
PHP (and by extension WordPress) only supports MySQL native & sha256 password authentication.

MariaDB Server only supports MySQL native & ed25519 password authentication.

Since MySQL native password authentication uses SHA-1 and is not considered secure anymore, there is no actual secure way to use the MariaDB server with PHP.

Am I missing something here?

schroeder
  • Are you interested in how the password to the database server is hashed? Or how passwords of wordpress users stored in the database are hashed? – Anders Aug 11 '21 at 17:25
  • I suspect you conflate the database connection and its authentication with the web application's password. If you are worried about the database connection, that supports a much wider array of authentication schemes than what you listed here (like host based & X509). The web app has nothing to do with how the DBMS stores stuff, it just cares about how it supplies and retrieves the data. – LvB Aug 11 '21 at 18:08
  • I'm concerned with how the passwords to the db server are hashed, not how WordPress stores them in a db record. Obv. the passwords for WordPress users aren't dependent on the hashing that the db authentication supports. – Joseph Michael Aug 12 '21 at 12:49
  • I understand that the webapp has nothing to do with how the DBMS stores stuff, I mean that WordPress is PHP-based, and PHP connects to the DBMS and only supports native password authentication (SHA-1). Which is insecure and not recommended anymore. – Joseph Michael Aug 12 '21 at 12:50
  • I know that I can enforce SSL encryption for the connections using REQUIRE SSL or REQUIRE X509, but that doesn't change that the hashing supported between PHP and MariaDB server is still SHA-1. You aren't suggesting that it's okay if MariaDB only used MD5 hashing for authentication because you can force SSL on the connection, are you? – Joseph Michael Aug 12 '21 at 12:53
  • This would be solved if PHP included an ed25519 auth plugin to connect to MariaDB Server with, but they don't. Or if MariaDB Server supported the SHA256 auth that MySQL and PHP support, but they don't. So the only option is to use native_password or SHA-1. – Joseph Michael Aug 12 '21 at 12:56
  • Where did you find that only those 2 are supported? If I check https://mariadb.com/kb/en/authentication-plugins/ I see a whole list of supported schemes. – LvB Aug 12 '21 at 12:56
  • The authentication you see there is between the client and the server. The MariaDB client can connect to a MySQL Server with the other auths. But MariaDB server only supports native password and ed25519. You can see it clarified as true by MariaDB here: https://mariadb.com/kb/en/phpwordpress-auth_ed25519/ So if MariaDB server actually supported sha256, then its own client would be able to connect without modification. But the server program doesn't support that as an auth. – Joseph Michael Aug 12 '21 at 12:58
  • and again here: https://mariadb.com/kb/en/authentication-plugin-sha-256/ in the red callout. – Joseph Michael Aug 12 '21 at 12:59

1 Answer


I guess the answer is: yes, MariaDB should not be used for any PHP application until either PHP supports ed25519 password authentication and/or MariaDB Server supports sha256 password authentication.

  • Update in Jan 2022: MariaDB Server is still inadvisable to use for any project involving PHP as you are forced to use mysql_native_password which uses SHA-1 hashing. Release notes for MariaDB Server 10.6/10.7/10.8 do not list sha256 password authentication support. Also, PHP has not added support for ed25519 password authentication through its mysql connectors. – Joseph Michael Jan 27 '22 at 16:11
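As an added illustration (not part of the question, the answer, or either project's code), this is the mysql_native_password scheme the thread refers to, written from its public description in Python with only the standard library: the server keeps an unsalted SHA1(SHA1(password)) per account, the client answers a 20-byte random scramble, and the server checks the answer without ever receiving the password. The `users` table below is constructed sample data, and `scramble` is drawn locally to stand in for the one the server sends in its handshake packet.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_hash(password: str) -> bytes:
    """Value kept server-side for mysql_native_password: SHA1(SHA1(pw)).

    No per-user salt and a single fast hash round, which is the property
    the thread is worried about: two accounts with the same password get
    the same stored value, and guessing is limited only by SHA-1 speed.
    """
    return sha1(sha1(password.encode("utf-8")))


def format_stored_hash(password: str) -> str:
    """Render as MySQL/MariaDB show it in mysql.user: '*' + 40 hex digits."""
    return "*" + stored_hash(password).hex().upper()


def client_response(password: str, scramble: bytes) -> bytes:
    """Client side: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode("utf-8"))
    stage2 = sha1(stage1)
    mask = sha1(scramble + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_verify(stored: bytes, scramble: bytes, response: bytes) -> bool:
    """Server side: unmask SHA1(pw) from the response, hash it once more
    and compare against the stored SHA1(SHA1(pw)) in constant time."""
    mask = sha1(scramble + stored)
    candidate_stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return hmac.compare_digest(sha1(candidate_stage1), stored)


def handshake(users: dict, user: str, password: str) -> bool:
    """One full exchange: server issues a fresh 20-byte scramble, the client
    answers, the server checks the answer against its stored hash."""
    scramble = os.urandom(20)  # constructed here; really sent by the server
    return server_verify(users[user], scramble, client_response(password, scramble))


# Constructed sample accounts, as the server would hold them.
users = {"wp_app": stored_hash("correct horse"), "reporting": stored_hash("correct horse")}

if __name__ == "__main__":
    print(format_stored_hash("password"))
    print(handshake(users, "wp_app", "correct horse"))
```

The two sample accounts share a password and therefore an identical stored hash, which is exactly what an unsalted scheme leaks to anyone who can read the mysql.user table.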