When a user attempts to log in, the authentication plugin controls how MariaDB Server determines whether the connection is from a legitimate user.
When creating or altering a user account with the
CREATE USER or
ALTER USER statements, you can specify the authentication plugin you want the user account to use by providing the
IDENTIFIED VIA clause. By default, when you issue one of these statements for a user account without specifying an authentication plugin, MariaDB uses the
MariaDB starting with 10.4
In MariaDB 10.4 and later, there are some notable changes, such as:
- You can specify multiple authentication plugins for each user account.
root@localhostuser created by
mysql_install_dbis created with the ability to use two authentication plugins. First, it is configured to try to use the
unix_socketauthentication plugin. This allows the the
root@localhostuser to login without a password via the local Unix socket file defined by the
socketsystem variable, as long as the login is attempted from a process owned by the operating system
rootuser account. Second, if authentication fails with the
unix_socketauthentication plugin, then it is configured to try to use the
mysql_native_passwordauthentication plugin. However, an invalid password is initially set, so in order to authenticate this way, a password must be set with
Pluggable Authentication OverviewThe authentication of users is delegated to plugins.
Authentication Plugin - mysql_native_passwordUses the password hashing algorithm introduced in MySQL 4.1.
Authentication Plugin - mysql_old_passwordThe mysql_old_password authentication plugin uses the pre-MySQL 4.1 password hashing algorithm.
Authentication Plugin - ed25519Uses the Elliptic Curve Digital Signature Algorithm to securely store users' passwords.
Authentication Plugin - GSSAPIThe gssapi authentication plugin uses the GSSAPI interface to authenticate with Kerberos or NTLM.
Authentication with Pluggable Authentication Modules (PAM)Uses the Pluggable Authentication Module (PAM) framework to authenticate MariaDB users.
Authentication Plugin - Unix SocketUses the user name that owns the process connected to MariaDB's unix socket file.
Authentication Plugin - Named PipeUses the user name that owns the process connected to MariaDB's named pipe on Windows.
Authentication Plugin - SHA-256MySQL supports the sha256_password and caching_sha2_password authentication plugins.