ED25519

Overview

In 23.08, 23.02:

Highly secure authentication method based on public key cryptography.

In 22.08, 6, 2.5, 2.4:

Not present

See also: Authenticators for MariaDB MaxScale 23.08, in 23.02, in 22.08, in 6, in 2.5, and in 2.4

DETAILS

MaxScale's ed25519 authenticator provides a highly secure authentication method based on public key cryptography.

MaxScale's ed25519 authentication is compatible with the ed25519 authentication plugin from MariaDB Enterprise Server.

When a client authenticates with MaxScale using ed25519, the following exchange occurs:

  1. MaxScale transmits a random message to the client.

  2. The client signs the message using the password as the private key and transmits the signature to MaxScale.

  3. MaxScale verifies the signature using the public key stored for the user.

Throughout this exchange, the client's password is never transmitted to MaxScale.

This authentication method does have a downside for MaxScale. MaxScale requires a password to log in to the database nodes on behalf of the client. Since MaxScale never receives the client's password, one of the following options is required:

  • Option 1: MaxScale must store the password somewhere

  • Option 2: MaxScale must use a different authentication method between the client and MaxScale, so that MaxScale can obtain the password from the client

MaxScale's implementation of ed25519 authentication supports both alternatives. Option 1 is ed_mode=ed25519 and option 2 is ed_mode=sha256.

PARAMETERS

The ed25519 authenticator provides the following options that can be configured via the authenticator_options parameter:

ed_mode (String)

  Specifies the authentication mode to use. Two values are supported:

    • ed25519 (default): Use ed25519 authentication between the client and MaxScale, but use another authentication method between MaxScale and the database nodes. Requires a user mapping file containing passwords. The user mapping file is configured by the user_mapping_file parameter.

    • sha256: Use caching_sha2_password authentication between the client and MaxScale, but use ed25519 authentication between MaxScale and the database nodes. Requires either TLS encryption or an RSA key-pair. The RSA key-pair is configured by the ed_rsa_privkey_path and ed_rsa_pubkey_path arguments for the authenticator_options parameter.

ed_rsa_privkey_path (String)

  Specifies the path to the RSA private key file. Only required for ed_mode=sha256 when TLS is not used.

ed_rsa_pubkey_path (String)

  Specifies the path to the RSA public key file. Only required for ed_mode=sha256 when TLS is not used.

EXAMPLES

ed_mode=ed25519

When ed25519 authentication is enabled for a listener in ed25519 mode, MaxScale uses ed25519 authentication between the client and MaxScale, but it uses another authentication method between MaxScale and the database nodes. That other authentication method, and the credentials it needs, are read from the user mapping file.

To enable ed25519 authentication for a listener in ed25519 mode, specify authenticator=ed25519auth and authenticator_options="ed_mode=ed25519" and configure the path to the user mapping file with the user_mapping_file parameter:

[rw-listener]
type=listener
address=::
service=rw-service
authenticator=ed25519auth
authenticator_options="ed_mode=ed25519"
user_mapping_file=/etc/maxscale/user_mapping.json

The user mapping file specifies the user mappings, together with the user names, passwords, and authentication methods MaxScale uses when authenticating with the database nodes:

{
   "user_map": [
      {
         "original_user": "alice",
         "mapped_user": "dba"
      },
      {
         "original_user": "bob",
         "mapped_user": "dba"
      }
   ],
   "server_credentials": [
      {
         "mapped_user": "dba",
         "password": "PASSWORD",
         "plugin": "mysql_native_password"
      },
      {
         "mapped_user": "carol",
         "password": "PASSWORD",
         "plugin": "mysql_native_password"
      }
   ]
}

The passwords can be stored in clear text or encrypted with maxpasswd.

In the example above:

  • When alice or bob authenticates with MaxScale, MaxScale uses the mapped dba user with the specified password and authentication method to authenticate with the database nodes.

  • When carol authenticates with MaxScale, there is no mapped user, so MaxScale uses the password and authentication method specified for carol without performing any user mapping.
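The following added example (not MaxScale's own code) loads a user mapping file with the same content as the one above, checks that every mapping target has a server_credentials entry, and resolves which backend user and plugin MaxScale would use for a given client user; the behaviour for a client user with neither a mapping nor its own credentials (returning None) is an assumption, as the page does not state it.

```python
import json

# Constructed sample identical in content to the user mapping file shown above.
USER_MAPPING_JSON = """
{
  "user_map": [
    {"original_user": "alice", "mapped_user": "dba"},
    {"original_user": "bob", "mapped_user": "dba"}
  ],
  "server_credentials": [
    {"mapped_user": "dba", "password": "PASSWORD", "plugin": "mysql_native_password"},
    {"mapped_user": "carol", "password": "PASSWORD", "plugin": "mysql_native_password"}
  ]
}
"""

def load_mapping(text):
    """Parse the file; reject it if a mapping target has no server_credentials entry."""
    doc = json.loads(text)
    user_map = {m["original_user"]: m["mapped_user"] for m in doc.get("user_map", [])}
    creds = {c["mapped_user"]: c for c in doc.get("server_credentials", [])}
    missing = sorted(set(user_map.values()) - set(creds))
    if missing:
        raise ValueError(f"user_map targets without server_credentials: {missing}")
    return user_map, creds

def resolve_backend_login(client_user, user_map, creds):
    """Return (backend_user, plugin) used towards the database nodes, or None.

    Assumption (not stated on the page): a client user with neither a mapping
    nor its own credentials entry cannot be logged in to the backend at all.
    """
    backend_user = user_map.get(client_user, client_user)  # unmapped: keep own name
    entry = creds.get(backend_user)
    return None if entry is None else (backend_user, entry["plugin"])

if __name__ == "__main__":
    um, cr = load_mapping(USER_MAPPING_JSON)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "->", resolve_backend_login(user, um, cr))
```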

ed_mode=sha256

When ed25519 authentication is enabled for a listener in sha256 mode, MaxScale uses ed25519 authentication between MaxScale and the database nodes, but it uses caching_sha2_password authentication between the client and MaxScale. To use this mode, either TLS encryption or an RSA key-pair is required. The RSA key-pair is configured by the ed_rsa_privkey_path and ed_rsa_pubkey_path arguments for the authenticator_options parameter.

To enable ed25519 authentication for a listener in sha256 mode, specify authenticator=ed25519auth and authenticator_options="ed_mode=sha256" and configure the paths to the RSA key-pair:

[rw-listener]
type=listener
address=::
service=rw-service
authenticator=ed25519auth
authenticator_options="ed_mode=sha256,ed_rsa_privkey_path=/etc/ssl/maxscale/sha_private_key.pem,ed_rsa_pubkey_path=/etc/ssl/maxscale/sha_public_key.pem"

Alternatively, instead of configuring the paths to an RSA key-pair, TLS can be configured:

[rw-listener]
type=listener
address=::
service=rw-service
authenticator=ed25519auth
authenticator_options="ed_mode=sha256"
ssl=true
ssl_key=/etc/ssl/maxscale/mxs-key.pem
ssl_cert=/etc/ssl/maxscale/mxs-cert.pem
ssl_ca=/etc/ssl/maxscale/ca.pem
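As an added example (not part of MaxScale), the checker below applies the requirements stated in the parameters section and both example subsections to listener sections parsed with configparser: ed_mode=ed25519 needs user_mapping_file, and ed_mode=sha256 needs ssl=true or both ed_rsa_*_path options. The section names and the deliberately incomplete last section are constructed for the demonstration.

```python
import configparser

# Constructed listener sections mirroring the page's examples (added example, not MaxScale code).
LISTENERS = """
[ed-listener]
authenticator=ed25519auth
authenticator_options="ed_mode=ed25519"
user_mapping_file=/etc/maxscale/user_mapping.json

[sha-rsa-listener]
authenticator=ed25519auth
authenticator_options="ed_mode=sha256,ed_rsa_privkey_path=/etc/ssl/maxscale/sha_private_key.pem,ed_rsa_pubkey_path=/etc/ssl/maxscale/sha_public_key.pem"

[sha-tls-listener]
authenticator=ed25519auth
authenticator_options="ed_mode=sha256"
ssl=true

[sha-broken-listener]
authenticator=ed25519auth
authenticator_options="ed_mode=sha256"
"""

def parse_auth_options(raw):
    """Split authenticator_options ('k=v,k=v', possibly quoted) into a dict."""
    return dict(kv.split("=", 1) for kv in raw.strip().strip('"').split(",") if "=" in kv)

def check_listener(section):
    """Return the list of problems for one listener section (empty list means OK)."""
    if section.get("authenticator") != "ed25519auth":
        return ["authenticator is not ed25519auth"]
    opts = parse_auth_options(section.get("authenticator_options", ""))
    mode = opts.get("ed_mode", "ed25519")  # ed25519 is the documented default
    if mode == "ed25519":
        # MaxScale never sees the client's password, so backend passwords come from the file.
        return [] if section.get("user_mapping_file") else ["ed_mode=ed25519 needs user_mapping_file"]
    if mode == "sha256":
        # The client's password reaches MaxScale here, so it must be protected by TLS or RSA.
        tls = section.get("ssl", "false").lower() == "true"
        rsa = {"ed_rsa_privkey_path", "ed_rsa_pubkey_path"} <= set(opts)
        return [] if tls or rsa else ["ed_mode=sha256 needs ssl=true or both ed_rsa_*_path options"]
    return [f"unknown ed_mode {mode!r}"]

def check_config(text):
    """Check every section of a MaxScale-style config snippet; returns {section: problems}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name: check_listener(cp[name]) for name in cp.sections()}

if __name__ == "__main__":
    for name, problems in check_config(LISTENERS).items():
        print(name, "OK" if not problems else problems)
```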

CHANGE HISTORY

Release Series   History
23.08            Present starting in MariaDB MaxScale 23.08.1.
23.02            Added in MariaDB MaxScale 23.02.1.
22.08            Not present.
6                Not present.
2.5              Not present.
2.4              Not present.