Authentication Plugin - mysql_native_password

The mysql_native_password authentication plugin is the default authentication plugin that will be used for an account created when no authentication plugin is explicitly mentioned and old_passwords=0 is set. It uses the password hashing algorithm introduced in MySQL 4.1, which is also used by the PASSWORD() function when old_passwords=0 is set. This hashing algorithm is based on SHA-1.

It is not recommended to use the mysql_native_password authentication plugin for new installations that require high password security. If someone is able to both listen to the connection protocol and get a copy of the mysql.user table, then the person would be able to use this information to connect to the MariaDB server. The ed25519 authentication plugin is a more modern authentication plugin that provides simple password authentication using a more secure algorithm.

Installing the Plugin

The mysql_native_password authentication plugin is statically linked into the server, so no installation is necessary.

Creating Users

The easiest way to create a user account with the mysql_native_password authentication plugin is to make sure that is set, and then create a user account via that does not specify an authentication plugin, but does specify a password via the clause:

If does not have NO_AUTO_CREATE_USER set, then you can also create the user account via :

You can also create the user account by providing a password hash via the clause, and MariaDB will validate whether the password hash is one that is compatible with mysql_native_password:

Similar to all other , you could also specify the name of the plugin in the clause while providing the password hash as the USING clause:

Changing User Passwords

You can change a user account's password with the statement while providing the plain-text password as an argument to the function:

You can also change the user account's password with the statement. You would have to make sure that is set, and then you would have to specify a password via the clause:

Client Authentication Plugins

For clients that use the libmysqlclient or libraries, MariaDB provides one client authentication plugin that is compatible with the mysql_native_password authentication plugin:

• mysql_native_password

When connecting with a to a server as a user account that authenticates with the mysql_native_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:

However, the mysql_native_password client authentication plugin is generally statically linked into client libraries like libmysqlclient or , so this is not usually necessary.

mysql_native_password

The mysql_native_password client authentication plugin hashes the password before sending it to the server.

Support in Client Libraries

The mysql_native_password authentication plugin is one of the conventional authentication plugins, so all client libraries should support it.

Known Old Issues (Only Relevant for Old Installations)

Mismatches Between Password and authentication_string Columns

For compatibility reasons, the mysql_native_password authentication plugin tries to read the password hash from both the Password and authentication_string columns in the table. This has caused issues in the past if one of the columns had a different value than the other.

See Also

• secure connection plugin

_{This page is licensed: CC BY-SA / Gnu FDL}