Bug #68478 ERROR 2061 (HY000): Authentication plugin 'sha256_password' reported error
Submitted: 24 Feb 2013 13:46 Modified: 20 Mar 2013 22:30
Reporter: Shahriyar Rzayev
Status: Closed
Category: MySQL Server: Documentation Severity: S3 (Non-critical)
Version: 5.6.10 OS: Linux (Centos 6.3)
Assigned to: Paul DuBois CPU Architecture: Any
Tags: Authentication plugin, sha256_password

[24 Feb 2013 13:46] Shahriyar Rzayev
Description:
As mentioned in documentation:
http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html

After MySQL 5.6.6 there is a new authentication plugin that implements SHA-256 hashing for user account passwords.
Following the documentation, I added under the [mysqld] catalog:
[mysqld]
default-authentication-plugin=sha256_password

then restart the server...
And create a new user:

create user 'piscik'@'localhost' identified by '12345';

Checked:
select user from mysql.user;
+--------+
| user   |
+--------+
| root   |
| root   |
| piscik |
| root   |
+--------+
4 rows in set (0.00 sec)

and then I want to connect:
[root@localhost ~]# mysql -u piscik -p
Enter password: 
ERROR 2061 (HY000): Authentication plugin 'sha256_password' reported error: Authentication requires SSL encryption

As I understand, the error says that you must use SSL with this plugin... MUST.
But in the documentation there is nothing about this, that you must set up SSL... it is just a connection plugin, why must I set up SSL?

How to repeat:
Put this:
[mysqld]
default-authentication-plugin=sha256_password

Restart the server.
create a user.
and connect with this user.

Suggested fix:
nothing to suggest
[28 Feb 2013 13:12] Erlend Dahl
For MySQL distributions built using yaSSL, SHA-256 passwords can be used only when clients access the server using an SSL connection. See

http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html

In order for this to work, the server must be configured with SSL:

  http://dev.mysql.com/doc/refman/5.6/en/configuring-for-ssl.html

Please check the value of 'have_ssl', e.g. 

  SHOW VARIABLES LIKE 'have_ssl'

to see if your server is configured with SSL and come back to us if the problem persists.
[28 Feb 2013 20:33] Shahriyar Rzayev
I read the documentation carefully and don't find anything mentioned about this: "Your MySQL Server MUST be configured to work with SSL for this plugin"
I see this is not a bug... but it is a misdocumentation problem...
This happened with another report of mine (please see the last comment) too:

http://bugs.mysql.com/bug.php?id=68260

Thank you for the reply...
[1 Mar 2013 12:34] Erlend Dahl
I agree that this could probably be better explained in the manual.

Setting the bug to the Docs category so that it can be looked into.
[2 Mar 2013 8:52] Shahriyar Rzayev
Thanks...
My friends say that they have an issue with viewing this report. Something like this:
You do not have access to bug #68478.

Maybe it is because of:
Does this bug report represent a security vulnerability? YES!
[4 Mar 2013 14:25] Erlend Dahl
Yes, you set the security flag when filing the bug report, hence it is not visible to others.

However, I don't think this is a security issue, and hence I have lifted the security flag. The report should be accessible now.
[20 Mar 2013 22:30] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

Added to referenced section:

Note
Use of the sha256_password plugin requires that MySQL be built with SSL capabilities. See Section 6.3.9, “Using SSL for Secure Connections”.
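
The misconfiguration discussed in this thread can be caught before users are created. The following is an added example, not part of the bug report or of MySQL: a small my.cnf check that flags default-authentication-plugin=sha256_password when the [mysqld] section has no SSL options. It assumes the yaSSL-build behaviour described above; the function names, sample configurations and file paths are constructed for illustration.

```python
import configparser

# [mysqld] options that configure server-side SSL in MySQL 5.6.
SSL_OPTIONS = ("ssl-ca", "ssl-cert", "ssl-key")

# Constructed sample: the configuration from the report (no SSL options).
REPORTED_CNF = """
[mysqld]
default-authentication-plugin=sha256_password
"""

# Constructed sample: same plugin with SSL configured; paths are placeholders.
FIXED_CNF = """
[mysqld]
default_authentication_plugin = sha256_password
ssl-ca = /path/to/ca.pem
ssl-cert = /path/to/server-cert.pem
ssl-key = /path/to/server-key.pem
"""


def parse_mysqld(cnf_text):
    """Return the [mysqld] options as a dict with normalised option names."""
    # Allow bare flags, repeated options and literal '%', as my.cnf does.
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None)
    # MySQL accepts '-' and '_' interchangeably in option names.
    parser.optionxform = lambda name: name.strip().lower().replace("_", "-")
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return {}
    return {k: (v or "").strip("'\" ") for k, v in parser.items("mysqld")}


def check_sha256_requires_ssl(cnf_text):
    """Return findings; an empty list means the check found nothing to flag."""
    opts = parse_mysqld(cnf_text)
    if opts.get("default-authentication-plugin") != "sha256_password":
        return []
    missing = [name for name in SSL_OPTIONS if not opts.get(name)]
    return (["default plugin sha256_password without SSL options: "
             + ", ".join(missing)] if missing else [])


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_CNF), ("fixed", FIXED_CNF)):
        print(label, check_sha256_requires_ssl(text) or "ok")
```

SSL options in the file do not prove SSL is active on the running server; SHOW VARIABLES LIKE 'have_ssl', as suggested in the thread, confirms that.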