# Pluggable Authentication Overview When a user attempts to log in, the authentication plugin controls how MariaDB Server determines whether the connection is from a legitimate user. When creating or altering a user account with the [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant), [CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user) or [ALTER USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/alter-user) statements, you can specify the authentication plugin you want the user account to use, by providing the `IDENTIFIED VIA` clause. By default, when you create a user account without specifying an authentication plugin, MariaDB uses the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) plugin. {% hint style="success" %} You can specify multiple authentication plugins for each user account. {% endhint %} The `root@localhost` user created by [mariadb-install-db](https://mariadb.com/docs/server/clients-and-utilities/deployment-tools/mariadb-install-db) has the ability to use two authentication plugins: 1. It is configured to try to use the [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin. This allows the `root@localhost` user to log in without a password via the local Unix socket file defined by the [socket](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#socket) system variable, as long as the login is attempted from a process owned by the operating system `root` user account. 2. If authentication fails with the [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin, it is configured to try to use the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin. However, an invalid password is initially set, so in order to authenticate this way, a password must be set with [SET PASSWORD](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/set-password). ## Supported Authentication Plugins The authentication process is a conversation between the server and a client. MariaDB implements both server-side and client-side authentication plugins. ### Supported Server Authentication Plugins MariaDB provides seven server-side authentication plugins: * [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) * [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) * [ed25519](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-ed25519) * [gssapi](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-gssapi) * [pam](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam) (Unix only) * [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) (Unix only) * [named\_pipe](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-named-pipe) (Windows only) ### Supported Client Authentication Plugins MariaDB provides eight client-side authentication plugins: * [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugin-mysql_native_password#client-authentication-plugins) * [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugin-mysql_old_password#client-authentication-plugins) * [client\_ed25519](https://mariadb.com/docs/server/reference/plugins/authentication-plugin-ed25519#client-authentication-plugins) * [auth\_gssapi\_client](https://mariadb.com/docs/server/reference/plugins/authentication-plugin-gssapi#client-authentication-plugins) * [dialog](https://mariadb.com/docs/server/reference/plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam#client-authentication-plugins) * [mysql\_clear\_password](https://mariadb.com/docs/server/reference/plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam#client-authentication-plugins) * [sha256\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugin-sha-256#client-authentication-plugins) * [caching\_sha256\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugin-sha-256#client-authentication-plugins) ## Options Related to Authentication Plugins ### Server Options Related to Authentication Plugins MariaDB supports the following server options related to authentication plugins: | Server Option | Description | | --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [old\_passwords={1 \| 0}](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) | If set to `1` (`0` is default), MariaDB reverts to using the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin by default for newly created users and passwords, instead of the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin. | | [plugin\_dir=path](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#plugin_dir) | Path to the [plugin](https://mariadb.com/docs/server/reference/plugins) directory. For security reasons, either make sure this directory can only be read by the server, or set [secure\_file\_priv](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#secure_file_priv). | | [plugin\_maturity=level](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#plugin_maturity) | The lowest acceptable [plugin](https://mariadb.com/docs/server/reference/plugins) maturity. MariaDB will not load plugins less mature than the specified level. | | [secure\_auth](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#secure_auth) | Connections will be blocked if they use the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin. | ### Client Options Related to Authentication Plugins Most [clients and utilities](https://mariadb.com/docs/server/clients-and-utilities) support command-line arguments related to client authentication plugins: | Client Option | Description | | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | --connect-expired-password | Notify the server that this client is prepared to handle [expired password sandbox mode](https://mariadb.com/docs/server/security/user-account-management/user-password-expiry) even