X Plugin supports MySQL user accounts created with the caching_sha2_password authentication plugin. For more information on this plugin, see Section 8.4.1.2, “Caching SHA-2 Pluggable Authentication”. You can use X Plugin to authenticate against such accounts using non-SSL connections with SHA256_MEMORY authentication and SSL connections with PLAIN authentication.

Although the caching_sha2_password authentication plugin holds an authentication cache, this cache is not shared with X Plugin, so X Plugin uses its own authentication cache for SHA256_MEMORY authentication. The X Plugin authentication cache stores hashes of user account passwords, and cannot be accessed using SQL. If a user account is modified or removed, the relevant entries are removed from the cache. The X Plugin authentication cache is maintained by the mysqlx_cache_cleaner plugin, which is enabled by default, and has no related system variables or status variables.

Before you can use non-SSL X Protocol connections to authenticate an account that uses the caching_sha2_password authentication plugin, the account must have authenticated at least once over an X Protocol connection with SSL, to supply the password to the X Plugin authentication cache. Once this initial authentication over SSL has succeeded, non-SSL X Protocol connections can be used.

It is possible to disable the mysqlx_cache_cleaner plugin by starting the MySQL server with the option --mysqlx_cache_cleaner=0. If you do this, the X Plugin authentication cache is disabled, and therefore SSL must always be used for X Protocol connections when authenticating with SHA256_MEMORY authentication.
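
The cache lifecycle described above has an operational consequence: after an account is modified, non-SSL SHA256_MEMORY logins fail until the account authenticates over SSL again. The following is an added example, not MySQL code: a small Python model of that lifecycle in which the class and function names are hypothetical, the password comparison stands in for the real challenge-response exchange, and only the two connection types named on this page are modelled.

```python
import hashlib
import hmac

def _h(password):
    return hashlib.sha256(password.encode()).digest()

class XPluginAuthModel:
    """Toy model of the X Plugin authentication cache lifecycle (hypothetical)."""

    def __init__(self, cache_cleaner_enabled=True):
        # Starting the server with --mysqlx_cache_cleaner=0 disables the cache.
        self.cache_enabled = cache_cleaner_enabled
        self.accounts = {}  # stand-in for caching_sha2_password account data
        self.cache = {}     # X Plugin's own cache: user -> password hash

    def set_password(self, user, password):
        """Create or modify an account; modification evicts its cache entry."""
        self.accounts[user] = _h(password)
        self.cache.pop(user, None)

    def authenticate(self, user, password, tls, mech):
        supplied = _h(password)
        if mech == "PLAIN" and tls:
            ok = hmac.compare_digest(self.accounts.get(user, b""), supplied)
            if ok and self.cache_enabled:
                self.cache[user] = supplied  # a successful SSL login primes the cache
            return ok
        if mech == "SHA256_MEMORY" and not tls:
            # Simplification: only the dependency on a cached hash is modelled,
            # not the mechanism's actual message exchange.
            cached = self.cache.get(user)
            return cached is not None and hmac.compare_digest(cached, supplied)
        raise ValueError("combination not described on this page")

def rotation_scenario(cache_cleaner_enabled=True):
    """Constructed walk-through: login results before and after a password change."""
    s = XPluginAuthModel(cache_cleaner_enabled)
    s.set_password("app", "old-pw")  # constructed sample account
    results = [s.authenticate("app", "old-pw", tls=False, mech="SHA256_MEMORY")]
    results.append(s.authenticate("app", "old-pw", tls=True, mech="PLAIN"))
    results.append(s.authenticate("app", "old-pw", tls=False, mech="SHA256_MEMORY"))
    s.set_password("app", "new-pw")  # account modified: cache entry removed
    results.append(s.authenticate("app", "new-pw", tls=False, mech="SHA256_MEMORY"))
    return results
```

With the cache enabled the third login succeeds because the second one primed the cache; with `cache_cleaner_enabled=False` every non-SSL attempt fails, so clients must stay on SSL.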