MariaDB: Default password authentication not good enough?
I've been researching for a couple of hours the "best practice" to create a second account for the mysql database using password authentication instead of the auth_socket / unix_socket.
By this guide, safest and permanent solution to create a new user mariadb, the authentication uses no plugin. In other guides, people add the mysql_native_password as the plugin (e.g. here).
However, by the mariadb documentation about mysql_native_password, they recommend to use ed25519 plugin instead. I have not seen a single guide online to use this one with mariadb.
Now, which authentication method/plugin should I use and what's the big difference between the no plugin and ed25519?
mysql password authentication plugins mariadb
edited Feb 19 at 11:42
Tanckom
asked Feb 19 at 11:15
1 Answer
As per your ed25519 plugin link:
MySQL has used SHA-1 based authentication since version 4.1. Since
MariaDB 5.2 this authentication plugin has been called
mysql_native_password. Over the years as computers became faster, new
attacks on SHA-1 were being developed. Nowadays SHA-1 is no longer
considered as secure as it was in 2001. That's why the ed25519
authentication plugin was created.
The ed25519 authentication plugin uses Elliptic Curve Digital
Signature Algorithm to securely store users' passwords and to
authenticate users. The ed25519 algorithm is the same one that is used
by OpenSSH. It is based on the elliptic curve and code created by
Daniel J. Bernstein.
If security is a concern to you, and it should be, I would follow MariaDB best practice and use the ed25519 plugin.
By default, without any plugin, MariaDB uses a sha1(sha1("password")), well actually SHA1(UNHEX(SHA1("this_is_a_random_string"))), and sha1 is unsafe. As usual, follow best practice, use the ed25519 plugin - if there is a best practice concerning security, follow it, there usually is a good reason - nobody is gonna write up a best practice for something if there is not a good reason.
edited Feb 19 at 13:48
answered Feb 19 at 11:56
thecarpy
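The SHA1(UNHEX(SHA1(...))) value the answer mentions, and the challenge-response that mysql_native_password builds on it, as an added example that is not part of the original answer. The function names and the sample accounts are constructed for illustration; the audit helper shows the practical consequence of the stored value having no salt.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_hash(password: str) -> bytes:
    """Value the server keeps: SHA1 over the raw 20-byte digest (the UNHEX step)."""
    return sha1(sha1(password.encode()))


def password_column(password: str) -> str:
    """Text form as returned by PASSWORD(): '*' followed by 40 upper-case hex digits."""
    return "*" + stored_hash(password).hex().upper()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_response(password: str, scramble: bytes) -> bytes:
    """Client side: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    return xor(sha1(password.encode()), sha1(scramble + stored_hash(password)))


def server_verify(response: bytes, scramble: bytes, stored: bytes) -> bool:
    """Server side: recover the candidate SHA1(pw), hash it once more, compare."""
    candidate = xor(response, sha1(scramble + stored))
    return hmac.compare_digest(sha1(candidate), stored)


def shared_hashes(accounts: dict) -> list:
    """Audit helper: accounts whose stored hash is identical (same password, no salt)."""
    groups = {}
    for user, pw_hash in accounts.items():
        groups.setdefault(pw_hash, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    scramble = os.urandom(20)  # per-connection nonce sent by the server
    print(password_column("password"))
    print(server_verify(client_response("password", scramble), scramble, stored_hash("password")))
    # Constructed sample accounts, not taken from any real server.
    demo = {u: password_column(p) for u, p in
            [("app", "s3cret-demo"), ("backup", "s3cret-demo"), ("report", "other-demo")]}
    print(shared_hashes(demo))
```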
I've also read that part, but this is the mysql_native_password plugin. My big question is about the non-plugin-method.
– Tanckom
Feb 19 at 12:17
I have amended my answer.
– thecarpy
Feb 19 at 13:49
This explains a lot, however, even though ed25519 should be used, it's not supported by phpmyadmin.
– Tanckom
Feb 19 at 14:33
In that case you should use the potentially unsafe password scheme for the phpadmin user.
alter user 'username'@'localhost' identified with mysql_native_password by 'password';
not ideal, but if you have to use phpadmin, no other choice, for the moment ...
– thecarpy
Feb 21 at 21:18