if --batch was specified. | | --default-auth=name | Default authentication client-side plugin to use. | | --plugin-dir=path | Directory for client-side plugins. | | --secure-auth | Refuse to connect to the server if the server uses the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin. This mode is off by default, which is different from MySQL. | Developers who are using [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) can implement similar functionality in their application by setting the following options with the [mysql\_optionsv](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c/api-functions/mysql_optionsv) function: * `MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS` * `MYSQL_PLUGIN_DIR` * `MYSQL_DEFAULT_AUTH` * `MYSQL_SECURE_AUTH` For example: ```ini mysql_optionsv(mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, 1); mysql_optionsv(mysql, MYSQL_DEFAULT_AUTH, "name"); mysql_optionsv(mysql, MYSQL_PLUGIN_DIR, "path"); mysql_optionsv(mysql, MYSQL_SECURE_AUTH, 1); ``` ### Installation Options Related to Authentication Plugins [mariadb-install-db](https://mariadb.com/docs/server/clients-and-utilities/deployment-tools/mariadb-install-db) supports the following installation options related to authentication plugins: | Installation Option | Description | | ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | --auth-root-authentication-method={normal \| socket} | If set to `normal` (the default), it creates a `root@localhost` account that authenticates with the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin and that has no initial password set, which can be insecure. If set to `socket`, it creates a `root@localhost` account that authenticates with the [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin. Set to `normal` by default. | | --auth-root-socket-user=USER | Used with `--auth-root-authentication-method=socket`. It specifies the name of the second account to create with [SUPER](https://mariadb.com/docs/server/sql-statements/account-management-sql-statements/grant#global-privileges) privileges in addition to root, as well as of the system account allowed to access it. Defaults to the value of `--user`. | ## Extended SQL Syntax MariaDB has extended the SQL standard [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant), [CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user), and [ALTER USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/alter-user) statements, so that they support specifying different authentication plugins for specific users. An authentication plugin can be specified with these statements by providing the `IDENTIFIED VIA` clause. Examples: ```sql GRANT ON TO IDENTIFIED VIA [ USING ] ``` ```sql CREATE USER IDENTIFIED VIA [ USING ] ``` ```sql ALTER USER IDENTIFIED VIA [ USING ] ``` The optional `USING` clause allows users to provide an authentication string to a plugin. The authentication string's format and meaning is completely defined by the plugin. For example, for the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin, the authentication string should be a password hash: ```sql CREATE USER mysqltest_up1 IDENTIFIED VIA mysql_native_password USING '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB'; ``` Since [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) is the default authentication plugin, the above is just another way of saying the following: ``` CREATE USER mysqltest_up1 IDENTIFIED BY PASSWORD '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB'; ``` In contrast, for the [pam](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam) authentication plugin, the authentication string should refer to a [PAM service name](https://mariadb.com/docs/server/reference/plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam#configuring-the-pam-service): ```sql CREATE USER mysqltest_up1 IDENTIFIED VIA pam USING 'mariadb'; ``` A user account can be associated with multiple authentication plugins. To configure the `root@localhost` user account to try the [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin, followed by the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin as a backup, execute the following query: ```sql CREATE USER root@localhost IDENTIFIED VIA unix_socket OR mysql_native_password USING PASSWORD("verysecret"); ``` See [Authentication](https://mariadb.com/docs/server/security/user-account-management/authentication-from-mariadb-10-4) for more information. ## Authentication Plugins Installed by Default ### Server Authentication Plugins Installed by Default Not all server-side authentication plugins are installed by default. If a specific server-side authentication plugin is not installed by default, then you can find the installation procedure on the documentation page for the specific authentication plugin. The following server-side authentication plugins are installed by default: * The [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) and [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugins authentication plugins are installed by default in all builds. * The [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin is installed by default in all builds on Unix and Linux. * The [named\_pipe](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-named-pipe) authentication plugin is installed by default in all builds on Windows. The following server-side authentication plugins are installed by default: * The [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) and [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugins are installed