Error 2061 occurs when the MySQL client or server cannot execute the selected authentication plugin, stopping the connection handshake.
MySQL Error 2061: CR_AUTH_PLUGIN_ERR means the server-chosen authentication plugin failed on the client or server side. Mismatched client libraries, missing plugin binaries, or unsupported plugins cause it. Install the required plugin or switch the user to a supported plugin (e.g., mysql_native_password) to resolve it.
Authentication plugin '%s' reported error: %s
Error 2061 appears during the connection handshake when MySQL tries to use an authentication plugin that cannot load or execute. The placeholder %s shows the plugin name (for example, caching_sha2_password) and the specific error returned by that plugin.
The failure stops authentication, so the client disconnects before the session starts.
Users see CR_AUTH_PLUGIN_ERR in connectors, mysql CLI, Galaxy, and other tools that rely on libmysql or the MySQL protocol.
The server triggers the error if it cannot run its own authentication plugin binary or library.
The client triggers the error if it does not support, locate, or execute the plugin the server selected for the account.
Error 2061 is common after upgrading to MySQL 8.0, migrating between Linux distributions, or compiling custom client binaries without plugin support.
Plugin mismatch between client and server versions forces the client to load an unavailable plugin.
Missing plugin libraries on the server prevent execution of a custom or third-party authentication method.
Incorrect user account definition in mysql.user references a plugin that was removed or disabled.
Restricted file permissions stop mysqld from reading the plugin shared object files, triggering a load failure.
First, confirm the plugin that fails by reading the full error message or running SHOW CREATE USER.
Then decide whether to install the plugin or switch the account to a supported one.
Most production teams resolve the error by reverting the user to mysql_native_password or caching_sha2_password, which are bundled with MySQL.
After an upgrade, legacy clients compiled before MySQL 8.0 cannot use caching_sha2_password. Updating the connector package or forcing mysql_native_password on the account fixes the handshake.
On Debian or Alpine images, plugin libraries live in a separate package (for example, mysql-community-server-plugins).
Installing that package restores the missing .so files.
Standardize authentication plugins across environments and document them in code repositories.
Automate user creation scripts with ALTER USER ... IDENTIFIED WITH to set the intended plugin explicitly.
Monitor connection errors in logs and alert on spikes of CR_AUTH_PLUGIN_ERR to catch plugin drift early.
Error 1251 (ER_UNKNOWN_AUTH_METHOD) appears when the server receives an unknown plugin name.
The fix mirrors Error 2061: align plugins or install the missing code.
Error 2059 (CR_AUTH_PLUGIN_PAYLOAD_LEN) indicates the client read an invalid plugin payload length, often due to protocol mismatch rather than missing libraries.
Error 1045 (ER_ACCESS_DENIED_ERROR) is more general, but if authentication plugins silently fail it can surface as 1045 instead of 2061.
.
Old MySQL clients or language connectors do not include caching_sha2_password support, so the handshake fails.
Deleting or moving the .so file or setting wrong permissions makes mysqld unable to load the plugin.
Manual UPDATE of mysql.user or an import from another server can point to a plugin the target server does not have.
Plugins compiled for x86 may not run on ARM images such as Apple Silicon, triggering CR_AUTH_PLUGIN_ERR.
.
MySQL 8.0 sets caching_sha2_password as the default plugin. Older clients cannot use it, triggering CR_AUTH_PLUGIN_ERR until you upgrade the connector or switch the user back to mysql_native_password.
Yes. Set default_authentication_plugin=mysql_native_password in my.cnf and restart mysqld. New users inherit that plugin while existing users keep theirs.
Galaxy relies on the local MySQL client library. As long as that library supports the server plugin, Galaxy connects. Using bundled plugins like mysql_native_password or caching_sha2_password avoids issues.
Direct UPDATE statements work but bypass validation. Prefer ALTER USER which checks plugin existence and updates related security fields correctly.
.avif)
.avif){kind=logo}
