Details
-
Task
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
Description
MariaDB should have support for expiring user passwords manually
via the PASSWORD EXPIRE option for the CREATE USER
and ALTER USER statements. We should also implement global and
per-account policies for automatic password expiration.
Given MySQL 5.7 already has this feature, we should preserve
compatibility in terms of both API and datadir migration.
We should support the following use cases:
CREATE USER user@localhost PASSWORD EXPIRE [option];
|
ALTER USER user@localhost PASSWORD EXPIRE [option];
|
- If no option is specified, the password should be expired with immediate effect.
- If option is DEFAULT, the password is expired every N days since last changed,
where N is set in a system var such as default_password_lifetime. - If option is NEVER, the password is never expired for user@localhost.
- Option can also be INTERVAL N DAY, this way the password is expired
every N days.
The effect of an expired password should be controlled via a new system var
such as disconnect_on_expired_password. When this var is true, new client
connections for the expired account should be refused with the error code ER_MUST_CHANGE_PASSWORD_LOGIN.
If false, new client connections are restricted to use only statements for changing
the password (e.g. ALTER USER, SET PASSWORD). The execution of any other
statement should return ER_MUST_CHANGE_PASSWORD.
Clients should be able to specify whether they can handle a disconnect with an
option for the mysql binary such as --connect-expired-password or by passing
the MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS flag to mysql_options() for the C
library.
Implementation details:
- The password expiration state of an account should be kept in the JSON Priv column of
mysql.global_priv. The User_table_json class will be enriched with accessors
for reading/writing from/to this JSON field.MariaDB [(none)]> select user, host, Priv from mysql.global_priv where user='user';+-------+-----------+-------------------------------------------------------------------------------------------------------+| user | host | Priv |+-------+-----------+-------------------------------------------------------------------------------------------------------+| user | localhost | {..., "password_expired":true, "password_last_changed":"2019-02-20, 00:00:00", "password_lifetime":5} |+-------+-----------+-------------------------------------------------------------------------------------------------------+1 row in set (0.001 sec)
- To preserve the drop-in replacement property for MySQL 5.7 datadirs, we have to add
similar accessors with the ones above to the User_table_tabular class which
will read/write from/to the password expiration columns in the mysql.user table.
References:
http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html
Attachments
Issue Links
- duplicates
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
- relates to
-
MDEV-18716 Document password expiration
-
- Closed
-
-
-
- Open
-
-
-
- Closed
-
-
-
- Open
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
Activity
Hi Ulrich, we are working on it as we speak, so stay tuned.
Thank you for the info,
Robert
Now as I am working on my security talk for New York it comes to my mind that password expiration has some aspects.
First it must be possible to expire a password immediately, e.g. if user forgot his password. An admin can then set a new pasword for the user and expire it immediately.
Second expiring a password after a defined period.
Password expiration should be on by default and the default expiration period set to 90 days as this is what most regulations require.
If the password is expired we need to allow a defined number of grace logins (with all the privileges the user has) or just one with the only command allowed being SET PASSWORD. This is necessary to allow the user to change his password even if it has expired, e.g. he comes back from vacation and the expiration date was some days ago or an admin has set a new password and expired it immediately.
Regulations usually also require that none of the last 5 or 10 passwords may be reused. But I think that is a different requirement and needs additional password history to be implemented.
Hi Ulrich, thanks for the info, it is some great feedback.
Given this is going to be a MySQL compatibility feature, we will try to stay as close as possible to what MySQL's password management looks like.
If you check the mysql docs you'll find that most of the requirements you stated above will be fulfilled, except for the enabled by default part and the password history option which I believe is a different feature altogether.
Nice feature. Hope it will be also on 10.1 version or by database plugin.
This is a feature many people ask for in the classes and consultings. Therefore IMHO it should be implemented asap. Along with this people also ask for a password history so that users cannot just switch between two passwords back and forth.
As to my experience in financial industry regulatory compliance projects this is a regulatory requirement in almost all of about 80 regulations I have analyzed throughout the last years.