by default in all builds. * The [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin is installed by default in new installations that use the [.deb](https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/installing-mariadb/binary-packages/installing-mariadb-deb-files) packages provided by Debian's default repositories and Ubuntu's default repositories in Ubuntu. See [Differences in MariaDB in Debian (and Ubuntu)](https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/installing-mariadb/troubleshooting-installation-issues/installation-issues-on-debian-and-ubuntu/differences-in-mariadb-in-debian-and-ubuntu) for more information. * The [named\_pipe](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-named-pipe) authentication plugin is installed by default in all builds on Windows. ### Client Authentication Plugins Installed by Default Client-side authentication plugins do not need to be *installed* in the same way that server-side authentication plugins do. If the client uses either the `libmysqlclient` or [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) library, then the library automatically loads client-side authentication plugins from the library's plugin directory whenever they are needed. Most [clients and utilities](https://mariadb.com/docs/server/clients-and-utilities) support the `--plugin-dir` command line argument that can be used to set the path to the library's plugin directory: | Client Option | Description | | ----------------- | ---------------------------------- | | --plugin-dir=path | Directory for client-side plugins. | Developers who are using [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) can implement similar functionality in their application by setting the `MYSQL_PLUGIN_DIR` option with the [mysql\_optionsv](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c/api-functions/mysql_optionsv) function. Example: ```c mysql_optionsv(mysql, MYSQL_PLUGIN_DIR, "path"); ``` If your client encounters errors similar to the following error, you may need to set the path to the library's plugin directory: ``` ERROR 2059 (HY000): Authentication plugin 'dialog' cannot be loaded: /usr/lib/mysql/plugin/dialog.so: cannot open shared object file: No such file or directory ``` If the client does **not** use either the `libmysqlclient` or [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) library, then you will have to determine which authentication plugins are supported by the specific client library used by the client. If the client uses either the `libmysqlclient` or [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) library, but the client is not bundled with either library's *optional* client authentication plugins, then you can only use the conventional authentication plugins (like [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) and [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password)) and the non-conventional authentication plugins that don't require special client-side authentication plugins (like [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) and [named\_pipe](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-named-pipe)). ## Default Authentication Plugin ### Default Server Authentication Plugin The [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin is currently the default authentication plugin in all versions of MariaDB if the [old\_passwords](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) system variable is set to `0`, which is the default. On a system with the [old\_passwords](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) system variable set to `0`, this means that if you create a user account with either the [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant) or [CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user)`statements, and if you do not specify an authentication plugin with the`IDENTIFIED VIA`clause, then MariaDB will use the [mysql_native_password](authentication-plugin-mysql_native_password.md) authentication plugin for the user account.` Creating a user account like this, it uses the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin: ```sql CREATE USER username@hostname; ``` The same is true for this user account: ```sql CREATE USER username@hostname IDENTIFIED BY 'notagoodpassword'; ``` The [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin becomes the default authentication plugin in all versions of MariaDB, if the [old\_passwords](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) system variable is explicitly set to `1`. {% hint style="danger" %} The [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin is not considered secure. It is recommended to avoid using this authentication plugin. To help prevent undesired use of the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin, the server supports the [secure\_auth](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#secure_auth) system variable that configures the server to refuse connections trying to use the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin. Most [clients and utilities](https://github.com/mariadb-corporation/docs-server/blob/test/kb/en/clients-utilities/README.md) support `secure_auth`. {% endhint %} | Server Option | Description | | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [old\_passwords={1 \| 0}](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) | If set to `1` (`0` is default), MariaDB reverts to using the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin by default for newly created users and passwords, instead of