some configurations. To avoid problems if there is any possibility that the password would be intercepted, clients should connect to MySQL Server using a method that protects the password. Possibilities include SSL (see Chapter 6, Using Encrypted Connections), IPsec, or a private network.

To make inadvertent use of the mysql_clear_password plugin less likely, MySQL clients must explicitly enable it. This can be done in several ways:

  • Set the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to a value that begins with 1, Y, or y. This enables the plugin for all client connections.

  • The mysql, mysqladmin, and mysqlslap client programs (also mysqlcheck, mysqldump, and mysqlshow for MySQL 5.7.10 and later) support an --enable-cleartext-plugin option that enables the plugin on a per-invocation basis.

  • The mysql_options() C API function supports a MYSQL_ENABLE_CLEARTEXT_PLUGIN option that enables the plugin on a per-connection basis. Also, any program that uses libmysqlclient and reads option files can enable the plugin by including an enable-cleartext-plugin option in an option group read by the client library.


User Comments
User comments in this section are, as the name implies, provided by MySQL users. The MySQL documentation team is not responsible for, nor do they endorse, any of the information provided here.
Sign Up Login You must be logged in to post a comment.