MySQL 5.6 added support for the sha256_password authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password authentication plugin.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
MariaDB Server supports neither the sha256_password nor the caching_sha2_password authentication plugins. See MDEV-9804 for more information.
Reasons for not supporting the SHA-256 plugin:
To use the protocol, you have to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
The server receives the password in clear text, which can cause problems if the user connects to a malicious server.
If you are migrating from a MySQL instance that is using SHA-256 authentication, you have to change the SHA-256 authentication to mysql_native_password authentication:
ALTER USER user_name IDENTIFIED WITH mysql_native_password BY 'new_password';
For clients that use the MariaDB Connector/C library, MariaDB provides client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:
sha256_password
caching_sha256_password
When connecting with a client or utility to a server, using a user account that authenticates with the sha256_password or caching_sha256_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:
mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice
For clients that use MariaDB's libmysqlclient library instead of MariaDB Connector/C, those authentication plugins are not supported.
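To find out in advance whether a client will need one of these plugins, you can read the plugin name that the server announces in its initial handshake packet. The following is an added example, not part of the original page or of MariaDB's code: it assumes the HandshakeV10 layout of the MySQL client/server protocol, the function names and the sample packet are constructed for illustration, and an individual account can still be switched to a different plugin after the handshake.

```python
import struct
from typing import Optional

CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
# Wire names of the MySQL plugins that need the client plugins described above.
SHA256_PLUGINS = {"sha256_password", "caching_sha2_password"}

def advertised_auth_plugin(packet: bytes) -> Optional[str]:
    """Return the auth plugin named in a HandshakeV10 packet, or None."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]           # skip 3-byte length + sequence id
    if len(packet) < 4 or len(payload) != length or payload[:1] != b"\x0a":
        raise ValueError("not a complete HandshakeV10 packet")
    try:
        pos = payload.index(b"\x00", 1) + 1  # end of server version string
        pos += 4 + 8 + 1                     # thread id, scramble part 1, filler
        caps_lo, _cs, _st, caps_hi, dlen = struct.unpack_from("<HBHHB", payload, pos)
    except (ValueError, struct.error):
        raise ValueError("malformed handshake") from None
    pos += 8 + 10                            # fields just read + reserved bytes
    caps = caps_lo | (caps_hi << 16)
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, dlen - 8)             # scramble part 2
    if not caps & CLIENT_PLUGIN_AUTH:
        return None                          # server names no plugin
    if pos >= len(payload):
        raise ValueError("malformed handshake")
    end = payload.find(b"\x00", pos)
    name = payload[pos:end if end != -1 else len(payload)]
    return name.decode("ascii", "replace")

def needs_sha256_client_plugin(packet: bytes) -> bool:
    return advertised_auth_plugin(packet) in SHA256_PLUGINS

def build_sample(plugin: str) -> bytes:
    """Constructed handshake for the demo, not captured from a real server."""
    caps = CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = (b"\x0a" + b"0.0.0-constructed\x00" + struct.pack("<I", 7)
               + b"A" * 8 + b"\x00"
               + struct.pack("<HBHHB", caps & 0xFFFF, 0xFF, 2, caps >> 16, 21)
               + b"\x00" * 10 + b"B" * 12 + b"\x00"
               + plugin.encode("ascii") + b"\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    for plugin in ("caching_sha2_password", "mysql_native_password"):
        print(plugin, needs_sha256_client_plugin(build_sample(plugin)))
```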
sha256_password
The sha256_password client authentication plugin is compatible with MySQL's sha256_password authentication plugin, which was added in MySQL 5.6.
caching_sha256_password
The caching_sha256_password client authentication plugin is compatible with MySQL's caching_sha2_password authentication plugin, which was added in MySQL 8.0.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
MariaDB Connector/C supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.
It has supported the sha256_password client authentication plugin since MariaDB Connector/C 3.0.2. See CONC-229 for more information.
It has supported the caching_sha256_password client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See CONC-312 for more information.
MariaDB Connector/ODBC supports sha256_password and caching_sha2_password authentication using the client authentication plugins mentioned in the previous section.
It has supported sha256_password and caching_sha2_password authentication since MariaDB Connector/ODBC 3.1.4. See ODBC-241 for more information.
MariaDB Connector/J supports sha256_password and caching_sha2_password authentication since MariaDB Connector/J 2.5.0. See CONJ-327 and CONJ-663 for more information.
Note: Because version 3.x is a rewrite of the connector, it implements only caching_sha2_password, since sha256_password is only implemented on EOL versions.
MariaDB Connector/Node.js supports sha256_password and caching_sha2_password authentication since MariaDB Connector/Node.js 2.5.0. See CONJS-76 and CONJS-77 for more information.
MDEV-9804 contains the plans to use if we ever decide to support these protocols.
This page is licensed: CC BY-SA / Gnu FDL