Authentication Plugin - ed25519

MySQL has used SHA-1 based authentication since version 4.1. Since MariaDB 5.2 this authentication plugin has been called mysql_native_password. Over the years as computers became faster, new attacks on SHA-1 were being developed. Nowadays SHA-1 is no longer considered as secure as it was in 2001. That's why the ed25519 authentication plugin was created.

The ed25519 authentication plugin uses Elliptic Curve Digital Signature Algorithm (ECDSA) to securely store users' passwords and to authenticate users. The ed25519 algorithm is the same one that is used by OpenSSH. It is based on the elliptic curve and code created by Daniel J. Bernstein.

From a user's perspective, the ed25519 authentication plugin still provides conventional password-based authentication.

Installing the Plugin

Although the plugin's shared library is distributed with MariaDB by default as auth_ed25519.so or auth_ed25519.dll depending on the operating system, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME or INSTALL PLUGIN. For example:

INSTALL SONAME 'auth_ed25519';

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load or the --plugin-load-add options. This can be specified as a command-line argument to mariadbd or it can be specified in a relevant server option group in an option file. For example:

[mariadb]
...
plugin_load_add = auth_ed25519

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN. For example:

UNINSTALL SONAME 'auth_ed25519';

If you installed the plugin by providing the --plugin-load or the --plugin-load-add options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Creating Users

MariaDB starting with 10.4

In MariaDB 10.4 and later, you can create a user account by executing the CREATE USER statement and providing the IDENTIFIED VIA clause followied by the the name of the plugin, which is ed25519, and providing the the USING clause followed by the PASSWORD() function with the plain-text password as an argument. For example:

CREATE USER username@hostname IDENTIFIED VIA ed25519 USING PASSWORD('secret');

If SQL_MODE does not have NO_AUTO_CREATE_USER set, then you can also create the user account via GRANT. For example:

GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA ed25519 USING PASSWORD('secret');
MariaDB until 10.3

In MariaDB 10.3 and before, the PASSWORD() function and SET PASSWORD statement did not work with the ed25519 authentication plugin. Instead, you would have to use the UDF that comes with the authentication plugin to calculate the password hash. For example:

CREATE FUNCTION ed25519_password RETURNS STRING SONAME "auth_ed25519.so";

Now you can calculate a password hash by executing:

SELECT ed25519_password("secret");
+---------------------------------------------+
| SELECT ed25519_password("secret");          |
+---------------------------------------------+
| ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY |
+---------------------------------------------+

Now you can use it to create the user account using the new password hash.

To create a user account via CREATE USER, specify the name of the plugin in the IDENTIFIED VIA clause while providing the password hash as the USING clause. For example:

CREATE USER username@hostname IDENTIFIED VIA ed25519 
  USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';

If SQL_MODE does not have NO_AUTO_CREATE_USER set, then you can also create the user account via GRANT. For example:

GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA ed25519 
  USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';

Note that users require a password in order to be able to connect. It is possible to create a user without specifying a password, but they will be unable to connect.

Changing User Passwords

MariaDB starting with 10.4

In MariaDB 10.4 and later, you can change a user account's password by executing the SET PASSWORD statement followed by the PASSWORD() function and providing the plain-text password as an argument. For example:

SET PASSWORD =  PASSWORD('new_secret')

You can also change the user account's password with the ALTER USER statement. You would have to specify the name of the plugin in the IDENTIFIED VIA clause while providing the plain-text password as an argument to the PASSWORD() function in the USING clause. For example:

ALTER USER username@hostname IDENTIFIED VIA ed25519 USING PASSWORD('new_secret');
MariaDB until 10.3

In MariaDB 10.3 and before, the PASSWORD() function and SET PASSWORD statement did not work with the ed25519 authentication plugin. Instead, you would have to use the UDF that comes with the authentication plugin to calculate the password hash. For example:

CREATE FUNCTION ed25519_password RETURNS STRING SONAME "auth_ed25519.so";

Now you can calculate a password hash by executing:

SELECT ed25519_password("secret");
+---------------------------------------------+
| SELECT ed25519_password("secret");          |
+---------------------------------------------+
| ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY |
+---------------------------------------------+

Now you can change the user account's password using the new password hash.

You can change the user account's password with the ALTER USER statement. You would have to specify the name of the plugin in the IDENTIFIED VIA clause while providing the password hash as the USING clause. For example:

ALTER USER username@hostname IDENTIFIED VIA ed25519 
  USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';

Client Authentication Plugins

For clients that use the libmysqlclient or MariaDB Connector/C libraries, MariaDB provides one client authentication plugin that is compatible with the ed25519 authentication plugin:

  • client_ed25519

When connecting with a client or utility to a server as a user account that authenticates with the ed25519 authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option. For example:

mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice

client_ed25519

The client_ed25519 client authentication plugin hashes and signs the password using the Elliptic Curve Digital Signature Algorithm (ECDSA) before sending it to the server.

Support in Client Libraries

Using the Plugin with MariaDB Connector/C

MariaDB Connector/C supports ed25519 authentication using the client authentication plugins mentioned in the previous section since MariaDB Connector/C 3.1.0.

Using the Plugin with MariaDB Connector/ODBC

MariaDB Connector/ODBC supports ed25519 authentication using the client authentication plugins mentioned in the previous section since MariaDB Connector/ODBC 3.1.2.

Using the Plugin with MariaDB Connector/J

MariaDB Connector/J supports ed25519 authentication since MariaDB Connector/J 2.2.1.

Using the Plugin with MariaDB Connector/Node.js

MariaDB Connector/Node.js supports ed25519 authentication since MariaDB Connector/Node.js 2.1.0.

Using the Plugin with MySqlConnector for .NET

MySqlConnector for ADO.NET supports ed25519 authentication since MySqlConnector 0.56.0.

The connector implemented support for this authentication plugin in a separate NuGet package called MySqlConnector.Authentication.Ed25519. After the package is installed, your application must call Ed25519AuthenticationPlugin.Install to enable it.

Versions

VersionStatusIntroduced
1.1StableMariaDB 10.4.0
1.0StableMariaDB 10.3.8, MariaDB 10.2.17, MariaDB 10.1.35
1.0BetaMariaDB 10.2.5, MariaDB 10.1.22

Options

ed25519

  • Description: Controls how the server should treat the plugin when the server starts up.
    • Valid values are:
      • OFF - Disables the plugin without removing it from the mysql.plugins table.
      • ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
      • FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
      • FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
    • See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
  • Commandline: --ed25519=value
  • Data Type: enumerated
  • Default Value: ON
  • Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.