Understanding MySQL 8.0 caching_sha2_password Authentication Errors and Solutions
This article explains why the MySQL 8.0 client may report the caching_sha2_password authentication error requiring a secure connection, describes the plugin’s design, RSA and SSL mechanisms, cache behavior, and provides practical commands and replication settings to resolve the issue.
When using the MySQL 8.0 client to log in, users often encounter the error ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection. This article explains why this occurs and how to resolve it.
caching_sha2_password Overview
caching_sha2_password is the authentication plugin that became the default in MySQL 8.0.4. It is derived from the earlier sha256_password plugin: the stored credential is a salted, multi‑round SHA‑256 hash, and full authentication requires that the password travel either inside an SSL/TLS connection or encrypted with the server’s RSA public key. The “caching” part adds a server‑side, in‑memory cache of password digests, so that after an account’s first successful login later connections can authenticate with a challenge‑response that does not need an encrypted connection at all.
Q: What does “secure connection or RSA‑based password exchange for unencrypted connections” mean?
The plugin requires that the password never cross the network in the clear. With SSL, the client and server negotiate session keys during the TLS handshake and everything on the connection, including the password, is encrypted. Without SSL, only the password is protected: the client XORs it with the 20‑byte nonce from the handshake (so the ciphertext differs per connection) and encrypts the result with the server’s RSA public key; the server decrypts it with the matching RSA private key.
Tips
SSL protects the whole session: the password, every SQL statement and every result set. A non‑SSL connection with RSA password exchange protects only the password; everything sent after authentication travels in the clear.
Q: How does an unencrypted connection use RSA for password exchange?
The server keeps an in‑memory cache keyed by account. When a connection arrives for an account that already has a cache entry, the plugin runs a challenge‑response (“fast authentication”) that never puts the password on the wire, so no encryption is needed. On a cache miss, for example the first login after the server started, the plugin falls back to full authentication and the client must send the password itself; on a non‑SSL connection it must encrypt it with the server’s RSA public key. The client can supply that key from a local file with --server-public-key-path or ask the server for it during the handshake with --get-server-public-key. If neither option is given, the client receives the classic error shown above. Note that a key fetched with --get-server-public-key travels over the same unencrypted connection, so an attacker who can intercept that connection could substitute their own public key and recover the password; a trusted local copy passed with --server-public-key-path, or simply connecting with SSL, avoids this.
[root@172-16-21-5 ~] mysql -h172.16.21.4 -utest -ptestpass --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

Specifying --get-server-public-key allows the login to succeed:
[root@172-16-21-5 ~] mysql -h172.16.21.4 -utest -ptestpass --ssl-mode=disable --get-server-public-key -e "select 1"
+---+
| 1 |
+---+
| 1 |
+---+

Once the account’s entry is in the cache, later unencrypted connections succeed without either RSA option:
[root@172-16-21-5 ~] mysql -h172.16.21.4 -utest -ptestpass --ssl-mode=disable -e "select 1"
+---+
| 1 |
+---+
| 1 |
+---+

Note: The --server-public-key-path and --get-server-public-key options belong to the MySQL command‑line client programs (mysql, mysqladmin, mysqldump and the others). Applications using libmysqlclient set the equivalent MYSQL_SERVER_PUBLIC_KEY and MYSQL_OPT_GET_SERVER_PUBLIC_KEY options through mysql_options(), and connectors have their own spellings (Connector/J, for example, uses serverRSAPublicKeyFile and allowPublicKeyRetrieval).
Q: Where are the RSA key files stored?
By default, MySQL stores the RSA key pair in the data directory ( datadir ) as private_key.pem (private key) and public_key.pem (public key). The file locations are controlled by the caching_sha2_password_private_key_path and caching_sha2_password_public_key_path system variables, and the pair is generated automatically at startup when caching_sha2_password_auto_generate_rsa_keys is enabled (the default). The public key the server hands out is visible in the Caching_sha2_password_rsa_public_key status variable. Keep private_key.pem readable only by the mysql user: anyone who can read it can decrypt every RSA‑exchanged password.
Q: When does the password‑hash cache expire?
The cache lives only in memory, so it is empty after every server restart. An individual account’s entry is dropped when its password is changed (ALTER USER ... IDENTIFIED BY, SET PASSWORD), when the account is renamed (RENAME USER) or dropped (DROP USER); FLUSH PRIVILEGES clears the whole cache. After any of these, the next login for the affected account goes through full authentication again and needs SSL or the RSA public key.
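The two questions above (why a cache miss on a non‑SSL connection produces the error, and which operations empty the cache) come down to a small state machine. The model below is an added example, not code from this article or from MySQL: it reproduces the plugin’s fast‑authentication arithmetic and the server’s cache decisions, but does not implement the RSA‑encrypted password path, so in this model only an SSL connection satisfies full authentication. The Server class, its method names and the account table are this example’s own construction.

```python
"""Model of caching_sha2_password's cache-driven authentication paths."""
import hashlib
import os

NONCE_LEN = 20  # the server's handshake challenge is 20 random bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def fast_auth_response(password: bytes, nonce: bytes) -> bytes:
    """Client side of fast authentication:
    XOR(SHA256(pw), SHA256(SHA256(SHA256(pw)) || nonce)).
    The password never leaves the client; only this 32-byte value is sent."""
    h1 = sha256(password)
    h2 = sha256(h1)
    h3 = sha256(h2 + nonce)
    return bytes(a ^ b for a, b in zip(h1, h3))


class SecureConnectionRequired(Exception):
    """Stand-in for ERROR 2061: Authentication requires secure connection."""


class Server:
    """Toy server: an account table plus the plugin's in-memory cache."""

    def __init__(self, accounts: dict):
        # The real server stores a salted multi-round SHA-256 hash in mysql.user;
        # a plaintext dict keeps the model short (constructed data only).
        self._accounts = dict(accounts)
        # user -> SHA256(SHA256(password)); empty after every server start.
        self._cache: dict = {}

    def is_cached(self, user: str) -> bool:
        return user in self._cache

    def flush_privileges(self) -> None:
        """FLUSH PRIVILEGES (or a restart) empties the whole cache."""
        self._cache.clear()

    def change_password(self, user: str, new_password: bytes) -> None:
        """ALTER USER ... IDENTIFIED BY drops only that account's entry."""
        self._accounts[user] = new_password
        self._cache.pop(user, None)

    def authenticate(self, user: str, password: bytes, ssl: bool) -> bool:
        """One login attempt. `password` is what the client knows; the server
        sees either the fast-auth response or the cleartext inside TLS."""
        nonce = os.urandom(NONCE_LEN)
        cached = self._cache.get(user)
        if cached is not None:
            # Fast path (works with or without SSL): the client answers the
            # challenge, the server recovers SHA256(pw) and re-hashes it.
            response = fast_auth_response(password, nonce)  # computed client-side
            h3 = sha256(cached + nonce)
            h1 = bytes(a ^ b for a, b in zip(response, h3))
            return sha256(h1) == cached
        # Cache miss: full authentication, the password itself must be sent.
        if not ssl:
            # Without SSL the client would need the server's RSA public key
            # (--get-server-public-key / --server-public-key-path), which this
            # model does not implement, so it fails like the article's first run.
            raise SecureConnectionRequired("Authentication requires secure connection.")
        ok = password == self._accounts.get(user)
        if ok:
            self._cache[user] = sha256(sha256(password))
        return ok


def attempt(server: Server, user: str, password: bytes, ssl: bool) -> str:
    """Outcome of a login as a short string, for scripting and assertions."""
    try:
        return "ok" if server.authenticate(user, password, ssl) else "denied"
    except SecureConnectionRequired:
        return "secure-connection-required"


def demo() -> list:
    """Replays the article's sequence: fail without SSL, succeed with an
    encrypted channel, then succeed without SSL from the cache, then lose
    the cache to FLUSH PRIVILEGES."""
    srv = Server({"test": b"testpass"})  # constructed account, as in the article
    out = [attempt(srv, "test", b"testpass", ssl=False)]   # fresh server, cache miss
    out.append(attempt(srv, "test", b"testpass", ssl=True))  # populates the cache
    out.append(attempt(srv, "test", b"testpass", ssl=False))  # fast auth, no SSL needed
    out.append(attempt(srv, "test", b"wrong", ssl=False))     # fast auth still checks pw
    srv.flush_privileges()
    out.append(attempt(srv, "test", b"testpass", ssl=False))  # back to square one
    return out


if __name__ == "__main__":
    print(demo())
```

The fast path is why the third mysql invocation in the article works with --ssl-mode=disable and no RSA option: the server only needs SHA256(SHA256(password)) from its cache to check the response, and the response reveals nothing useful without the nonce‑bound hash.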
Q: What should be considered when replicating users that use caching_sha2_password?
The same rule applies to the replication user: if the replication connection is not encrypted and the account’s digest is not in the cache on the source, the replica must be able to obtain the source’s RSA public key. For MySQL Group Replication (MGR) with group_replication_ssl_mode=DISABLED, set either group_replication_recovery_get_public_key=ON (request the key from the donor) or group_replication_recovery_public_key_path (a local copy of the key file) on every member, otherwise distributed recovery fails with the same authentication error. For asynchronous or semi‑synchronous replication, configure GET_MASTER_PUBLIC_KEY=1 or MASTER_PUBLIC_KEY_PATH in CHANGE MASTER TO (from 8.0.23 the equivalents are GET_SOURCE_PUBLIC_KEY and SOURCE_PUBLIC_KEY_PATH in CHANGE REPLICATION SOURCE TO). Using a local key file or enabling SSL on the replication channel (MASTER_SSL=1) is preferable to fetching the key over the unencrypted channel.
References
https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/
https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html
Aikesheng Open Source Community
The Aikesheng Open Source Community provides stable, enterprise‑grade open‑source MySQL tools and services, releases a new open‑source component every year on 1024 (Programmers’ Day), and maintains them on an ongoing basis.