ed25519 authentication plugin

MariaDB starting with 10.1.22

The ed25519 plugin was first released in MariaDB 10.1.22.

MySQL has used SHA-1 based authentication since version 4.1. Since MariaDB 5.2 this authentication method has been called "mysql_native_password". Over the years, as computers became faster, new attacks on SHA-1 were developed. Nowadays SHA-1 is no longer considered as secure as it was in 2001. That is why the ed25519 plugin was created.

The ed25519 plugin uses the Elliptic Curve Digital Signature Algorithm to securely store users' passwords and to authenticate users. The particular algorithm, ed25519, is the same one used by OpenSSH and is based on the elliptic curve and the code created by Daniel J. Bernstein.

From the user's point of view, it is conventional password-based authentication.

If the plugin is not installed, you need to install it first:

INSTALL SONAME 'auth_ed25519';

In MariaDB 10.1 the PASSWORD() function and SET PASSWORD statement do not work with ed25519 authentication. Use the UDF that comes with the plugin:

CREATE FUNCTION ed25519_password RETURNS STRING SONAME "auth_ed25519.so";

Now you can calculate a password hash as

SELECT ed25519_password("secret");
+---------------------------------------------+
| SELECT ed25519_password("secret");          |
+---------------------------------------------+
| ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY |
+---------------------------------------------+

and use it to create a user:

CREATE USER safe@'%' IDENTIFIED VIA ed25519 USING 'ZIgUREUg5PVgQ6LskhXmO+eZLS0nC8be6HPjYWR4YJY';

Then connect as usual:

mysql --user=safe --password=secret
