Authentication Plugin - SHA-256
Background
MySQL 5.6 added support for the sha256_password authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password authentication plugin.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
Support in MariaDB Server
MariaDB Server does not support the sha256_password plugin. A caching_sha2_password authentication plugin was added in MariaDB Community Server 12.1 and Enterprise Server 11.8. See MDEV-9804 for more information.
Reasons for not supporting the SHA-256 plugin:
To use the protocol, you have to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
The server receives the password in clear text, which can cause problems if the user connects to a malicious server.
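Added example (not part of the MariaDB documentation): before the migration step that follows, these queries list the accounts on the MySQL source instance that use either SHA-256 plugin and generate one ALTER USER statement per account. Running them on the source instance with read access to mysql.user is an assumption, and '<new_password>' is a placeholder to replace per account.

```sql
-- Added example: inventory and prepare SHA-256 accounts for migration.
-- Assumption: run on the MySQL source instance by an account that can read mysql.user.

-- 1. Check which plugin new accounts receive by default.
--    On MySQL 8.0.4 and above this is caching_sha2_password unless changed.
SHOW VARIABLES LIKE 'default_authentication_plugin';

-- 2. List every account that authenticates with a SHA-256 plugin.
SELECT user, host, plugin
FROM mysql.user
WHERE plugin IN ('sha256_password', 'caching_sha2_password')
ORDER BY user, host;

-- 3. Generate one ALTER USER statement per affected account.
--    The stored SHA-256 hash cannot be converted, so each account needs a
--    password set again; '<new_password>' is a placeholder, not a real value.
--    QUOTE() escapes the account name and host safely.
SELECT CONCAT(
         'ALTER USER ', QUOTE(user), '@', QUOTE(host),
         ' IDENTIFIED WITH mysql_native_password BY ''<new_password>'';'
       ) AS migration_statement
FROM mysql.user
WHERE plugin IN ('sha256_password', 'caching_sha2_password')
ORDER BY user, host;

-- 4. After applying the statements, confirm that no SHA-256 accounts remain.
--    The expected result is 0.
SELECT COUNT(*) AS remaining_sha256_accounts
FROM mysql.user
WHERE plugin IN ('sha256_password', 'caching_sha2_password');
```

Review the generated statements before running them, and distribute the new passwords over a channel other than the database connection being migrated.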
If you are migrating from a MySQL instance that uses SHA-256 authentication, you have to change the affected accounts from SHA-256 authentication to mysql_native_password:
ALTER USER user_name IDENTIFIED WITH mysql_native_password BY 'new_password';
Support in Client Libraries
Client Authentication Plugins
For clients that use the MariaDB Connector/C library, MariaDB provides client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:
sha256_password
caching_sha256_password
When connecting with a client or utility to a server, using a user account that authenticates with the sha256_password or caching_sha256_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:
mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice
For clients that use MariaDB's libmysqlclient library instead of MariaDB Connector/C, those authentication plugins are not supported.
sha256_password
The sha256_password client authentication plugin is compatible with MySQL's sha256_password authentication plugin, which was added in MySQL 5.6.
caching_sha256_password
The caching_sha256_password client authentication plugin is compatible with MySQL's caching_sha2_password authentication plugin, which was added in MySQL 8.0.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
Using the Plugin with MariaDB Connector/C
MariaDB Connector/C supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.
It has supported the sha256_password client authentication plugin since MariaDB Connector/C 3.0.2. See CONC-229 for more information.
It has supported the caching_sha256_password client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See CONC-312 for more information.
Using Plugins with MariaDB Connector/ODBC
MariaDB Connector/ODBC supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.
It has supported sha256_password and caching_sha2_password authentication since MariaDB Connector/ODBC 3.1.4. See ODBC-241 for more information.
Using Plugins with MariaDB Connector/J
MariaDB Connector/J supports sha256_password and caching_sha2_password authentication since MariaDB Connector/J 2.5.0. See CONJ-327 and CONJ-663 for more information.
Note: Version 3.x is a rewrite of the connector and implements only caching_sha2_password, since sha256_password is implemented only on an EOL version.
Using Plugins with MariaDB Connector/Node.js
MariaDB Connector/Node.js supports sha256_password and caching_sha2_password authentication since MariaDB Connector/Node.js 2.5.0. See CONJS-76 and CONJS-77 for more information.
See Also
MDEV-9804 contains the plans to use if we ever decide to support these protocols.
This page is licensed: CC BY-SA / Gnu FDL