the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin. | | [secure\_auth](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#secure_auth) | Connections are blocked if they use the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin. | Developers using [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) can implement similar functionality in their application by setting the `MYSQL_SECURE_AUTH` option with the [mysql\_optionsv](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c/api-functions/mysql_optionsv) function: ```c mysql_optionsv(mysql, MYSQL_SECURE_AUTH, 1); ``` ### Default Client Authentication Plugin The default client-side authentication plugin depends on these factors: * If a client doesn't explicitly set the default client-side authentication plugin, the client determines which authentication plugin to use, by checking the length of the scramble in the server's handshake packet. * If the server's handshake packet contains a 9-byte scramble, the client defaults to the [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin. * If the server's handshake packet contains a 20-byte scramble, the client defaults to the [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin. #### Setting the Default Client Authentication Plugin Most [clients and utilities](https://mariadb.com/docs/server/clients-and-utilities) support the `--default-auth` command-line argument that sets the default client-side authentication plugin: | Client Option | Description | | --------------------- | ------------------------------------------------- | | `--default-auth=name` | Default authentication client-side plugin to use. | Developers using [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) can implement similar functionality in applications, by setting the `MYSQL_DEFAULT_AUTH` option with the [mysql\_optionsv](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c/api-functions/mysql_optionsv) function: ```c mysql_optionsv(mysql, MYSQL_DEFAULT_AUTH, "name"); ``` If you know that your user account is configured to require a client-side authentication plugin other than [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) or [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password), this helps speed up your connection process when you explicitly set the default client-side authentication plugin. According to the [client-server protocol](https://mariadb.com/docs/server/reference/clientserver-protocol), the server first sends the handshake packet to the client, then the client replies with a packet containing the user name of the user account that is requesting access. The server handshake packet initially tells the client to use the default server authentication plugin, and the client reply initially tells the server that it will use the default client authentication plugin. However, the server-side and client-side authentication plugins mentioned in these initial packets may not be the correct ones for this specific user account. The server only knows what authentication plugin to use for this specific user account after reading the user name from the client reply packet and finding the appropriate row for the user account in either the [mysql.user](https://mariadb.com/docs/server/reference/system-tables/the-mysql-database-tables/mysql-user-table) table or the [mysql.global\_priv](https://mariadb.com/docs/server/reference/system-tables/the-mysql-database-tables/mysql-global_priv-table) table, depending on the MariaDB version. If the server finds that either the server-side or client-side default authentication plugin does not match the actual authentication plugin that should be used for the given user account, then the server restarts the authentication on either the server side or the client side. This means that, if you know what client authentication plugin your user account requires, then you can avoid an unnecessary authentication restart and you can save two packets and two round-trips.between the client and server by configuring your client to use the correct authentication plugin by default. ## Available Authentication Plugins ### Server Authentication Plugins #### `mysql_native_password` The [mysql\_native\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password) authentication plugin uses the same password hashing algorithm used by the [PASSWORD()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/password) function when [old\_passwords](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) is set. This hashing algorithm is based on [SHA-1](https://en.wikipedia.org/wiki/SHA-1). #### `mysql_old_password` The [mysql\_old\_password](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_old_password) authentication plugin uses the same hashing algorithm used by the [OLD\_PASSWORD()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/old_password) function and by the [PASSWORD()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/password) function when [old\_passwords=1](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) is set. #### `ed25519` The [ed25519](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-ed25519) authentication plugin uses the [Elliptic Curve Digital Signature Algorithm](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) to securely store users' passwords and to authenticate users. The [ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519) algorithm is the same one that is [used by OpenSSH](https://www.openssh.com/txt/release-6.5). It is based on the elliptic curve and code created by [Daniel J. Bernstein](https://en.wikipedia.org/wiki/Daniel_J._Bernstein). #### `gssapi` The [gssapi](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-gssapi) authentication plugin allows authenticating with services that use the [Generic Security Services Application Program Interface (GSSAPI)](https://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface). Windows has a slightly different but very similar API called [Security Support Provider Interface (SSPI)](https://docs.microsoft.com/en-us/windows/desktop/secauthn/sspi). On Windows, this authentication plugin supports [Kerberos](https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos) and [NTLM](https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm) authentication. Windows authentication is supported regardless of whether a [domain](https://en.wikipedia.org/wiki/Windows_domain) is used in the environment. On Unix systems, the most dominant GSSAPI service is [Kerberos](https://en.wikipedia.org/wiki/Kerberos_\(protocol\)). However, it is less commonly used on Unix systems than it is on Windows. Regardless, this authentication plugin also supports Kerberos authentication on Unix. The [gssapi](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-gssapi) authentication plugin is most often used for authenticating with [Microsoft Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview). #### `pam` The [pam](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam) authentication plugin allows MariaDB to offload user authentication to the system's [Pluggable Authentication Module (PAM)](https://en.wikipedia.org/wiki/Pluggable_authentication_module) framework. PAM is an authentication framework used by Linux, FreeBSD, Solaris, and other Unix-like operating systems. #### `unix_socket` The [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin allows the user to use operating system credentials when connecting to MariaDB via the local Unix socket file. This Unix socket file is defined by the [socket](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#socket) system variable. The [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin works by calling the [getsockopt](https://man7.org/linux/man-pages/man7/socket.7.html) system call with the `SO_PEERCRED` socket option, which allows it to retrieve the `uid` of the process that is connected to the socket. It is then able to get the user name associated with that `uid`. Once it has the user name, it will authenticate the connecting user as the MariaDB account that has the same user name. For example: ```bash $ mysql -uroot MariaDB []> CREATE USER serg IDENTIFIED VIA unix_socket; MariaDB []> CREATE USER monty IDENTIFIED VIA unix_socket; MariaDB []> quit Bye $ whoami serg $ mysql --user=serg Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 2 Server version: 5.2.0-MariaDB-alpha-debug Source distribution MariaDB []> quit Bye $ mysql --user=monty ERROR 1045 (28000): Access denied for user 'monty'@'localhost' (using password: NO) ``` In this example, a user `serg` is already logged into the operating system and has full shell access. The user has already authenticated with the operating system and the MariaDB account is configured to use the [unix\_socket](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-unix-socket) authentication plugin, so the user does not need to authenticate again for the database. MariaDB accepts the user's operating system credentials and allows connecting. However, any attempt to connect to the database as another operating system user will be denied. #### `named_pipe` The [named\_pipe](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-named-pipe) authentication plugin allows the user to use operating system credentials when connecting to MariaDB via named pipe on Windows. Named pipe connections are enabled by the [named\_pipe](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#named_pipe) system variable. The [named\_pipe](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-named-pipe) authentication plugin works by using [named pipe impersonation](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378618\(v=vs.85\).aspx) and calling `GetUserName()` to retrieve the user name of the process that is connected to the named pipe. Once it has the user name, it authenticates the connecting user as the MariaDB account that has the same user name: ```sql CREATE USER wlad IDENTIFIED VIA named_pipe; CREATE USER monty IDENTIFIED VIA named_pipe; quit C:\>echo %USERNAME% wlad C:\> mysql --user=wlad --protocol=PIPE Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 4 Server version: 10.1.12-MariaDB-debug Source distribution Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> quit Bye C:\> mysql --user=monty --protocol=PIPE ERROR 1698 (28000): Access denied for user 'monty'@'localhost' ``` ## See Also * [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant) * [CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user) * [ALTER USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/alter-user) * [Authentication from MariaDB 10.4](https://mariadb.com/docs/server/security/user-account-management/authentication-from-mariadb-10-4) * [Who are you? The history of MySQL and MariaDB authentication protocols from 1997 to 2017](https://mariadb.org/history-of-mysql-mariadb-authentication-protocols/) * [MySQL 5.6 Reference Manual: Pluggable Authentication](https://dev.mysql.com/doc/refman/5.6/en/pluggable-authentication.html) * [MySQL 5.6 Reference Manual: Writing Authentication Plugins](https://dev.mysql.com/doc/refman/5.6/en/writing-authentication-plugins.html) *This page is licensed: CC BY-SA / Gnu FDL* {% @marketo/form formId="4316" %}