MySQL Authentication – What is mysql_native_password?

authenticationmysql-5.7plugins

I was trying to set password for root. When I run:

mysql> SELECT * from mysql.user where User="root";

It shows:

+-----------+------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-----------------------+------------------+-----------------------+-------------------+----------------+
| Host      | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin                | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked |
+-----------+------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-----------------------+------------------+-----------------------+-------------------+----------------+
| localhost | root | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      |          |            |             |              |             0 |           0 |               0 |                    0 | mysql_native_password |                       | N                | 2018-06-13 15:11:59   |              NULL | N              |
+-----------+------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-----------------------+------------------+-----------------------+-------------------+----------------+

This Document says that,

The mysql_native_password native authentication plugin is backward
compatible. Older clients that do not support authentication plugins
do use the native authentication protocol, so they can connect to
servers that support pluggable authentication.

But technically I'm not getting much. Does it have to do anything with root user password?

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '<password>';

and

ALTER USER 'root'@'localhost' IDENTIFIED BY '<password>';

Does it make any difference?

Best Answer

For a long time, MySQL has supported different authentication plugins, basically programable pieces of code to demonstrate that a mysql accounts is onwed by whever claims so.

The original way to do that is to setup a password, hash it in a particular way, and store it on the mysql.user table. However, it is not the only way you can authenticate, for example:

The unix socket authentication allows login to uses on the local machine with the same unix name than the mysql account. That is commonly used for admin accounts for things like monitoring or other tasks without needing to maintain a password. It has that name because it only works with socket connections (not remotelly)
A PAM autentication plugin allows to set up, for example, an LDAP backed system and use that to authenticate (nice to integrate it into an existing organization)
The latest versions of mysql (8.0) use a less trivial authentication method (caching_sha2_password), which in theory is more secure (I am not saying it is or it is not, but certainly the default "native" one was quite bad), but may require updates of client drivers and applications, so you can always revert to the older one for compatibility reasons.

On the "Enterprise" world, there is many times special needs for very special authentication methods, beyond a user and password.

Basically, mysql_native_password is the traditional method to authenticate- it is not very secure (it uses just a hash of the password), but it is compatible with older drivers. If you are going to start a new mysql service, you probably want to use the new plugin from the start (and TLS). If you have special needs, you can use other method- you can even program one if you have certain special needs).

You can chose a different method for each individual user- for example, your normal applications can use mysql_native_password or the new sha2 one, but you can make sure your admin accounts use a 2-factor authentication token, and unix_socket for a monitoring user gathering statistics on the mysql server. Those other authentication methods may or may not use the password field on the mysql.user table, like the native one does (they may store the password elswhere, or they may not even have a concept of a password!).

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '<password>';

and

ALTER USER 'root'@'localhost' IDENTIFIED BY '<password>';

Are essentially the same, mysql_native_password is normally the default authentication method. With WITH you can decide which method to use. For example, if you use GRANT USAGE ON *.* TO root@localhost IDENTIFIED WITH socket_auth, you are setting that user to use unix socket authentication. MariaDB uses a slightly different syntax: VIA unix_socket. Running those command mainly results in an update of the mysql.user table.

Note ALTER / GRANT works automatically on next user login, while UPDATEing directly the mysql.user table may require a FLUSH PRIVILEGES, and has some issues on certain scenarios (Galera, etc.).

Related Solutions

Mysql – Error log – What does this mean and what can I do about it

My first answer is: why is your database even accessible from outside through the Internet? That network traffic really ought to be blocked by router Internet gateway router or firewall.

If you really need to allow some connections from the Internet to your database, then limit it to the valid IP address who should be connecting.

At this point that's not really a dba question but a network admin question.

Oracle Authentication – Reasons for Locked Oracle Account

Provided audit trail is turned on, then I prefer to use the following to help track down login failures (which is usually the cause of locked accounts):

select * from dba_audit_trail where returncode in (1017, 28000) order by timestamp desc;

returncode is the ORA- error that would be returned from the database: 1017 is "invalid usercode or password" and 28000 is "account is locked".

This view provides valuable information such as the time the login failures occurred, the computer where the error originated from, as well as the OS user.

If you do not have audit_trail turned on, which you can verify with:

show parameter audit_trail;

then obviously, the above query will not help with past login failures, but you may want to consider turning it on to help with future failures. Also, keep in mind that this change requires a bounce of the database to go into effect.

You can refer to this document in order to set this environment variable to a value that is appropriate to your environment: http://docs.oracle.com/cd/B28359_01/server.111/b28320/initparams017.htm

You would set this parameter as follows:

alter system set audit_trail='DB' scope=spfile;

Keep in mind that if you do turn on audit_trail, consider periodically clean out older records out of the audit table or the table can grow to be pretty unwieldy. There is an informative blog that talks about that here: http://www.oradba.ch/2011/05/database-audit-and-audit-trail-purging/

As for another possible cause:

If you are running in a distributed environment (multiple databases connected by database links), then proxy database links (null user/password) could be your problem since such database links attempt to login to the destination database with the credentials that are passed from the source database.

If the credentials are different between the source and the destination, ORA-1017 is returned which counts against the login attempts on the destination DB (provided the usercode was the same, and just the passwords are different).

In addition, if the source DB user is logged in via a proxy user, then proxy DB links will ALWAYS fail with ORA-1017 regardless of whether or not the passwords match.

Best Answer

Related Solutions

Mysql – Error log – What does this mean and what can I do about it

Oracle Authentication – Reasons for Locked Oracle Account

Related Question