Authentication Plugin - SHA-256
Contents
MySQL 5.6 added support for the sha256_password
authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password
authentication plugin.
The caching_sha2_password
plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin
system variable.
Support in MariaDB Server
MariaDB Server does not currently support either the sha256_password
or the caching_sha2_password
authentication plugins. See MDEV-9804 for more information. The rest of this article is mainly about how to use MariaDB clients and connectors to connect to MySQL!
MariaDB Server does not support either of these authentication plugins. This is mainly because:
- To use the protocol, one has to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
- The server gets the password in clear text which can cause problems if the user is convinced to connect to a malicious server.
If you are replacing a MySQL instance, that is using SHA-256 authentication, with MariaDB, you should start by changing SHA-256 authentication to use mysql_native_authentication.
ALTER USER user_name IDENTIFIED WITH mysql_native_password BY 'new_password'
Client Authentication Plugins
For clients that use the MariaDB Connector/C library, MariaDB provides two client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:
sha256_password
caching_sha256_password
When connecting with a client or utility to a server as a user account that authenticates with the sha256_password
or caching_sha256_password
authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir
option. For example:
mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice
For clients that use MariaDB's libmysqlclient
library instead of MariaDB Connector/C, these client authentication plugins are not supported.
sha256_password
The sha256_password
client authentication plugin is compatible with MySQL's sha256_password
authentication plugin, which was added in MySQL 5.6.
caching_sha256_password
The caching_sha256_password
client authentication plugin is compatible with MySQL's caching_sha2_password
authentication plugin, which was added in MySQL 8.0.
The caching_sha2_password
plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin
system variable.
Support in Client Libraries
Using the Plugin with MariaDB Connector/C
MariaDB Connector/C supports sha256_password
and caching_sha2_password
authentication using the client authentication plugins mentioned in the previous section.
It has supported the sha256_password
client authentication plugin since MariaDB Connector/C 3.0.2. See CONC-229 for more information.
It has supported the caching_sha256_password
client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See CONC-312 for more information.
Using the Plugin with MariaDB Connector/ODBC
MariaDB Connector/ODBC supports sha256_password
and caching_sha2_password
authentication using the client authentication plugins mentioned in the previous section.
It has supported sha256_password
and caching_sha2_password
authentication since MariaDB Connector/ODBC 3.1.4. See ODBC-241 for more information.
Using the Plugin with MariaDB Connector/J
MariaDB Connector/J supports sha256_password
and caching_sha2_password
authentication since MariaDB Connector/J 2.5.0. See CONJ-327 and CONJ-663 for more information.
Using the Plugin with MariaDB Connector/Node.js
MariaDB Connector/Node.js supports sha256_password
and caching_sha2_password
authentication since MariaDB Connector/Node.js 2.5.0. See CONJS-76 and CONJS-77 for more information.
See Also
- MDEV-9804 contains the plans to use if we ever decide to support these protocols.
- History of MySQL and MariaDB authentication protocols