MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords:

sha256_password: Implements basic SHA-256 authentication.

caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability.

This section describes the original noncaching SHA-2 authentication plugin. For information about the caching plugin, see Section 6.4.1.2, “Caching SHA-2 Pluggable Authentication”.

In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password. For information about the implications of this change for server operation and compatibility of the server with clients and connectors, see caching_sha2_password as the Preferred Authentication Plugin.
Because caching_sha2_password is the default authentication plugin in MySQL 8.0 and provides a superset of the capabilities of the sha256_password authentication plugin, sha256_password is deprecated; expect it to be removed in a future version of MySQL. MySQL accounts that authenticate using sha256_password should be migrated to use caching_sha2_password instead.

To connect to the server using an account that authenticates with the sha256_password plugin, you must use either a TLS connection or an unencrypted connection that supports password exchange using an RSA key pair, as described later in this section. Either way, the sha256_password plugin uses MySQL's encryption capabilities. See Section 6.3, “Using Encrypted Connections”.

In the name sha256_password, “sha256” refers to the 256-bit digest length the plugin uses for encryption. In the name caching_sha2_password, “sha2” refers more generally to the SHA-2 class of encryption algorithms, of which 256-bit encryption is one instance. The latter name choice leaves room for future expansion of possible digest lengths without changing the plugin name.
The following table shows the plugin names on the server and client sides.

Table 6.14 Plugin and Library Names for SHA-256 Authentication

Server-side plugin name | sha256_password
Client-side plugin name | sha256_password
Library file name       | None (built in)

The following sections provide installation and usage information specific to SHA-256 pluggable authentication:

For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”.

The sha256_password plugin exists in server and client forms:

The server-side plugin is built into the server, need not be loaded explicitly, and cannot be disabled by unloading it.

The client-side plugin is built into the libmysqlclient client library and is available to any program linked against libmysqlclient.
To set up an account that uses the sha256_password plugin for SHA-256 password hashing, use the following statement, where password is the desired account password:

CREATE USER 'sha256user'@'localhost'
  IDENTIFIED WITH sha256_password BY 'password';

The server assigns the sha256_password plugin to the account and uses it to encrypt the password using SHA-256, storing those values in the plugin and authentication_string columns of the mysql.user system table.

The preceding instructions do not assume that sha256_password is the default authentication plugin. If sha256_password is the default authentication plugin, a simpler CREATE USER syntax can be used.

To start the server with the default authentication plugin set to sha256_password, put these lines in the server option file:

[mysqld]
default_authentication_plugin=sha256_password

That causes the sha256_password plugin to be used by default for new accounts. As a result, it is possible to create the account and set its password without naming the plugin explicitly:

CREATE USER 'sha256user'@'localhost' IDENTIFIED BY 'password';

Another consequence of setting default_authentication_plugin to sha256_password is that, to use some other plugin for account creation, you must specify that plugin explicitly. For example, to use the mysql_native_password plugin, use this statement:

CREATE USER 'nativeuser'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'password';
sha256_password supports connections over secure transport. sha256_password also supports encrypted password exchange using RSA over unencrypted connections if MySQL is compiled using OpenSSL, and the MySQL server to which you wish to connect is configured to support RSA (using the RSA configuration procedure given later in this section).

RSA support has these characteristics:

On the server side, two system variables name the RSA private and public key-pair files: sha256_password_private_key_path and sha256_password_public_key_path. The database administrator must set these variables at server startup if the key files to use have names that differ from the system variable default values.

The server uses the sha256_password_auto_generate_rsa_keys system variable to determine whether to automatically generate the RSA key-pair files. See Section 6.3.3, “Creating SSL and RSA Certificates and Keys”.

The Rsa_public_key status variable displays the RSA public key value used by the sha256_password authentication plugin.

Clients that are in possession of the RSA public key can perform RSA key pair-based password exchange with the server during the connection process, as described later.

For connections by accounts that authenticate with sha256_password and RSA public key pair-based password exchange, the server sends the RSA public key to the client as needed. However, if a copy of the public key is available on the client host, the client can use it to save a round trip in the client/server protocol:

For these command-line clients, use the --server-public-key-path option to specify the RSA public key file: mysql, mysqladmin, mysqlbinlog, mysqlcheck, mysqldump, mysqlimport, mysqlpump, mysqlshow, mysqlslap, mysqltest, mysql_upgrade.

For programs that use the C API, call mysql_options() to specify the RSA public key file by passing the MYSQL_SERVER_PUBLIC_KEY option and the name of the file.

For replicas, use the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or CHANGE MASTER TO statement (before MySQL 8.0.23) with the SOURCE_PUBLIC_KEY_PATH | MASTER_PUBLIC_KEY_PATH option to specify the RSA public key file. For Group Replication, the group_replication_recovery_get_public_key system variable serves the same purpose.
For clients that use the sha256_password plugin, passwords are never exposed as cleartext when connecting to the server. How password transmission occurs depends on whether a secure connection or RSA encryption is used:

If the connection is secure, an RSA key pair is unnecessary and is not used. This applies to connections encrypted using TLS. The password is sent as cleartext but cannot be snooped because the connection is secure.

Unlike caching_sha2_password, the sha256_password plugin does not treat shared-memory connections as secure, even though shared-memory transport is secure by default.

If the connection is not secure, and an RSA key pair is available, the connection remains unencrypted. This applies to connections not encrypted using TLS. RSA is used only for password exchange between client and server, to prevent password snooping. When the server receives the encrypted password, it decrypts it. A scramble is used in the encryption to prevent repeat attacks.

If a secure connection is not used and RSA encryption is not available, the connection attempt fails because the password cannot be sent without being exposed as cleartext.

To use RSA password encryption with sha256_password, the client and server both must be compiled using OpenSSL, not just one of them.
Assuming that MySQL has been compiled using OpenSSL, use the following procedure to enable use of an RSA key pair for password exchange during the client connection process:

Create the RSA private and public key-pair files using the instructions in Section 6.3.3, “Creating SSL and RSA Certificates and Keys”.

If the private and public key files are located in the data directory and are named private_key.pem and public_key.pem (the default values of the sha256_password_private_key_path and sha256_password_public_key_path system variables), the server uses them automatically at startup.

Otherwise, to name the key files explicitly, set the system variables to the key file names in the server option file. If the files are located in the server data directory, you need not specify their full path names:

[mysqld]
sha256_password_private_key_path=myprivkey.pem
sha256_password_public_key_path=mypubkey.pem

If the key files are not located in the data directory, or to make their locations explicit in the system variable values, use full path names:

[mysqld]
sha256_password_private_key_path=/usr/local/mysql/myprivkey.pem
sha256_password_public_key_path=/usr/local/mysql/mypubkey.pem

Restart the server, then connect to it and check the Rsa_public_key status variable value. The value actually displayed differs from that shown here, but should be nonempty:
mysql> SHOW STATUS LIKE 'Rsa_public_key'\G
*************************** 1. row ***************************
Variable_name: Rsa_public_key
Value: -----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO9nRUDd+KvSZgY7cNBZMNpwX6
MvE1PbJFXO7u18nJ9lwc99Du/E7lw6CVXw7VKrXPeHbVQUzGyUNkf45Nz/ckaaJa
aLgJOBCIDmNVnyU54OT/1lcs2xiyfaDMe8fCJ64ZwTnKbY2gkt1IMjUAB5Ogd5kJ
g8aV7EtKwyhHb0c30QIDAQAB
-----END PUBLIC KEY-----
If the value is empty, the server found some problem with the key files. Check the error log for diagnostic information.
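The key-file settings above can be checked before the server is restarted. The following Python script is an added example, not part of this manual or of the MySQL server code: it resolves the two system variables the way the procedure describes (the option value when set, otherwise private_key.pem and public_key.pem, with relative names taken against the data directory, and either the underscore or the dash spelling of the option names accepted), then checks that each file exists and looks like a PEM key. The option-file parsing via configparser, the file-permission check on the private key, and the placeholder PEM files that demo() writes into a temporary data directory are assumptions of this example rather than anything the section states.

```python
# Pre-restart check of the sha256_password RSA key settings in a server option
# file. Added example for this section, not MySQL's own code. Assumptions: the
# option file is parsed with configparser; the PEM files and data directory that
# demo() builds are constructed placeholders, not real keys.
import configparser
import os
import tempfile

# Documented defaults of the two system variables.
KEY_OPTIONS = {
    "sha256_password_private_key_path": "private_key.pem",
    "sha256_password_public_key_path": "public_key.pem",
}


def resolve_key_paths(option_file_text: str, datadir: str) -> dict:
    """Return the path the server will use for each key file: the option value
    when set, else the default; relative names resolve against datadir."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(option_file_text)
    section = {}
    if cp.has_section("mysqld"):
        # mysqld accepts both sha256_password_x and sha256-password-x spellings.
        section = {k.replace("-", "_"): v for k, v in cp["mysqld"].items()}
    resolved = {}
    for opt, default in KEY_OPTIONS.items():
        value = section.get(opt) or default
        resolved[opt] = value if os.path.isabs(value) else os.path.join(datadir, value)
    return resolved


def check_key_files(paths: dict) -> list:
    """Return a list of problems; an empty list is the case in which the server
    should show a nonempty Rsa_public_key after restart. The permission check on
    the private key is an extra practitioner check, not a requirement of the section."""
    problems = []
    for opt, path in paths.items():
        if not os.path.isfile(path):
            problems.append(f"{opt}: {path} does not exist")
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)
        if "public" in opt:
            if not head.startswith(b"-----BEGIN PUBLIC KEY-----"):
                problems.append(f"{opt}: {path} is not a PEM public key")
        else:
            if not (head.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in head):
                problems.append(f"{opt}: {path} is not a PEM private key")
            elif os.name == "posix" and os.stat(path).st_mode & 0o077:
                problems.append(f"{opt}: {path} is readable by other users")
    return problems


def demo() -> dict:
    """Run the checks in a constructed data directory that holds the explicitly
    named key files from the section (myprivkey.pem, mypubkey.pem)."""
    with tempfile.TemporaryDirectory() as datadir:
        priv = os.path.join(datadir, "myprivkey.pem")
        pub = os.path.join(datadir, "mypubkey.pem")
        with open(priv, "w") as fh:  # placeholder content, not a real key
            fh.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.chmod(priv, 0o600)
        with open(pub, "w") as fh:
            fh.write("-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n")
        explicit = ("[mysqld]\n"
                    "sha256_password_private_key_path=myprivkey.pem\n"
                    "sha256_password_public_key_path=mypubkey.pem\n")
        # With only the defaults, private_key.pem and public_key.pem are absent here.
        return {
            "explicit_problems": check_key_files(resolve_key_paths(explicit, datadir)),
            "default_problems": check_key_files(resolve_key_paths("[mysqld]\n", datadir)),
        }
```

An empty problem list corresponds to the case where Rsa_public_key should come back nonempty after the restart; anything reported here is what the server's error log would otherwise tell you only after the restart.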
After the server has been configured with the RSA key files, accounts that authenticate with the sha256_password plugin have the option of using those key files to connect to the server. As mentioned previously, such accounts can use either a secure connection (in which case RSA is not used) or an unencrypted connection that performs password exchange using RSA. Suppose that an unencrypted connection is used. For example:

shell> mysql --ssl-mode=DISABLED -u sha256user -p
Enter password: password

For this connection attempt by sha256user, the server determines that sha256_password is the appropriate authentication plugin and invokes it (because that was the plugin specified at CREATE USER time). The plugin finds that the connection is not encrypted and thus requires the password to be transmitted using RSA encryption. In this case, the plugin sends the RSA public key to the client, which uses it to encrypt the password and returns the result to the server. The plugin uses the RSA private key on the server side to decrypt the password and accepts or rejects the connection based on whether the password is correct.
The server sends the RSA public key to the client as needed. However, if the client has a file containing a local copy of the RSA public key required by the server, it can specify the file using the --server-public-key-path option:

shell> mysql --ssl-mode=DISABLED -u sha256user -p --server-public-key-path=file_name
Enter password: password

The public key value in the file named by the --server-public-key-path option should be the same as the key value in the server-side file named by the sha256_password_public_key_path system variable. If the key file contains a valid public key value but the value is incorrect, an access-denied error occurs. If the key file does not contain a valid public key, the client program cannot use it. In this case, the sha256_password plugin sends the public key to the client as if no --server-public-key-path option had been specified.

Client users can obtain the RSA public key two ways:

The database administrator can provide a copy of the public key file.

A client user who can connect to the server some other way can use a SHOW STATUS LIKE 'Rsa_public_key' statement and save the returned key value in a file.