MySQL SHA-2 guide
6.4.1.2 Caching SHA-2 Pluggable Authentication
MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords:
This section describes the caching SHA-2 authentication plugin. For information about the original basic (noncaching) plugin, see Section 6.4.1.3, “SHA-256 Pluggable Authentication”. Important In MySQL 8.0, Important To connect to the server using an account that authenticates
with the Note In the name The
The following table shows the plugin names on the server and client sides.
Table 6.17 Plugin and Library Names for SHA-2 Authentication
The following sections provide installation and usage information specific to caching SHA-2 pluggable authentication:
For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”.
Installing SHA-2 Pluggable Authentication
The
The server-side plugin uses the
Using SHA-2 Pluggable Authentication
To set up an account that uses the
The server assigns the The preceding instructions do not assume that To start the server with the default authentication plugin set to
That causes the
Another consequence of setting
For clients that use the
To enable use of an RSA key pair for password exchange during the client connection process, use the following procedure:
After the server has been configured with the RSA key files, accounts that authenticate with the
For this connection attempt by
To request the RSA public key from the server, specify the
In this case, the server sends the RSA public key to the client, which uses it to encrypt the password and returns the result to the server. The plugin uses the RSA private key on the server side to decrypt the password and accepts or rejects the connection based on whether the password is correct. Alternatively, if the client has a file containing a local copy of the RSA public key required by the server, it can specify the file using the
In this case, the client uses the public key to encrypt the password and returns the result to the server. The plugin uses the RSA private key on the server side to decrypt the password and accepts or rejects the connection based on whether the password is correct. The public key value in the file named by the
Client users can obtain the RSA public key two ways:
Cache Operation for SHA-2 Pluggable Authentication
On the server side, the
In this way, when a client first connects, authentication against the Password cache operations other than adding entries are handled by the
Cache clearing operations affect the authentication requirements for subsequent client connections. For each user account, the first client connection for the user after any of the following operations must use a secure connection (made using TCP using TLS credentials, a Unix socket file, or shared memory) or RSA key pair-based password exchange:
Once the user authenticates successfully, the account is entered into the cache and subsequent connections do not require a secure connection or the RSA key pair, until another cache clearing event occurs that affects the account. (When the cache can be used, the server uses a challenge-response mechanism that does not use cleartext password transmission and does not require a secure connection.)
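The cache behavior described above, as an added example (a simplified model written for this page, not MySQL source code). `ToyServer`, its method names, the PBKDF2 stand-in for the stored credential, and the exact scramble construction are assumptions of the model.

```python
import hashlib, hmac, os

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_scramble(password: bytes, nonce: bytes) -> bytes:
    """What the client sends on the cached path: never the password itself."""
    stage1 = sha256(password)
    return xor(stage1, sha256(sha256(stage1), nonce))

class ToyServer:
    """Simplified model, not MySQL code. Cache: user -> SHA256(SHA256(password))."""

    def __init__(self):
        self._stored = {}  # user -> (salt, slow hash); stand-in for stored credentials
        self._cache = {}   # in-memory only; emptied by cache clearing operations

    def create_user(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._stored[user] = (salt, hashlib.pbkdf2_hmac("sha256", password, salt, 5000))

    def clear_cache(self) -> None:
        self._cache.clear()

    def fast_auth(self, user: str, nonce: bytes, scramble: bytes) -> str:
        cached = self._cache.get(user)
        if cached is None:
            return "full-auth-required"  # cache miss: password exchange needed
        candidate = xor(scramble, sha256(cached, nonce))  # recovers SHA256(password)
        return "ok" if hmac.compare_digest(sha256(candidate), cached) else "denied"

    def full_auth(self, user: str, password: bytes, protected: bool) -> str:
        # protected: secure connection, or password encrypted with the RSA public key
        if not protected or user not in self._stored:
            return "denied"
        salt, expected = self._stored[user]
        actual = hashlib.pbkdf2_hmac("sha256", password, salt, 5000)
        if not hmac.compare_digest(actual, expected):
            return "denied"
        self._cache[user] = sha256(sha256(password))  # later logins use fast_auth
        return "ok"
```

The model shows why only the first login after a cache clearing event needs a protected channel: the server must see the password once to verify it against the stored hash and populate the cache, after which the nonce-bound scramble is enough.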