1

I've been researching for a couple of hours the "best practice" to create a second account for the mysql database using password authentication instead of the auth_socket / unix_socket.

By this guide safest and permanent solution to create a new user mariadb, the authentication uses no plugin. In other guides, people add the mysql_native_password as the plugins (e.g. here).

However, by the mariadb documentations about mysql_native_password, they recommend to use ed25519 plugin instead. I have not seen a single guide online to use this one with mariadb.

Now, which authentication method/plugin should is use and whats the big differenece between the no plugin and ed25519?

Advena
  • 123

1 Answers1

1

As per your ed25519 plugin link:

MySQL has used SHA-1 based authentication since version 4.1. Since MariaDB 5.2 this authentication plugin has been called mysql_native_password. Over the years as computers became faster, new attacks on SHA-1 were being developed. Nowadays SHA-1 is no longer considered as secure as it was in 2001. That's why the ed25519 authentication plugin was created.

The ed25519 authentication plugin uses Elliptic Curve Digital Signature Algorithm to securely store users' passwords and to authenticate users. The ed25519 algorithm is the same one that is used by OpenSSH. It is based on the elliptic curve and code created by Daniel J. Bernstein.

If security is a concern to you and it should, I would follow MariaDB best pratice and use the ed25519 plugin.

By default, without any plugin, Mariadb uses a sha1(sha1("password")), well actually SHA1(UNHEX(SHA1("this_is_a_random_string"))), and sha1 is unsafe. As usual, follow best practice, use the ed25519 plugin - if there is a best practice concerning security, follow it, there usually is a good reason - nobody is gonna write up a best practice for something if there is not a good reason.

Community
  • 1
thecarpy
  • 383
  • 4
  • 12
  • I've also read that part, but this is the mysql_native_password plugin. My big question is about the non-plugin-method. – Advena Feb 19 '19 at 12:17
  • I have amended my answer. – thecarpy Feb 19 '19 at 13:49
  • This explains a lot, however, eventough that ed25519 should be used, it's not supported by phpmyadmin. – Advena Feb 19 '19 at 14:33
  • In that case you should use the potentially unsafe password scheme for the phpadmin user. alter user 'username'@'localhost' identified with mysql_native_password by 'password'; not ideal, but if you have to use phpadmin, no other choice, for the moment ... – thecarpy Feb 21 '19 at 21:18