1

I've been researching for a couple of hours the "best practice" to create a second account for the MySQL database using password authentication instead of the auth_socket / unix_socket plugin.

According to this guide, the safest and permanent solution to create a new MariaDB user uses no authentication plugin. In other guides, people add mysql_native_password as the plugin (e.g. here).

However, according to the MariaDB documentation about mysql_native_password, they recommend using the ed25519 plugin instead. I have not seen a single guide online that uses this one with MariaDB.

Now, which authentication method/plugin should I use, and what's the big difference between no plugin and ed25519?

Advena
  • 123

1 Answer

1

As per your ed25519 plugin link:

MySQL has used SHA-1 based authentication since version 4.1. Since MariaDB 5.2 this authentication plugin has been called mysql_native_password. Over the years as computers became faster, new attacks on SHA-1 were being developed. Nowadays SHA-1 is no longer considered as secure as it was in 2001. That's why the ed25519 authentication plugin was created.

The ed25519 authentication plugin uses Elliptic Curve Digital Signature Algorithm to securely store users' passwords and to authenticate users. The ed25519 algorithm is the same one that is used by OpenSSH. It is based on the elliptic curve and code created by Daniel J. Bernstein.

If security is a concern to you, and it should be, I would follow MariaDB best practice and use the ed25519 plugin.

By default, without any plugin, MariaDB uses a sha1(sha1("password")), well actually SHA1(UNHEX(SHA1("this_is_a_random_string"))), and SHA-1 is unsafe. As usual, follow best practice and use the ed25519 plugin. If there is a best practice concerning security, follow it; there usually is a good reason, as nobody is going to write up a best practice for something if there is not a good reason.

thecarpy
  • 405
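Since the question notes that no guide shows how to use ed25519 with MariaDB, here is an added example of creating the second account with that plugin and verifying which plugin each account uses. This is not code from the question, the answer or the MariaDB documentation; it assumes MariaDB 10.4 or later (for the `USING PASSWORD()` form) and uses the placeholder names `app_user` and `app_db`.

```sql
-- Load the server-side plugin once; INSTALL SONAME persists across restarts.
-- Equivalent my.cnf setting under [mariadb]:  plugin_load_add = auth_ed25519
INSTALL SONAME 'auth_ed25519';

-- Confirm the plugin is ACTIVE before creating accounts that depend on it.
SELECT plugin_name, plugin_status
  FROM information_schema.plugins
 WHERE plugin_name = 'ed25519';

-- Create the password-authenticated account with ed25519 instead of
-- unix_socket. 'app_user' and the passphrase are placeholders.
CREATE USER 'app_user'@'localhost'
  IDENTIFIED VIA ed25519 USING PASSWORD('replace-with-a-strong-passphrase');

-- Grant only what the application needs (least privilege), not ALL ON *.*.
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_user'@'localhost';

-- Verify: root should still show unix_socket, app_user should show ed25519,
-- and app_user's authentication_string is an ed25519 public key, not a
-- '*'-prefixed SHA-1 hash as mysql_native_password would store.
SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user IN ('root', 'app_user');
```

The client side also needs the client_ed25519 plugin (shipped with MariaDB Connector/C and the MariaDB `mysql` client); check that the driver your application uses supports it before switching, or logins will fail with an "unknown plugin" error.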