Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-9804

Implement a caching_sha256_password plugin

Details

    • Q2/2025 Development

    Description

      In MySQL 5.6 and 5.7, you have the option of using the SHA256 password algorithm. The current method (mysql_native_password) leverages SHA1 and this has been proven to be no longer as secure as one would expect today.

      Find out more here:

      UPDATE:
      https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/sha256-pluggable-authentication.html

      Attachments

        Issue Links

          is duplicated by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-36382 mariadb支持caching_sha2_password

          • Major - Major loss of function.
          • Closed
          is part of

          Task - A task that needs to be done. MDEV-28906 MySQL 8.0 desired compatibility

          • Major - Major loss of function.
          • Open
          relates to

          Task - A task that needs to be done. CONC-229 SHA256 authentication plugin

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. CONJ-327 Handle sha256_password plugin

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. CONJS-76 Implement sha256_password support

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. CONJS-77 Implement caching_sha256_password support

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-12160 Modern alternative to the SHA1 authentication plugin

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. MXS-1325 Add sha256_password authenticator

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. MXS-4270 ed25519 authentication support

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. ODBC-241 Add parameter that corresponds to MYSQL_SERVER_PUBLIC_KEY option from MariaDB Connector/C

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. CONC-312 Implement caching_sha2_password plugin

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. CONJ-663 Implement caching_sha2_password plugin

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            serg Sergei Golubchik added a comment -

            Still needed for MySQL compatibility, but as far as security is concerned, we have a secure ed25519 plugin as an alternative to the old SHA1 auth.

            serg Sergei Golubchik added a comment - Still needed for MySQL compatibility, but as far as security is concerned, we have a secure ed25519 plugin as an alternative to the old SHA1 auth.
            otto Otto Kekäläinen added a comment -

            If a security certification specifically asks for something related to this, such as one particular I was reading the other day requires support for SCRAM-SHA-384/512, this plugin might be useful (though it would need higher hash key length).

            However, seems that most security certifications also accept the ed25519 (~EdDSA ~ECDSA) with the key lengths MariaDB already has, so the utility of sha256_password in MariaDB might be very marginal.

            otto Otto Kekäläinen added a comment - If a security certification specifically asks for something related to this, such as one particular I was reading the other day requires support for SCRAM-SHA-384/512, this plugin might be useful (though it would need higher hash key length). However, seems that most security certifications also accept the ed25519 (~EdDSA ~ECDSA) with the key lengths MariaDB already has, so the utility of sha256_password in MariaDB might be very marginal.
            ralf.gebhardt Ralf Gebhardt added a comment -

            As MySQL deprecated the sha256_password plugin I am changing the scope to only implement the caching_sha256_password plugin

            ralf.gebhardt Ralf Gebhardt added a comment - As MySQL deprecated the sha256_password plugin I am changing the scope to only implement the caching_sha256_password plugin

            People

              serg Sergei Golubchik
              colin Colin Charles
              Votes:
              11 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.