Authentication Plugin - SHA-256
MySQL 5.6 added support for the sha256_password authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password authentication plugin.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
Support in MariaDB Server
MariaDB Server does not currently support either the sha256_password or the caching_sha2_password authentication plugins. See MDEV-9804 for more information. The rest of this article is mainly about how to use MariaDB clients and connectors to connect to a MySQL server!
MariaDB Server does not support either of these authentication plugins. This is mainly because:
- To use the protocol, one has to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
- The server gets the password in clear text which can cause problems if the user is convinced to connect to a malicious server.
If you are replacing a MySQL instance that uses SHA-256 authentication with MariaDB, you should start by changing the affected accounts from SHA-256 authentication to mysql_native_password:
ALTER USER user_name IDENTIFIED WITH mysql_native_password BY 'new_password';
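The following is an added example for the migration step above, not part of the original article. It is run on the MySQL source server to find the accounts that need changing and to generate one ALTER USER statement per account. The `<new_password>` placeholder and the exclusion of MySQL 8.0's built-in locked accounts are assumptions of this example. A SHA-256 hash cannot be converted to a mysql_native_password hash, so each account needs a new password.

```sql
-- Added example: run on the MySQL source server before the migration.

-- 1. Inventory the accounts that authenticate with a SHA-256 plugin.
--    The three excluded names are MySQL 8.0's built-in locked accounts,
--    which are not application logins (assumption: you do not migrate them).
SELECT user, host, plugin
FROM mysql.user
WHERE plugin IN ('sha256_password', 'caching_sha2_password')
  AND user NOT IN ('mysql.infoschema', 'mysql.session', 'mysql.sys')
ORDER BY user, host;

-- 2. Generate one ALTER USER statement per account. QUOTE() escapes the
--    user and host parts. <new_password> is a placeholder: replace it with
--    a fresh per-account password before running the generated statements.
SELECT CONCAT(
         'ALTER USER ', QUOTE(user), '@', QUOTE(host),
         ' IDENTIFIED WITH mysql_native_password BY ''<new_password>'';'
       ) AS alter_statement
FROM mysql.user
WHERE plugin IN ('sha256_password', 'caching_sha2_password')
  AND user NOT IN ('mysql.infoschema', 'mysql.session', 'mysql.sys')
ORDER BY user, host;

-- 3. After running the generated statements, verify that no application
--    account still uses a SHA-256 plugin. The expected result is 0.
SELECT COUNT(*) AS remaining_sha256_accounts
FROM mysql.user
WHERE plugin IN ('sha256_password', 'caching_sha2_password')
  AND user NOT IN ('mysql.infoschema', 'mysql.session', 'mysql.sys');
```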
Client Authentication Plugins
For clients that use the MariaDB Connector/C library, MariaDB provides two client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:
sha256_password
caching_sha256_password
When connecting with a client or utility to a server as a user account that authenticates with the sha256_password or caching_sha256_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option. For example:
mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice
For clients that use MariaDB's libmysqlclient library instead of MariaDB Connector/C, these client authentication plugins are not supported.
sha256_password
The sha256_password client authentication plugin is compatible with MySQL's sha256_password authentication plugin, which was added in MySQL 5.6.
caching_sha256_password
The caching_sha256_password client authentication plugin is compatible with MySQL's caching_sha2_password authentication plugin, which was added in MySQL 8.0.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
Support in Client Libraries
Using the Plugin with MariaDB Connector/C
MariaDB Connector/C supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.
It has supported the sha256_password client authentication plugin since MariaDB Connector/C 3.0.2. See CONC-229 for more information.
It has supported the caching_sha256_password client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See CONC-312 for more information.
Using the Plugin with MariaDB Connector/ODBC
MariaDB Connector/ODBC supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.
It has supported sha256_password and caching_sha2_password authentication since MariaDB Connector/ODBC 3.1.4. See ODBC-241 for more information.
Using the Plugin with MariaDB Connector/J
MariaDB Connector/J supports sha256_password and caching_sha2_password authentication since MariaDB Connector/J 2.5.0. See CONJ-327 and CONJ-663 for more information.
Using the Plugin with MariaDB Connector/Node.js
MariaDB Connector/Node.js supports sha256_password and caching_sha2_password authentication since MariaDB Connector/Node.js 2.5.0. See CONJS-76 and CONJS-77 for more information.
See Also
- MDEV-9804 contains the plans to use if we ever decide to support these protocols.
- History of MySQL and MariaDB authentication protocols