Authentication Plugin - SHA-256

MySQL 5.6 added support for the sha256_password authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password authentication plugin.

The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.

Support in MariaDB Server

MariaDB Server does not currently support either the sha256_password or the caching_sha2_password authentication plugins. See MDEV-9804 for more information.

MariaDB Server does not support either of these authentication plugins. This is mainly because:

  • To use the protocol, one has to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
  • The server gets the password in clear text which can cause problems if the user is convinced to connect to a malicious server.

Client Authentication Plugins

For clients that use the MariaDB Connector/C library, MariaDB provides two client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:

  • sha256_password
  • caching_sha256_password

When connecting with a client or utility to a server as a user account that authenticates with the sha256_password or caching_sha256_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option. For example:

mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice

For clients that use MariaDB's libmysqlclient library instead of MariaDB Connector/C, these client authentication plugins are not supported.

sha256_password

The sha256_password client authentication plugin is compatible with MySQL's sha256_password authentication plugin, which was added in MySQL 5.6.

caching_sha256_password

The caching_sha256_password client authentication plugin is compatible with MySQL's caching_sha2_password authentication plugin, which was added in MySQL 8.0.

The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.

Support in Client Libraries

Using the Plugin with MariaDB Connector/C

MariaDB Connector/C supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.

It has supported the sha256_password client authentication plugin since MariaDB Connector/C 3.0.2. See CONC-229 for more information.

It has supported the caching_sha256_password client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See CONC-312 for more information.

Using the Plugin with MariaDB Connector/ODBC

MariaDB Connector/ODBC does not support these authentication plugins. See ODBC-241 for more information.

Using the Plugin with MariaDB Connector/J

MariaDB Connector/J does not support these authentication plugins. See CONJ-327 and CONJ-663.

Using the Plugin with MariaDB Connector/Node.js

MariaDB Connector/Node.js does not yet support these authentication plugins. See CONJS-76 and CONJS-77 for more information.

See Also

Comments

Comments loading...