
Using MySQL auth_socket Plugin for Password‑less Authentication

This article explains how the auth_socket (MySQL) and unix_socket (MariaDB) plugins enable password‑less login by mapping operating‑system users to MySQL accounts, walks through installing and enabling the plugins on Debian, Ubuntu, MariaDB, and Percona Server, and demonstrates creating and using socket‑authenticated users.

Aikesheng Open Source Community

The auth_socket plugin for MySQL and the unix_socket plugin for MariaDB allow users to authenticate without a password by matching the Linux user executing the client to a MySQL account.

Both plugins have been available for a while; MariaDB 10.4 ships unix_socket by default, and Debian‑based MySQL packages create a root user that can use socket authentication.

Installation and verification on Debian/Ubuntu:

After installing MySQL, you can check the maintainer information:

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers

Connecting to MySQL as root shows the plugin in use:

mysql> SELECT user, host, plugin FROM mysql.user WHERE user='root';
+------+-----------+-------------+
| user | host      | plugin      |
+------+-----------+-------------+
| root | localhost | auth_socket |
+------+-----------+-------------+

MariaDB behaves similarly, using the unix_socket plugin:

MariaDB [(none)]> SHOW GRANTS;
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION;

Percona Server packages also configure the auth_socket plugin for the root user.

Enabling the plugin at runtime (if not loaded):

mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected

After installation, the plugin appears as ACTIVE in the SHOW PLUGINS output:

auth_socket | ACTIVE | AUTHENTICATION | auth_socket.so | GPL

Creating a socket‑authenticated user (MariaDB syntax shown; MySQL and Percona Server use IDENTIFIED WITH auth_socket instead):

CREATE USER 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;

Now the OS user vagrant can log in without a password:

vagrant@host:~$ mysql
Welcome to the MariaDB monitor.

Attempting to log in as the same MySQL user from a different OS account fails, demonstrating that authentication is tied to the operating‑system user:

root@host# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'
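
Because socket authentication makes each OS account the credential for the MySQL account of the same name, it helps to list the socket‑authenticated accounts and the OS account behind each one. The following is an added example, not code from the original article; the account rows, the passwd lines and the status labels are constructed for illustration.

```python
# Constructed sample: tab-separated output of
#   mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
SAMPLE_ACCOUNTS = (
    "root\tlocalhost\tauth_socket\n"
    "vagrant\tlocalhost\tunix_socket\n"
    "percona\tlocalhost\tauth_socket\n"
    "app\t%\tmysql_native_password\n"
    "backup\tlocalhost\tunix_socket\n"
)
# Constructed sample of /etc/passwd on the database host
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vagrant:x:1000:1000::/home/vagrant:/bin/bash\n"
    "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n"
    "mysql:x:112:118::/nonexistent:/bin/false\n"
)
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Map OS user name -> (uid, login shell); malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = (int(fields[2]), fields[6])
    return users

def audit(accounts_text, passwd_text):
    """Return (account, status) for every socket-authenticated MySQL account."""
    os_users = parse_passwd(passwd_text)
    findings = []
    for line in accounts_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[2] not in SOCKET_PLUGINS:
            continue                      # password or other plugin: out of scope
        user, host, _plugin = parts
        if user not in os_users:
            status = "no-os-account"      # stale, or resolved from a directory
        elif os_users[user][0] == 0:
            status = "os-root"            # only uid 0 can use this account
        elif os_users[user][1] in NOLOGIN_SHELLS:
            status = "service-account"    # no interactive login on the host
        else:
            status = "interactive-login"  # shell access implies database access
        findings.append((f"{user}@{host}", status))
    return findings

if __name__ == "__main__":
    for account, status in audit(SAMPLE_ACCOUNTS, SAMPLE_PASSWD):
        print(f"{account:22} {status}")
```

Accounts reported as interactive-login deserve the closest review of their grants, since anyone who obtains a shell as that OS user reaches the database with no further credential.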

Conclusion: MySQL’s flexible authentication methods, especially socket‑based plugins, enable password‑less access by leveraging system users, which is useful for scenarios such as migrating from RDS/Aurora to on‑premises MySQL while preserving IAM‑style authentication.
