ED25519
This page is part of MariaDB's Documentation.
DETAILS
MaxScale's ed25519 authenticator provides an authentication method based on public-key cryptography: the client proves knowledge of its password by producing an Ed25519 signature, and MaxScale checks that signature against a public key stored for the user. MaxScale's ed25519 authentication is compatible with the ed25519 authentication plugin from MariaDB Enterprise Server.
When a client authenticates with MaxScale using ed25519, the following exchange occurs:
1. MaxScale transmits a random message (a nonce) to the client.
2. The client derives an Ed25519 private key from its password, signs the message with that key, and transmits the signature to MaxScale.
3. MaxScale verifies the signature using the public key stored for the user.
Throughout this exchange, the client's password is never transmitted to MaxScale. Because the key pair is derived deterministically from the password alone, the stored public key is only as strong as that password: anyone who obtains the stored key can test password guesses against it offline, so accounts using ed25519 should have strong passwords.
This authentication method does have a downside for MaxScale. MaxScale requires a password to log in to the database nodes on behalf of the client. Since MaxScale never receives the client's password, one of the following options is required:
Option 1: MaxScale must store the password somewhere.
Option 2: MaxScale must use a different authentication method between the client and MaxScale, so that MaxScale can obtain the password from the client.
MaxScale's implementation of ed25519 authentication supports both alternatives. Option 1 is ed_mode=ed25519 and option 2 is ed_mode=sha256.
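The exchange described above, as a worked example added to this page (it is not MaxScale or MariaDB code). It implements Ed25519 in pure Python with textbook, variable-time arithmetic, so it is for illustration only. It assumes, since the page does not spell this out, that the password takes the place of the Ed25519 seed (the secret scalar is the clamped first half of SHA-512 of the password), that the random message is 32 bytes, that the signature is 64 bytes, and that the stored public key is the 32-byte key in unpadded base64. The function offline_guess goes beyond the page: it shows the consequence of deriving the key pair from the password alone.

```python
# Added worked example (not MaxScale/MariaDB code) of the ed25519 exchange described
# above, in pure Python; textbook Ed25519 arithmetic, slow and not constant-time. Assumed,
# not stated on this page: the password acts as the Ed25519 seed (SHA-512, clamp), 32-byte nonce.
import base64
import hashlib
import os

Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point

def inv(x):
    return pow(x, Q - 2, Q)

D = -121665 * inv(121666) % Q                        # curve constant d

def xrecover(y):
    """Even x coordinate for y on -x^2 + y^2 = 1 + D x^2 y^2."""
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * pow(2, (Q - 1) // 4, Q)) % Q        # multiply by sqrt(-1)
    return x if x % 2 == 0 else Q - x

BASE = (xrecover(4 * inv(5) % Q), 4 * inv(5) % Q)    # generator, y = 4/5

def edwards_add(p, r):
    (x1, y1), (x2, y2) = p, r
    t = D * x1 * x2 * y1 * y2
    u = inv((1 + t) * (1 - t))                       # one inversion serves both denominators
    return ((x1 * y2 + x2 * y1) * (1 - t) * u % Q,
            (y1 * y2 + x1 * x2) * (1 + t) * u % Q)

def scalar_mult(p, e):  # double-and-add; variable time, illustration only
    acc = (0, 1)                                     # neutral element
    while e:
        if e & 1:
            acc = edwards_add(acc, p)
        p = edwards_add(p, p)
        e >>= 1
    return acc

def encode_point(p):
    x, y = p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(s):
    if len(s) != 32:
        raise ValueError("bad point encoding")
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q != 0:
        raise ValueError("point not on curve")
    return (x, y)

def hash_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def secret_scalar(password):
    h = hashlib.sha512(password).digest()            # the password plays the seed role
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]   # Ed25519 clamping, nonce prefix

def public_key(password):
    return encode_point(scalar_mult(BASE, secret_scalar(password)[0]))

def stored_public_key(password):
    return base64.b64encode(public_key(password)).decode().rstrip("=")   # assumed: unpadded base64

def sign(password, message):
    """Client side: needs the password; returns the 64-byte signature R || S."""
    a, prefix = secret_scalar(password)
    pk = public_key(password)
    r = hash_int(prefix, message)
    R = encode_point(scalar_mult(BASE, r))
    return R + ((r + hash_int(R, pk, message) * a) % L).to_bytes(32, "little")

def verify(stored_key, message, signature):
    """Server side: needs only the stored public key, never the password."""
    try:
        pk = base64.b64decode(stored_key + "=" * (-len(stored_key) % 4))
        R, A = decode_point(signature[:32]), decode_point(pk)
    except ValueError:
        return False
    s = int.from_bytes(signature[32:], "little")
    h = hash_int(signature[:32], pk, message)
    return (len(signature) == 64 and s < L
            and scalar_mult(BASE, s) == edwards_add(R, scalar_mult(A, h)))

def authenticate(password, stored_key):
    """One exchange: MaxScale sends a nonce, the client signs it, MaxScale verifies."""
    nonce = os.urandom(32)                           # step 1: random message
    signature = sign(password, nonce)                # step 2: password stays with the client
    return verify(stored_key, nonce, signature), nonce, signature   # step 3

def offline_guess(stored_key, candidates):
    """The key pair depends on the password alone, so a leaked stored key can be tested offline."""
    return next((c for c in candidates if stored_public_key(c) == stored_key), None)
```

Only sign needs the password; verify needs nothing but the stored key. That asymmetry is the whole reason for the two modes: in ed25519 mode MaxScale can check the client's signature but cannot produce one toward the database nodes without a stored password, and in sha256 mode it instead obtains the password from the client.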
PARAMETERS
The ed25519 authenticator provides the following options that can be configured via the authenticator_options parameter:
Authenticator Option | Description |
---|---|
ed_mode | Specifies the authentication mode to use. Two values are supported: ed25519 (MaxScale authenticates the client with ed25519 and logs in to the database nodes with the credentials from the user mapping file) and sha256 (MaxScale authenticates the client with caching_sha2_password and logs in to the database nodes with ed25519). |
ed_rsa_privkey_path | Specifies the path to the RSA private key file. Only required for ed_mode=sha256 when TLS is not configured on the listener. |
ed_rsa_pubkey_path | Specifies the path to the RSA public key file. Only required for ed_mode=sha256 when TLS is not configured on the listener. |
EXAMPLES
ed_mode=ed25519
When ed25519 authentication is enabled for a listener in ed25519 mode, MaxScale uses ed25519 authentication between the client and MaxScale, but it uses another authentication method between MaxScale and the database nodes. The other authentication method, together with the user name and password to use, is taken from the user mapping file.
To enable ed25519 authentication for a listener in ed25519 mode, specify authenticator=ed25519auth and authenticator_options="ed_mode=ed25519", and configure the path to the user mapping file with the user_mapping_file parameter:
[rw-listener]
type=listener
address=::
service=rw-service
authenticator=ed25519auth
authenticator_options="ed_mode=ed25519"
user_mapping_file=/etc/maxscale/user_mapping.json
The user mapping file specifies the user mappings and specifies the user names, passwords, and authentication methods to use for authenticating with the database nodes:
{
"user_map": [
{
"original_user": "alice",
"mapped_user": "dba"
},
{
"original_user": "bob",
"mapped_user": "dba"
}
],
"server_credentials": [
{
"mapped_user": "dba",
"password": "PASSWORD",
"plugin": "mysql_native_password"
},
{
"mapped_user": "carol",
"password": "PASSWORD",
"plugin": "mysql_native_password"
}
]
}
The passwords can be stored encrypted or in clear text. Since the file holds working credentials for the database nodes, it should be readable only by the MaxScale process. In the example above:
When alice or bob authenticates with MaxScale, MaxScale uses the mapped dba user with the specified password and authentication method to authenticate with the database nodes. Note that this means any client that can authenticate as alice or bob obtains dba's privileges on the database nodes, so the mapped account should carry only the privileges those clients need.
When carol authenticates with MaxScale, there is no mapped user, so MaxScale uses the password and authentication method specified for carol without performing any user mapping.
ed_mode=sha256
When ed25519 authentication is enabled for a listener in sha256 mode, MaxScale uses ed25519 authentication between MaxScale and the database nodes, but it uses caching_sha2_password authentication between the client and MaxScale. In this mode the client's password does reach MaxScale, which needs it to produce the ed25519 signature for the database nodes, so the password must be protected in transit: either TLS encryption or an RSA key-pair is required. Without TLS, the client encrypts its password with the RSA public key that MaxScale provides and MaxScale decrypts it with the matching private key, so the private key file must be readable only by the MaxScale process. The RSA key-pair is configured by the ed_rsa_privkey_path and ed_rsa_pubkey_path arguments for the authenticator_options parameter.
To enable ed25519 authentication for a listener in sha256 mode, specify authenticator=ed25519auth and authenticator_options="ed_mode=sha256", and configure the paths to the RSA key-pair:
[rw-listener]
type=listener
address=::
service=rw-service
authenticator=ed25519auth
authenticator_options="ed_mode=sha256,ed_rsa_privkey_path=/etc/ssl/maxscale/sha_private_key.pem,ed_rsa_pubkey_path=/etc/ssl/maxscale/sha_public_key.pem"
Alternatively, instead of configuring the paths to an RSA key-pair, TLS can be configured:
[rw-listener]
type=listener
address=::
service=rw-service
authenticator=ed25519auth
authenticator_options="ed_mode=sha256"
ssl=true
ssl_key=/etc/ssl/maxscale/mxs-key.pem
ssl_cert=/etc/ssl/maxscale/mxs-cert.pem
ssl_ca=/etc/ssl/maxscale/ca.pem
CHANGE HISTORY
EXTERNAL REFERENCES
Additional information on this topic may be found in the MariaDB Public Knowledge Base.