MariaDB Server: MDEV-10457

simple_password_check is incompatible with pam

Details

    Description

      When the simple_password_check plugin is active and you create a new user that is authenticated through pam, password verification fails. In a way this makes sense, as a pam-authenticated user has a zero-length password.

      Using the pam plugin doesn't mean all users are pam authenticated (root for example should, imo, never be externally authenticated). For these users it would still make sense to be able to prohibit weak passwords.

      I would thus like to request the password check to add support for externally authenticated users so both plugins can be used at the same time.

          Activity

            Would it help, if you set strict_password_validation to false? If not, it can be considered a bug.

            serg Sergei Golubchik added a comment

            Unfortunately that doesn't help:

            MariaDB [mysql]> show variables like 'strict_password_validation';
            +----------------------------+-------+
            | Variable_name              | Value |
            +----------------------------+-------+
            | strict_password_validation | ON    |
            +----------------------------+-------+
            1 row in set (0.01 sec)
             
            MariaDB [mysql]> create user myuser@localhost identified via pam using 'mariadb';
            ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
            MariaDB [mysql]> set global strict_password_validation='OFF';
            Query OK, 0 rows affected (0.00 sec)
             
            MariaDB [mysql]> show variables like 'strict_password_validation';
            +----------------------------+-------+
            | Variable_name              | Value |
            +----------------------------+-------+
            | strict_password_validation | OFF   |
            +----------------------------+-------+
            1 row in set (0.01 sec)
             
            MariaDB [mysql]> create user myuser@localhost identified via pam using 'mariadb';
            ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
            

            rpeiremans Robin Peiremans added a comment
            serg Sergei Golubchik added a comment - edited

            Okay, thanks. I think we can extend strict_password_validation variable to also cover the case of non-builtin plugins.

            Password validation works like this:

            1. if there is a password — run a validation plugin
            2. if there is no password — fail with an error
            3. if the password cannot be validated (for example, it was specified as a password hash):
              1. if strict_password_validation is OFF — allow it
              2. otherwise fail with an error

            When non-builtin plugins are used, MariaDB considered it to be case 2, but it is arguably case 3, so it should be affected by the strict_password_validation variable.


            The PAM authentication plugin doesn't allow MariaDB to change passwords at all, so MariaDB's password validation is irrelevant to it. I think it would require implementing pam_sm_chauthtok in auth_pam to allow it to change passwords.

            http://www.linux-pam.org/Linux-PAM-html/mwg-expected-of-module-chauthtok.html

            Would it make sense to modify the authentication plugin API to create a way to allow authentication plugins like auth_pam to exempt themselves from password validation?

            Is it likely that auth_pam will ever be capable of changing passwords, so MariaDB's password validation would become relevant? I noticed that MDEV-12321 implemented a way for authentication plugins to hook into the PASSWORD() function, but I don't know if that would be useful for that.

            GeoffMontee Geoff Montee (Inactive) added a comment

            Yes, you're right. MDEV-12321 was useful. In fact, this bug was fixed in MDEV-12321 — now password validation only works for plugins that support PASSWORD() function. If a plugin does not support PASSWORD(), it means that plugin does not have a concept of a password and whatever is specified after USING is not a password, and should not be validated as one.

            serg Sergei Golubchik added a comment
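The three validation cases Sergei lists above, the pre-fix behaviour from the report, and the MDEV-12321 resolution (plugins without a PASSWORD() hook are not validated) modelled together as an added Python example; this is not MariaDB server code, and the simple_password_check stand-in with its policy values is an assumption for illustration.

```python
# Added example, not MariaDB's code: a model of the CREATE USER password
# validation decision described in this thread, before and after MDEV-12321.
import re
from dataclasses import dataclass

ER_NOT_VALID_PASSWORD = "ERROR 1819 (HY000): Your password does not satisfy the current policy requirements"

@dataclass(frozen=True)
class AuthPlugin:
    name: str
    builtin: bool            # server-side hashed-password plugin (e.g. mysql_native_password)
    supports_password: bool  # implements the PASSWORD() hook added by MDEV-12321

# Stand-in for the simple_password_check plugin (assumed policy: length >= 8,
# a digit, an upper- and a lower-case letter and one other character).
def simple_password_check(pw: str, min_len: int = 8) -> bool:
    return all([len(pw) >= min_len, re.search(r"\d", pw), re.search(r"[a-z]", pw),
                re.search(r"[A-Z]", pw), re.search(r"[^A-Za-z0-9]", pw)])

def validate(plugin: AuthPlugin, secret: str, is_hash: bool,
             strict: bool, after_mdev_12321: bool) -> str:
    """Return 'OK' or the error text for CREATE USER ... IDENTIFIED VIA plugin USING secret."""
    if after_mdev_12321 and not plugin.supports_password:
        # Fixed behaviour: no PASSWORD() hook means no concept of a password,
        # so the USING clause (a PAM service name here) is not validated at all.
        return "OK"
    if not plugin.builtin and not after_mdev_12321:
        # Pre-fix behaviour from the report: an external plugin was treated as
        # case 2 ("no password") and failed regardless of strict_password_validation.
        return ER_NOT_VALID_PASSWORD
    if secret == "":
        return ER_NOT_VALID_PASSWORD                           # case 2: no password
    if is_hash:
        return "OK" if not strict else ER_NOT_VALID_PASSWORD   # case 3: cannot validate
    return "OK" if simple_password_check(secret) else ER_NOT_VALID_PASSWORD  # case 1

PAM = AuthPlugin("pam", builtin=False, supports_password=False)
NATIVE = AuthPlugin("mysql_native_password", builtin=True, supports_password=True)

def reproduce_report() -> dict:
    """The reporter's session (strict ON, then OFF) and the same statement after the fix."""
    return {
        "pam_strict_on_before": validate(PAM, "mariadb", False, True, False),
        "pam_strict_off_before": validate(PAM, "mariadb", False, False, False),
        "pam_after_fix": validate(PAM, "mariadb", False, True, True),
        "native_weak_after_fix": validate(NATIVE, "mariadb", False, True, True),
        "native_strong_after_fix": validate(NATIVE, "Str0ng-Passw0rd!", False, True, True),
        "native_hash_strict_off": validate(NATIVE, "*CONSTRUCTED_HASH", True, False, True),
    }
```

The two pre-fix entries reproduce the report (the error appears with strict_password_validation both ON and OFF), while the native-plugin entries show that real passwords are still checked after the fix.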

            People

              serg Sergei Golubchik
              rpeiremans Robin Peiremans