Database Account Two-Factor Authentication (2FA)
This page is part of MariaDB's MariaDB Documentation.
The parent of this page is: Options
Topics on this page:
MariaDB SkySQL supports database account 2FA (two-factor authentication) as an option:
This feature is not enabled by default. By default, database users are authenticated by single factor, password.
When enabled, users are authenticated by password and a second factor via PAM.
Database Account 2FA is available to Power Tier customers.
Single Node Analytics
Single Node Transactions
Enable Database Account 2FA
Launch the SkySQL service to be linked.
Contact SkySQL Support to request database account 2FA:
Provide the SkySQL Service name.
Additional instructions on configuration and usage are provided by SkySQL Support.
Service Configuration for PHP
When database account 2FA is enabled for a SkySQL service that uses MariaDB Enterprise Server, the service requires extra configuration to accept connections from PHP.
By default, Enterprise Server's
pam authentication plugin tells the client to provide the password or authentication token using the
dialog client authentication plugin. PHP does not currently support the
dialog client authentication plugin, so PHP applications can not authenticate via
pam with the default service configuration. When authentication is attempted, a warning or error is raised with the following message:
mysqli_connect(): The server requested authentication method unknown to the client [dialog] in SOURCE_FILE on line SOURCE_LINE
However, PHP does support the
mysql_clear_password client authentication plugin, which can be used instead of the
dialog client authentication plugin.
MariaDB Enterprise Server can be configured to use
mysql_clear_password instead of
dialog by enabling the
pam_use_cleartext_plugin system variable. The
pam_use_cleartext_plugin system variable can be enabled as a custom configuration. For more information, contact MariaDB Support.