Authentication Plugin - SHA-256

MySQL 5.6 added support for the sha256_password authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password authentication plugin.

The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.

Support in MariaDB Server

MariaDB Server does not currently support either the sha256_password or the caching_sha2_password authentication plugins. See MDEV-9804 for more information.

MariaDB Server does not support either of these authentication plugins. This is mainly because:

  • To use the protocol, one has to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
  • The server gets the password in clear text which can cause problems if the user is convinced to connect to a malicious server.

Client Authentication Plugins

For clients that use the MariaDB Connector/C library, MariaDB provides two client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:

  • sha256_password
  • caching_sha256_password

When connecting with a client or utility to a server as a user account that authenticates with the sha256_password or caching_sha256_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option. For example:

mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice

For clients that use MariaDB's libmysqlclient library instead of MariaDB Connector/C, these client authentication plugins are not supported.

sha256_password

The sha256_password client authentication plugin is compatible with MySQL's sha256_password authentication plugin, which was added in MySQL 5.6.

caching_sha256_password

The caching_sha256_password client authentication plugin is compatible with MySQL's caching_sha2_password authentication plugin, which was added in MySQL 8.0.

The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.

Support in Client Libraries

Using the Plugin with MariaDB Connector/C

MariaDB Connector/C supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.

It has supported the sha256_password client authentication plugin since MariaDB Connector/C 3.0.2. See CONC-229 for more information.

It has supported the caching_sha256_password client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See CONC-312 for more information.

Using the Plugin with MariaDB Connector/ODBC

MariaDB Connector/ODBC supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.

It has supported sha256_password and caching_sha2_password authentication since MariaDB Connector/ODBC 3.1.4. See ODBC-241 for more information.

Using the Plugin with MariaDB Connector/J

MariaDB Connector/J supports sha256_password and caching_sha2_password authentication since MariaDB Connector/J 2.5.0. See CONJ-327 and CONJ-663 for more information.

Using the Plugin with MariaDB Connector/Node.js

MariaDB Connector/Node.js supports sha256_password and caching_sha2_password authentication since MariaDB Connector/Node.js 2.5.0. See CONJS-76 and CONJS-77 for more information.

See Also

Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.

© 2021 MariaDB
Licensed under the Creative Commons Attribution 3.0 Unported License and the GNU Free Documentation License.
https://mariadb.com/kb/en/authentication-plugin-sha-256/