
Technology sharing | mysql:caching_ sha2_ Password quick Q & A

2022-06-26 07:43:00 jeanron100

Author: Hu Chengqing

Member of the Aikesheng (爱可生) DBA team, skilled in fault analysis and performance optimization. Personal blog: https://www.jianshu.com/u/a95ec11f67a8, discussion welcome.

Source of this article: original contribution

* Produced by the Aikesheng open source community. The original content may not be used without authorization; for reprints, please contact the editor and credit the source.


The error

When logging in to MySQL 8.0 with a client, the following error comes up often:

ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

Many posts online suggest switching the user's authentication plugin to mysql_native_password to make it go away. That works, but it also throws away the stronger password hash that caching_sha2_password provides. So what is actually going on? This article goes through it.

A brief introduction to caching_sha2_password

caching_sha2_password is the authentication plugin introduced in MySQL 8.0.4, where it also became the default; its characteristics can be read from its name:

  • sha2_password: essentially sha256_password, the authentication plugin introduced in MySQL 5.6. Its advantage is that the salted password goes through many rounds of SHA-256 hashing, so the stored hash is far harder to crack if mysql.user leaks. Its drawback is that the cleartext password has to reach the server on every login, either over a secure (TLS) connection or over an unencrypted connection in which an RSA key pair protects the password, so authentication is comparatively expensive.

  • caching: a cache added on top of sha256_password. After a user has authenticated once, later logins use a challenge-response against the cached digest and need neither an encrypted connection nor the RSA key pair, so both security and efficiency are achieved.

The summary above is not easy to follow, so the rest of the article uses a question-and-answer format to lift the veil on caching_sha2_password.

Q: What does "requires a secure connection, or an unencrypted connection that uses an RSA key pair for password exchange" mean?

caching_sha2_password imposes a higher standard of password security: the password transmitted over the network during authentication must be protected:

  • On an SSL-encrypted connection, the server's SSL certificate and key pair are used to negotiate a symmetric session key during the TLS handshake, and that session key then encrypts the password and everything else. See: MySQL: SSL connection analysis;

  • On a non-SSL (unencrypted) connection, the client encrypts the user password with the MySQL server's RSA public key when establishing the connection, and the server decrypts it with the RSA private key to verify the password, so the password cannot be sniffed in transit.

Tip: an SSL-encrypted connection encrypts not only the password but also the data (SQL statements and result sets); an unencrypted connection uses the RSA key pair to encrypt only the password, and everything after authentication travels in the clear.

Q: How does an unencrypted connection use the RSA key pair for password exchange?

When a user authenticates successfully, the server caches a hash of the user's password. When a new client connection starts a login, the MySQL server first checks whether that cache is hit. On a cache miss, and on an unencrypted connection, the caching_sha2_password plugin requires the RSA key pair to be used to exchange the password when the connection is established; otherwise, it reports the error above. The process is:

  • If the client already has the server's RSA public key, it specifies the public key file with the --server-public-key-path option;

  • The client XORs the password with the nonce the server sent in the handshake, encrypts the result with the RSA public key, and sends it with the connection request (the XOR ties the ciphertext to this handshake, so a captured copy cannot be replayed);

  • The server decrypts with the RSA private key and verifies the password.

If the client does not have a copy of the server's RSA public key file, it can use the --get-server-public-key option to request the public key from the server instead; the server then sends its RSA public key to the client before the password exchange. Caveat: a public key fetched this way over an unencrypted connection is not authenticated, so an active attacker on the path can substitute their own key and recover the password (the MySQL reference manual page on caching_sha2_password listed under Reference material says as much). Distributing public_key.pem out of band and using --server-public-key-path avoids that, and TLS avoids the problem entirely.

If neither --server-public-key-path nor --get-server-public-key is specified, the classic error appears:

[[email protected] ~] mysql -h172.16.21.4 -utest -ptestpass --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

Specifying --get-server-public-key lets the login succeed:

[[email protected] ~] mysql -h172.16.21.4 -utest -ptestpass --ssl-mode=disable --get-server-public-key -e "select 1"
mysql: [Warning] Using a password on the command line interface can be insecure.
+---+
| 1 |
+---+
| 1 |
+---+

Once the test user has logged in successfully and the server has cached the hash, the next authentication over an unencrypted connection no longer needs the RSA key pair (the client answers a challenge with a value derived from the password; the password itself is not sent):

[[email protected] ~] mysql -h172.16.21.4 -utest -ptestpass --ssl-mode=disable -e "select 1"
mysql: [Warning] Using a password on the command line interface can be insecure.
+---+
| 1 |
+---+
| 1 |
+---+

Note: "client" above means the default mysql command-line client; the --server-public-key-path and --get-server-public-key options exist only in that client. Other connectors expose the same two choices under their own names, for example MYSQL_SERVER_PUBLIC_KEY and MYSQL_OPT_GET_SERVER_PUBLIC_KEY for mysql_options() in the C API, or serverRSAPublicKeyFile and allowPublicKeyRetrieval in Connector/J.
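To make the two paths concrete, here is a small Python model of the exchange described in this answer (the cache-miss login that needs the RSA key pair) and of the cache-hit login shown just above. It is an added illustration written for this article, not MySQL's or the mysql client's code. Assumptions: the slow stored verifier is a simplified stand-in for MySQL's salted multi-round SHA-256 ($A$005$...) hash; the RSA-OAEP step relies on the third-party `cryptography` package (the same library mysql-connector-python uses); the user name, password, key size and round count are made up for the demonstration. The client-side computations (the fast-auth scramble and the nonce XOR before RSA encryption) follow what MySQL connectors do; the server side is a toy.

```python
"""Toy model of caching_sha2_password, added for this article (not MySQL's code).  Cache miss:
the client XOR-scrambles the cleartext with the server nonce and RSA-encrypts it with public_key.pem;
the server decrypts with private_key.pem and checks the slow stored hash.  Cache hit: a
challenge-response against the cached digest, no TLS or RSA needed.  Assumed: the stored verifier
stands in for MySQL's salted multi-round SHA-256 ($A$005$...) format; RSA uses `cryptography`."""
import hashlib
import hmac
import os

SCRAMBLE_LEN = 20  # size of the nonce the server sends in the handshake

def sha256(data):
    return hashlib.sha256(data).digest()

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _oaep():
    # MySQL uses RSA_PKCS1_OAEP_PADDING: SHA-1 for both the hash and MGF1
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    return padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)

def client_fast_scramble(password, nonce):
    # cache-hit response: SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) || nonce); the password stays local
    h1 = sha256(password)
    return xor_bytes(h1, sha256(sha256(h1) + nonce))

def client_scramble_password(password, nonce):
    # cache-miss payload: NUL-terminated cleartext XORed with the repeating nonce; this is what gets
    # RSA-encrypted, so a captured ciphertext is bound to one handshake and cannot be replayed
    return bytes(c ^ nonce[i % len(nonce)] for i, c in enumerate(password + b"\x00"))

def rsa_encrypt_scrambled(scrambled, public_key_pem):
    # encrypt with the server's public_key.pem (the file --server-public-key-path points at)
    from cryptography.hazmat.primitives import serialization
    return serialization.load_pem_public_key(public_key_pem).encrypt(scrambled, _oaep())

class CachingSha2Server:
    ROUNDS = 5000  # stand-in iteration count for the slow stored hash

    def __init__(self, private_key_pem=None):
        self.users = {}  # user -> (salt, slow hash): stand-in for mysql.user
        self.cache = {}  # user -> SHA256(SHA256(password)): the in-memory digest cache
        self.private_key_pem = private_key_pem

    @classmethod
    def _slow_hash(cls, salt, password):
        h = salt + password
        for _ in range(cls.ROUNDS):
            h = sha256(h)
        return h

    def create_user(self, user, password):
        salt = os.urandom(16)  # CREATE USER / ALTER USER ... IDENTIFIED BY
        self.users[user] = (salt, self._slow_hash(salt, password))
        self.cache.pop(user, None)  # a password change evicts the cached digest

    def flush_privileges(self):
        self.cache.clear()  # FLUSH PRIVILEGES (or a restart) empties the whole cache

    def fast_auth(self, user, nonce, response):
        # True/False on a cache hit; None on a miss = "perform full authentication" (ERROR 2061 without TLS/RSA)
        cached = self.cache.get(user)
        if cached is None:
            return None
        h1 = xor_bytes(response, sha256(cached + nonce))
        return hmac.compare_digest(sha256(h1), cached)

    def full_auth_cleartext(self, user, nonce, scrambled):
        # verify the scrambled cleartext (received over TLS, or RSA-decrypted below); on success
        # populate the cache so the next login takes the fast path
        if user not in self.users:
            return False
        buf = bytes(c ^ nonce[i % len(nonce)] for i, c in enumerate(scrambled))
        password = buf.split(b"\x00", 1)[0]
        salt, stored = self.users[user]
        ok = hmac.compare_digest(self._slow_hash(salt, password), stored)
        if ok:
            self.cache[user] = sha256(sha256(password))
        return ok

    def full_auth_rsa(self, user, nonce, ciphertext):
        # unencrypted connection: decrypt with private_key.pem, then verify as above
        from cryptography.hazmat.primitives import serialization
        priv = serialization.load_pem_private_key(self.private_key_pem, password=None)
        return self.full_auth_cleartext(user, nonce, priv.decrypt(ciphertext, _oaep()))

if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # throwaway server key pair
    pem = serialization.Encoding.PEM
    srv = CachingSha2Server(key.private_bytes(pem, serialization.PrivateFormat.PKCS8,
                                              serialization.NoEncryption()))
    pub_pem = key.public_key().public_bytes(pem, serialization.PublicFormat.SubjectPublicKeyInfo)
    srv.create_user("test", b"testpass")
    nonce = os.urandom(SCRAMBLE_LEN)
    ct = rsa_encrypt_scrambled(client_scramble_password(b"testpass", nonce), pub_pem)
    assert srv.full_auth_rsa("test", nonce, ct) is True   # first login: cache miss, RSA path
    nonce = os.urandom(SCRAMBLE_LEN)
    assert srv.fast_auth("test", nonce, client_fast_scramble(b"testpass", nonce)) is True  # cache hit
```

Running the file generates a throwaway RSA key pair in place of the server's private_key.pem and public_key.pem, performs a first login over the RSA path, then shows the second login succeeding from the cache alone. fast_auth returning None is the moment the real server would answer "perform full authentication"; with neither TLS nor a public key available, that is where ERROR 2061 comes from. The model reproduces the cryptographic logic only, none of MySQL's wire format.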

Q: Where is the RSA key pair stored?

By default the RSA key pair lives in the MySQL datadir; the file names come from the variables caching_sha2_password_private_key_path and caching_sha2_password_public_key_path, and with caching_sha2_password_auto_generate_rsa_keys=ON (the default) the server generates the pair at startup if the files are missing. It is used only for the password exchange on non-SSL connections: the RSA public key encrypts the password, the RSA private key decrypts it:

private_key.pem      RSA private key (never leaves the server; keep it readable by the mysqld user only)
public_key.pem       RSA public key (the file you copy for --server-public-key-path, and what --get-server-public-key fetches)

Q: When does the password hash cache expire?

After a successful authentication the password hash is cached in the server's memory (each server keeps its own cache; it is not replicated), and the entry is dropped when:

  • the user's password is changed (ALTER USER ... IDENTIFIED BY, SET PASSWORD);

  • the user is renamed with RENAME USER;

  • FLUSH PRIVILEGES is executed;

  • MySQL restarts.

Q: What must be considered when a replication user uses the caching_sha2_password plugin?

For MGR, if the distributed recovery channel runs without SSL (the example here sets group_replication_ssl_mode=DISABLED; note that the recovery connection itself is governed by group_replication_recovery_use_ssl), one of the following variables must also be set so that a joining member can obtain the donor's RSA public key, otherwise recovery fails with the error above:

  • group_replication_recovery_get_public_key: request the RSA public key from the donor server;

  • group_replication_recovery_public_key_path: path to a local copy of the RSA public key file.

Only one of the two is needed. Because copying the RSA public key to every node is tedious, group_replication_recovery_get_public_key=ON is recommended; the trade-off is the same as for --get-server-public-key above (an unauthenticated key fetch), so the path option is the stricter choice when the nodes do not share a trusted network.

For asynchronous/semi-synchronous replication, the CHANGE MASTER TO statement must specify MASTER_PUBLIC_KEY_PATH = 'key_file_path' or GET_MASTER_PUBLIC_KEY = {0|1} (from 8.0.23, CHANGE REPLICATION SOURCE TO accepts the same options as SOURCE_PUBLIC_KEY_PATH and GET_SOURCE_PUBLIC_KEY).

For the same reason as above, the recommendation is GET_MASTER_PUBLIC_KEY = 1

Reference material

https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/

https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html


Original page

Copyright notice
This article was created by [jeanron100]; please include the original link when reposting, thank you
https://yzsam.com/2022/177/202206260741287023.html