Bug #73981 the sha256 client plugin can't be used as a default plugin
Submitted: 19 Sep 2014 13:58 Modified: 31 Oct 2014 15:38
Reporter: Georgi Kodinov
Status: Closed
Category: MySQL Server: Command-line Clients Severity: S3 (Non-critical)
Version: 5.6 OS: Any
Assigned to: CPU Architecture: Any

[19 Sep 2014 13:58] Georgi Kodinov
Description:
The client part of the sha256_password plugin can't be used as a default client plugin for users authenticating with other server plugins.

When authenticating, the client will:
1. initiate the exchange using the client's default auth plugin
2. if the server requests another plugin it will restart the exchange with the requested client plugin.

But the sha256 client plugin will reset the password in the mysql handle.
So, if used as a first plugin, it will not leave a password for the second plugin.

This prevents using the sha256_client plugin in all cases where the server may request a different client plugin.

This causes auth_sec.server_withssl_client_withssl to fail too.

How to repeat:
always run mysql with --default-auth=sha256_password
run mysqld with --default-plugin=sha256_password
create a user account that's authenticating with e.g. mysql_native_password and a non-empty password.
try to authenticate against this account.

Suggested fix:
Since the sha256_password plugin can't know if it can safely reset the password in the MYSQL handle or not it should not do so. 
The reset should be moved to the calling function and executed immediately when it's clear that the password is no longer needed.
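Added example (not libmysqlclient code, and not part of the report): a constructed model of the two-step client flow above, with the real mysql_native_password scramble as the second plugin, showing why a first plugin that clears the password in the handle breaks the switch, and the caller-side reset the suggested fix describes. Names (`MysqlHandle`, `authenticate`, `sha256_plugin_step`) are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed model of the client auth flow in the report; not libmysqlclient code.

@dataclass
class MysqlHandle:
    passwd: str                             # the password both client plugins read
    default_auth: str = "sha256_password"   # --default-auth on the mysql client

@dataclass
class NativeAccount:
    """Account authenticating with mysql_native_password: server stores SHA1(SHA1(pw))."""
    stored: bytes
    scramble: bytes                         # 20-byte server challenge from the handshake

def make_account(password: str) -> NativeAccount:
    h1 = hashlib.sha1(password.encode()).digest()
    return NativeAccount(stored=hashlib.sha1(h1).digest(), scramble=os.urandom(20))

def native_scramble(password: str, scramble: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    if not password:
        return b""                          # an empty password yields an empty auth response
    h1 = hashlib.sha1(password.encode()).digest()
    h3 = hashlib.sha1(scramble + hashlib.sha1(h1).digest()).digest()
    return bytes(a ^ b for a, b in zip(h1, h3))

def native_verify(acct: NativeAccount, response: bytes) -> bool:
    """Server side: recover SHA1(pw) from the response and check its hash against storage."""
    if len(response) != 20:
        return False
    h3 = hashlib.sha1(acct.scramble + acct.stored).digest()
    h1 = bytes(a ^ b for a, b in zip(response, h3))
    return hashlib.sha1(h1).digest() == acct.stored

def sha256_plugin_step(handle: MysqlHandle, buggy: bool) -> None:
    """Step 1: exchange with the client's default plugin (sha256_password).
    The bug: the plugin clears the password in the handle although the server may still
    request a different plugin. The fixed plugin leaves the handle untouched."""
    if buggy:
        handle.passwd = ""

def authenticate(handle: MysqlHandle, acct: NativeAccount, buggy: bool) -> bool:
    """Two-step flow from the report against a mysql_native_password account:
    default plugin first, then the server asks for mysql_native_password and the
    client restarts the exchange with that plugin."""
    sha256_plugin_step(handle, buggy)
    ok = native_verify(acct, native_scramble(handle.passwd, acct.scramble))  # step 2
    handle.passwd = ""   # suggested fix: the caller clears the password once it is no longer needed
    return ok
```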
[31 Oct 2014 15:38] Paul DuBois
Noted in 5.7.6 changelog.

The client part of the sha256_password plugin could not be specified
as a default client plugin (--default-auth=sha256_password) for users
authenticating with other server plugins.