Documentation Home
MySQL 8.3 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 40.7Mb
PDF (A4) - 40.8Mb
Man Pages (TGZ) - 293.3Kb
Man Pages (Zip) - 408.4Kb
Info (Gzip) - 4.0Mb
Info (Zip) - 4.0Mb
Excerpts from this Manual

MySQL 8.3 Reference Manual  /  ...  /  Native Pluggable Authentication

8.4.1.1 Native Pluggable Authentication

MySQL includes a mysql_native_password plugin that implements native authentication; that is, authentication based on the password hashing method in use from before the introduction of pluggable authentication.

Note

The mysql_native_password authentication plugin is deprecated and subject to removal in a future version of MySQL.

The following table shows the plugin names on the server and client sides.

Table 8.16 Plugin and Library Names for Native Password Authentication

Plugin or File Plugin or File Name
Server-side plugin mysql_native_password
Client-side plugin mysql_native_password
Library file None (plugins are built in)

The following sections provide installation and usage information specific to native pluggable authentication:

For general information about pluggable authentication in MySQL, see Section 8.2.17, “Pluggable Authentication”.

Installing Native Pluggable Authentication

The mysql_native_password plugin exists in server and client forms:

  • The server-side plugin is built into the server, need not be loaded explicitly, and cannot be disabled by unloading it.

  • The client-side plugin is built into the libmysqlclient client library and is available to any program linked against libmysqlclient.

Using Native Pluggable Authentication

MySQL client programs use mysql_native_password by default. The --default-auth option can be used as a hint about which client-side plugin the program can expect to use:

$> mysql --default-auth=mysql_native_password ...
Disabling Native Pluggable Authentication

As a built-in plugin, the mysql_native_password server-side plugin installs and loads by default, although it is not the default password mechanism for performing authentication. The --plugin_name[=activation_state] option permits disabling the plugin at server startup.

$> mysqld --mysql_native_password=OFF ...

In the previous example, the activation_state value OFF is equivalent to off or 0. If a DBA disables the plugin at server startup, all of the operations that depend on the plugin are inaccessible. Specifically:

  • Defined user accounts that authenticate with mysql_native_password encounter an error when they attempt to connect.

    $> MYSQL -u userx -p
    ERROR 1045 (28000): Access denied for user 'userx'@'localhost' (using password: NO)

    The server writes these errors to the server log.

  • Attempts to create a new user account or to alter an existing user account identified with mysql_native_password also fail and emit an error.

    mysql> CREATE USER userxx@localhost IDENTIFIED WITH 'mysql_native_password';
    ERROR 1524 (HY000): Plugin 'mysql_native_password' is not loaded
    mysql> ALTER USER userxy@localhost IDENTIFIED WITH 'mysql_native_password;
    ERROR 1524 (HY000): Plugin 'mysql_native_password' is not loaded

To enable the plugin after disabling it, restart the server without specifying the --plugin_name[=activation_state] option. Optionally, activation_state values ON, on, or 1 also enable the plugin if used at startup.