Bug #75670 Connection fails with "Public Key Retrieval is not allowed" for native auth
Submitted: 28 Jan 2015 21:06
Modified: 20 Aug 2015 19:57
Reporter: Jess Balint
Status: Closed
Category: Connector / J
Severity: S3 (Non-critical)
Version: 5.1
OS: Any
Assigned to: Filipe Silva
CPU Architecture: Any
Tags: auth, pluggable auth, SHA256

[28 Jan 2015 21:06] Jess Balint
The driver manages the state of connecting improperly and fails with "java.sql.SQLNonTransientConnectionException: Public Key Retrieval" even if the user is configured with the mysql_native_password plugin.

How to repeat:
Set default auth plugin to sha256. Server will send initial handshake packet specifying sha256 plugin. Driver will try to generate a response for sha256. If the password is not empty, SSL is not enabled (requiring RSA), and the RSA public key is not given, the driver will attempt to request it from the server. However, if the connection property "allowPublicKeyRetrieval" is not set to true, an exception is thrown.

Suggested fix:
Driver should proceed with authentication when the server sends an auth change request after realizing that the user is configured with the mysql_native_password plugin.
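A constructed model of the decision chain the report describes, added here as an illustration and not Connector/J code: the plugin names are MySQL's, the property names are the ones on this page, and the "fixed" branch is an assumed simplification in which the server's auth switch is allowed to move authentication to the account's real plugin instead of the driver failing first.

```python
"""Constructed model (not Connector/J code) of the sha256_password handshake decision in bug #75670."""
from dataclasses import dataclass
from typing import Optional

SHA256 = "sha256_password"
NATIVE = "mysql_native_password"


class PublicKeyRetrievalNotAllowed(Exception):
    """Stands in for SQLNonTransientConnectionException: Public Key Retrieval is not allowed."""


@dataclass
class ConnProps:
    password: str
    use_ssl: bool = False
    server_rsa_public_key_file: Optional[str] = None  # serverRSAPublicKeyFile
    allow_public_key_retrieval: bool = False          # allowPublicKeyRetrieval


def sha256_first_response(p: ConnProps) -> str:
    """How the driver can answer a sha256_password challenge, in the order the report gives."""
    if not p.password:
        return "empty"                    # nothing secret to send
    if p.use_ssl:
        return "cleartext-over-tls"       # the TLS channel protects the password
    if p.server_rsa_public_key_file:
        return "rsa-with-local-key"       # key supplied out of band, so it is trusted
    if p.allow_public_key_retrieval:
        return "request-server-key"       # key fetched unauthenticated over plaintext
    raise PublicKeyRetrievalNotAllowed


def authenticate(p: ConnProps, server_default: str, account_plugin: str, fixed: bool) -> str:
    """Return the plugin that finally authenticates the user, or raise as the driver would."""
    if server_default != SHA256:
        return account_plugin
    try:
        sha256_first_response(p)
    except PublicKeyRetrievalNotAllowed:
        if not fixed or account_plugin == SHA256:
            raise                         # pre-fix: fail before the server can switch plugins
        # assumed fixed behaviour: the server's auth switch moves us to the account's plugin
        return account_plugin
    return account_plugin


def outcome(p: ConnProps, server_default: str, account_plugin: str, fixed: bool) -> str:
    """Convenience wrapper that turns the raise into a string for comparison."""
    try:
        return "auth via " + authenticate(p, server_default, account_plugin, fixed)
    except PublicKeyRetrievalNotAllowed:
        return "Public Key Retrieval is not allowed"
```

Only the TLS and local-key branches send the password without trusting an unauthenticated key from the network; the model makes that ordering explicit.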

[20 Aug 2015 19:57] Daniel So
Added the following entry to the Connector/J 6.0 changelog:

"If the MySQL server's default authentication method was SHA256 but neither one of the Connector/J connection properties allowPublicKeyRetrieval and serverRSAPublicKeyFile was set, the authentication failed with a TransientConnectionException, complaining that the public key could not be retrieved. With this fix, authentication continues in the situation, allowing other enabled authentication methods to be tried."

[20 Aug 2015 20:32] Daniel So
CORRECTION: The changelog entry mentioned was actually added for Connector/J 5.1.37.