7.1 Ensure default_authentication_plugin is Set to a Secure Option

Information

The -default-authentication-plugin system variable governs two things:

Authentication plugin used by a new user account if a plugin is not specified explicitly through CREATE USER statement

Initial authentication data payload generated by server in case of a new connection.

Caching SHA-2 Authentication is the new default in MySQL 8.0. It provides stronger password protection than the prior Native Authentication and provides better performance than SHA2 Authentication. Alternatively, there are additional methods to securely connect using Lightweight Directory Access Protocol (LDAP) and Active Directory authentication.

Rationale:

MySQL Native Authentication relies on the Secure Hash Algorithm 1 (SHA1) algorithm and the National Institute of Standards and Technology (NIST) has suggested to stop using it.

The MySQL Native Authentication plugin leverages this weak hashing algorithm that can be quickly brute forced.

Solution

Configure mysql to default to the caching_sha2_password plugin.

Require caching_sha2_password plugin to be used by default for new accounts.
Edit my.cnf, in the section [mysqld] add:

default_authentication_plugin=caching_sha2_password

Determine if any users are using mysql_native_password.

select host, user, plugin from mysql.user;

Migrate these users from mysql_native_password.

ALTER USER user
IDENTIFIED WITH caching_sha2_password IDENTIFIED BY RANDOM PASSWORD PASSWORD EXPIRE;

Provide users the random password value through a secure mechanism - on next login they will be forced to change the password.

Default Value:

New users default to caching_sha2_password. Migrated users will initially be mysql_native or other authentication method.

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: MySQLDB

Control ID: 21e1889044342fa1617d08aa92b6a961f6e9d76113d0e3188724a43a6ce53387