The ed25519 authentication plugin provides password authentication based on the Ed25519 signature scheme (an instance of EdDSA, the Edwards-curve Digital Signature Algorithm), a modern alternative to the SHA-1 based mysql_native_password plugin.
MySQL has used SHA-1 based authentication since version 4.1, in the authentication plugin called mysql_native_password. Over the years, as computers became faster and new attacks on SHA-1 were published, SHA-1 stopped being considered as secure as it was in 2001. That is why the ed25519 authentication plugin was created.
The ed25519 authentication plugin uses the Ed25519 signature scheme (EdDSA over Curve25519, not ECDSA) both to store the credential and to authenticate the user: the client derives an Ed25519 key pair from the password and signs a challenge sent by the server, and the server stores only the corresponding public key, so the value kept in mysql.user cannot by itself be used to log in. Ed25519 is the same algorithm OpenSSH uses for its ed25519 keys. It is based on Curve25519 and the reference code created by Daniel J. Bernstein and his co-authors.
Although the plugin's shared library is distributed with MariaDB by default, as auth_ed25519.so (Unix) or auth_ed25519.dll (Windows), the plugin is not installed by default. There are two methods to install it.
The first method installs the plugin without restarting the server: execute INSTALL SONAME or INSTALL PLUGIN:
The second method tells the server to load the plugin when it starts up, by providing the --plugin-load or the --plugin-load-add option. This can be given as a command-line argument to mysqld, or set in a relevant server option group in an option file:
You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN:
If you installed the plugin with the --plugin-load or the --plugin-load-add option in a server option group in an option file, remove that option as well; otherwise the plugin is loaded again the next time the server is restarted.
In MariaDB 10.4 and later, you can create a user account by executing the CREATE USER statement with an IDENTIFIED VIA clause naming the plugin, ed25519, and a USING clause containing the PASSWORD() function with the plain-text password as its argument:
If SQL_MODE does not have NO_AUTO_CREATE_USER set, you can also create the user account via GRANT:
In MariaDB 10.3 and earlier, the PASSWORD() function and the SET PASSWORD statement do not work with the ed25519 authentication plugin. Instead, you have to use the ed25519_password() user-defined function (UDF) that ships with the plugin to calculate the password hash, registering it first with CREATE FUNCTION:
Then calculate the password hash with this query:
Now you can use the hash to create the user account. As with any password, choose a long one that is not easy to guess: the derivation takes only the password as input, so it is deterministic and unsalted (the same password always yields the same stored value, as the two identical outputs for "secret" on this page show), and anyone who obtains the stored values from the mysql.user table can run an offline dictionary or brute-force attack to recover the original password.
To create the user account via CREATE USER, name the plugin in the IDENTIFIED VIA clause and provide the password hash in the USING clause:
If SQL_MODE does not have NO_AUTO_CREATE_USER set, you can also create the user account via GRANT:
Note that users require a password in order to be able to connect. It is possible to create users without specifying a password, but they will be unable to connect.
In MariaDB 10.4 and later, you can change a user account's password by executing the SET PASSWORD statement with the PASSWORD() function and the plain-text password as its argument:
You can also change the password with the ALTER USER statement, naming the plugin in the IDENTIFIED VIA clause and passing the plain-text password to the PASSWORD() function in the USING clause:
In MariaDB 10.3 and earlier, the PASSWORD() function and the SET PASSWORD statement did not work with the ed25519 authentication plugin. Instead, you had to use the ed25519_password() UDF that comes with the plugin to calculate the password hash, registering it first with CREATE FUNCTION:
Then calculate the password hash with this query:
Now you can change the user account's password using the new hash with the ALTER USER statement: name the plugin in the IDENTIFIED VIA clause and provide the password hash in the USING clause:
For clients that use the libmysqlclient or MariaDB Connector/C libraries, MariaDB provides one client authentication plugin that is compatible with the ed25519 authentication plugin:
client_ed25519
When connecting with a command-line client to a server as a user account that authenticates with the ed25519 authentication plugin, you may need to tell the client where to find the client authentication plugin by specifying the --plugin-dir option:
client_ed25519: the client_ed25519 client authentication plugin derives an Ed25519 key pair from the password and signs the server's challenge with the private key, sending only the signature to the server; the plain-text password never leaves the client, and the server verifies the signature with the public key it has stored.
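To make concrete what the stored value is and why the password-quality warning above matters, here is an added example in Python; it is not code from MariaDB or from this page. It reproduces the ed25519_password() derivation as I read the plugin's behaviour: the raw password bytes are hashed with SHA-512, the first 32 bytes are clamped into an Ed25519 private scalar exactly as RFC 8032 does for a seed, and the resulting public key is base64-encoded without padding. That reading is an assumption; the page's own sample value for "secret" gives a direct check when you run it. The curve arithmetic is verified against the RFC 8032 test vector. The second function shows the offline guessing attack the page describes: because the derivation takes only the password, one computation per candidate tests that guess against every account using it. The client's signing of the server challenge is not implemented here.

```python
"""Derive a MariaDB ed25519 authentication string from a password and show
why an unsalted, deterministic derivation lets anyone who has read mysql.user
guess passwords offline.  Added example, not MariaDB code.

Assumption: the plugin hashes the raw password bytes with SHA-512, clamps the
first 32 bytes into an Ed25519 private scalar as RFC 8032 does for a seed,
and stores the base64-encoded public key without '=' padding.
"""
import base64
import hashlib
from typing import Iterable, Optional

# Ed25519 curve parameters (RFC 8032, section 5.1).
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
BASE = (
    15112221349535400772501151409588531511454012693041857206046113283949847762202,
    46316835694926478169428394003475163141307993866256225615783033603165251855960,
)


def point_add(p1, p2):
    """Affine addition on the twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2.
    The formula is complete, so it also doubles a point when p1 == p2."""
    x1, y1 = p1
    x2, y2 = p2
    dxy = D * x1 % P * x2 % P * y1 % P * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + dxy, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - dxy, -1, P) % P
    return x3, y3


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (fine for a demo, not constant-time)."""
    result = (0, 1)  # neutral element of the group
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def encode_point(point) -> bytes:
    """RFC 8032 point encoding: little-endian y with the parity of x in the top bit."""
    x, y = point
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def public_key_from_seed(seed: bytes) -> bytes:
    """RFC 8032 key derivation.  With a 32-byte seed this is standard Ed25519;
    by the assumption above, the MariaDB plugin feeds the password bytes in
    here unchanged, whatever their length."""
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248       # clear the low 3 bits
    h[31] &= 127      # clear the top bit
    h[31] |= 64       # set bit 254
    scalar = int.from_bytes(h, "little")
    return encode_point(scalar_mult(scalar, BASE))


def ed25519_password(password: str) -> str:
    """Python counterpart of the plugin's ed25519_password() UDF (assumed derivation).
    Compare the result for "secret" with the sample value shown on this page."""
    pk = public_key_from_seed(password.encode("utf-8"))
    return base64.b64encode(pk).decode("ascii").rstrip("=")


def crack_authentication_string(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against a value lifted from mysql.user.  No salt means a
    single derivation per candidate, and identical passwords share one value."""
    for candidate in wordlist:
        if ed25519_password(candidate) == stored:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a "dumped" authentication string and a tiny wordlist.
    target = ed25519_password("secret")
    print("derived value for 'secret':", target)
    print("recovered:", crack_authentication_string(target, ["password", "123456", "secret"]))
```

Run it and compare the printed value with the page's sample for "secret"; a match confirms the assumed derivation, and the recovery line shows how cheap one guess is once the table has leaked.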
supports ed25519 authentication using the client authentication plugins mentioned in the previous section.
supports ed25519 authentication using the client authentication plugins mentioned in the previous section.
supports ed25519 authentication.
supports ed25519 authentication.
supports ed25519 authentication.
The connector implemented support for this authentication plugin in a separate package called . After the package is installed, your application must call Ed25519AuthenticationPlugin.Install to enable it.
ed25519

Description: Controls how the server should treat the plugin when it starts up.
Valid values are:
OFF - Disables the plugin without removing it from the mysql.plugins table.
ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
Command line: --ed25519=value
Data Type: enumerated
Default Value: ON
Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT

This page is licensed: CC BY-SA / Gnu FDL
Code examples referenced above (the extraction ran them together; each is labeled with the step it belongs to):

Installing the plugin dynamically:

INSTALL SONAME 'auth_ed25519';

Loading the plugin at server startup, in an option file:

[mariadb]
...
plugin_load_add = auth_ed25519

Uninstalling the plugin dynamically:

UNINSTALL SONAME 'auth_ed25519';

Creating a user account with PASSWORD() (MariaDB 10.4 and later), via CREATE USER or GRANT:

CREATE USER username@hostname IDENTIFIED VIA ed25519 USING PASSWORD('secret');
GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA ed25519 USING PASSWORD('secret');

Registering the ed25519_password() UDF and calculating a password hash (MariaDB 10.3 and earlier):

CREATE FUNCTION ed25519_password RETURNS STRING SONAME "auth_ed25519.so";
SELECT ed25519_password("secret");
+---------------------------------------------+
| SELECT ed25519_password("secret");          |
+---------------------------------------------+
| ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY |
+---------------------------------------------+

Creating a user account with the precomputed hash, via CREATE USER or GRANT:

CREATE USER username@hostname IDENTIFIED VIA ed25519
  USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';
GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA ed25519
  USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';

Changing a password with PASSWORD() (MariaDB 10.4 and later), via SET PASSWORD or ALTER USER:

SET PASSWORD = PASSWORD('new_secret');
ALTER USER username@hostname IDENTIFIED VIA ed25519 USING PASSWORD('new_secret');

Changing a password with a precomputed hash (MariaDB 10.3 and earlier; register the UDF and calculate the hash exactly as shown above):

ALTER USER username@hostname IDENTIFIED VIA ed25519
  USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';

Connecting with the command-line client and pointing it at the directory holding client_ed25519:

mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice