Details
-
Task
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
Description
MariaDB should have support for expiring user passwords manually
via the PASSWORD EXPIRE option for the CREATE USER
and ALTER USER statements. We should also implement global and
per-account policies for automatic password expiration.
Given MySQL 5.7 already has this feature, we should preserve
compatibility in terms of both API and datadir migration.
We should support the following use cases:
CREATE USER user@localhost PASSWORD EXPIRE [option];
|
ALTER USER user@localhost PASSWORD EXPIRE [option];
|
- If no option is specified, the password should be expired with immediate effect.
- If option is DEFAULT, the password is expired every N days since last changed,
where N is set in a system var such as default_password_lifetime. - If option is NEVER, the password is never expired for user@localhost.
- Option can also be INTERVAL N DAY, this way the password is expired
every N days.
The effect of an expired password should be controlled via a new system var
such as disconnect_on_expired_password. When this var is true, new client
connections for the expired account should be refused with the error code ER_MUST_CHANGE_PASSWORD_LOGIN.
If false, new client connections are restricted to use only statements for changing
the password (e.g. ALTER USER, SET PASSWORD). The execution of any other
statement should return ER_MUST_CHANGE_PASSWORD.
Clients should be able to specify whether they can handle a disconnect with an
option for the mysql binary such as --connect-expired-password or by passing
the MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS flag to mysql_options() for the C
library.
Implementation details:
- The password expiration state of an account should be kept in the JSON Priv column of
mysql.global_priv. The User_table_json class will be enriched with accessors
for reading/writing from/to this JSON field.MariaDB [(none)]> select user, host, Priv from mysql.global_priv where user='user';+-------+-----------+-------------------------------------------------------------------------------------------------------+| user | host | Priv |+-------+-----------+-------------------------------------------------------------------------------------------------------+| user | localhost | {..., "password_expired":true, "password_last_changed":"2019-02-20, 00:00:00", "password_lifetime":5} |+-------+-----------+-------------------------------------------------------------------------------------------------------+1 row in set (0.001 sec)
- To preserve the drop-in replacement property for MySQL 5.7 datadirs, we have to add
similar accessors with the ones above to the User_table_tabular class which
will read/write from/to the password expiration columns in the mysql.user table.
References:
http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html
Attachments
Issue Links
- duplicates
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
- relates to
-
MDEV-18716 Document password expiration
-
- Closed
-
-
-
- Open
-
-
-
- Closed
-
-
-
- Open
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
Activity
| Assignee | Sergei Golubchik [ serg ] |
| Description |
There is a request for adding password expiration functionality to MariaDB. In an earlier discussion it was mentioned that this should be done either in a special authentication plugin or in the server itself. |
There is a request for adding password expiration functionality to MariaDB. In an earlier discussion it was mentioned that this should be done either in a special authentication plugin or in the server itself. Check MySQL 5.6's corresponding functionality: http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html |
| Fix Version/s | 10.1 [ 16100 ] | |
| Fix Version/s | 10.1.4 [ 18400 ] |
| Workflow | MariaDB v2 [ 59704 ] | MariaDB v3 [ 64369 ] |
| Fix Version/s | 10.2 [ 14601 ] | |
| Fix Version/s | 10.1 [ 16100 ] |
As this needs changes to mysql.user table, we can as well remove the Password column at the same time (as in 5.7)
Given MDEV-10959, I can probably take this as a backburner task from serg.
| Fix Version/s | 10.2 [ 14601 ] |
| Fix Version/s | 10.3 [ 22126 ] |
Hope for the features for Account Security, they are good for us to build better security system (like ISMS).
https://www.percona.com/blog/2017/11/02/mysql-vs-mariadb-reality-check/
Security – Password expiry
Security – Password last changed? Password lifetime?
Security – VALIDATE_PASSWORD _STRENGTH()
Security – ACCOUNT LOCK/UNLOCK
| Fix Version/s | 10.4 [ 22408 ] | |
| Fix Version/s | 10.3 [ 22126 ] | |
| Labels | pf5 | pf5 security |
| Link |
This issue is blocked by |
| Epic Link | PT-73 [ 68549 ] |
| Comment | [ A comment with security level 'Developers' was removed. ] |
| Priority | Major [ 3 ] | Critical [ 2 ] |
| Rank | Ranked higher |
| Link |
This issue is blocked by |
| Link |
This issue is blocked by |
| Assignee | Sergei Golubchik [ serg ] | Robert Bindar [ robertbindar ] |
This is a feature many people ask for in the classes and consultings. Therefore IMHO it should be implemented asap. Along with this people also ask for a password history so that users cannot just switch between two passwords back and forth.
As to my experience in financial industry regulatory compliance projects this is a regulatory requirement in almost all of about 80 regulations I have analyzed throughout the last years.
Hi Ulrich, we are working on it as we speak, so stay tuned.
Thank you for the info,
Robert
| Description |
There is a request for adding password expiration functionality to MariaDB. In an earlier discussion it was mentioned that this should be done either in a special authentication plugin or in the server itself. Check MySQL 5.6's corresponding functionality: http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html |
MariaDB should have support for expiring user passwords manually
via the _PASSWORD EXPIRE_ option for the _CREATE USER_ and _ALTER USER_ statements. We should also implement global and per-account policies for automatic password expiration. Given MySQL 5.7 already has this feature, we should preserve compatibility in terms of both API and datadir migration. We should support the following use cases: {noformat} CREATE USER user@localhost PASSWORD EXPIRE [option]; {noformat} {noformat} ALTER USER user@localhost PASSWORD EXPIRE [option]; {noformat} *If no option is specified, the password should be expired with immediate effect. *If option is _DEFAULT_, the password is expired every *N* days since last changed, where *N* is set in a system var such as *default_password_lifetime*. *If option is _NEVER_, the password is never expired for user@localhost. *Option can also be _INTERVAL_ *N* _DAY_, this way the password is expired every *N* days. The effect of an expired password should be controlled via a new system var such as *disconnect_on_expired_password*. When this var is true, new client connections for the expired account should be refused with the error code _ER_MUST_CHANGE_PASSWORD_LOGIN_. If false, new client connections are restricted to use only statements for changing the password (e.g. _ALTER USER_, _SET PASSWORD_). The execution of any other statement should return _ER_MUST_CHANGE_PASSWORD_. Clients should be able to specify whether they can handle a disconnect with an option for the mysql binary such as *--connect-expired-password* or by passing the *MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS* flag to _mysql_options()_ for the _C_ library. |
| Description |
MariaDB should have support for expiring user passwords manually
via the _PASSWORD EXPIRE_ option for the _CREATE USER_ and _ALTER USER_ statements. We should also implement global and per-account policies for automatic password expiration. Given MySQL 5.7 already has this feature, we should preserve compatibility in terms of both API and datadir migration. We should support the following use cases: {noformat} CREATE USER user@localhost PASSWORD EXPIRE [option]; {noformat} {noformat} ALTER USER user@localhost PASSWORD EXPIRE [option]; {noformat} *If no option is specified, the password should be expired with immediate effect. *If option is _DEFAULT_, the password is expired every *N* days since last changed, where *N* is set in a system var such as *default_password_lifetime*. *If option is _NEVER_, the password is never expired for user@localhost. *Option can also be _INTERVAL_ *N* _DAY_, this way the password is expired every *N* days. The effect of an expired password should be controlled via a new system var such as *disconnect_on_expired_password*. When this var is true, new client connections for the expired account should be refused with the error code _ER_MUST_CHANGE_PASSWORD_LOGIN_. If false, new client connections are restricted to use only statements for changing the password (e.g. _ALTER USER_, _SET PASSWORD_). The execution of any other statement should return _ER_MUST_CHANGE_PASSWORD_. Clients should be able to specify whether they can handle a disconnect with an option for the mysql binary such as *--connect-expired-password* or by passing the *MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS* flag to _mysql_options()_ for the _C_ library. |
MariaDB should have support for expiring user passwords manually
via the _PASSWORD EXPIRE_ option for the _CREATE USER_ and _ALTER USER_ statements. We should also implement global and per-account policies for automatic password expiration. Given MySQL 5.7 already has this feature, we should preserve compatibility in terms of both API and datadir migration. We should support the following use cases: {noformat} CREATE USER user@localhost PASSWORD EXPIRE [option]; {noformat} {noformat} ALTER USER user@localhost PASSWORD EXPIRE [option]; {noformat} * If no option is specified, the password should be expired with immediate effect. * If option is _DEFAULT_, the password is expired every *N* days since last changed, where *N* is set in a system var such as *default_password_lifetime*. * If option is _NEVER_, the password is never expired for user@localhost. * Option can also be _INTERVAL_ *N* _DAY_, this way the password is expired every *N* days. The effect of an expired password should be controlled via a new system var such as *disconnect_on_expired_password*. When this var is true, new client connections for the expired account should be refused with the error code _ER_MUST_CHANGE_PASSWORD_LOGIN_. If false, new client connections are restricted to use only statements for changing the password (e.g. _ALTER USER_, _SET PASSWORD_). The execution of any other statement should return _ER_MUST_CHANGE_PASSWORD_. Clients should be able to specify whether they can handle a disconnect with an option for the mysql binary such as *--connect-expired-password* or by passing the *MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS* flag to _mysql_options()_ for the _C_ library. Implementation details: * The password expiration state of an account should be kept in the JSON Priv column of mysql.global_priv. The User_table_json class will be enriched with accessors for reading/writing from/to this JSON field. {noformat} MariaDB [(none)]> select user, host, Priv from mysql.global_priv where user='user'; +-------+-----------+-------------------------------------------------------------------------------------------------------+ | user | host | Priv | +-------+-----------+-------------------------------------------------------------------------------------------------------+ | user | localhost | {..., "password_expired":true, "password_last_changed":"2019-02-20, 00:00:00", "password_lifetime":5} | +-------+-----------+-------------------------------------------------------------------------------------------------------+ 1 row in set (0.001 sec) {noformat} * To preserve the drop-in replacement for MySQL 5.7 datadirs, we have to add similar accessors with the ones above to the User_table_tabular class which will read/write from/to the password expiration columns in the mysql.user table. References: http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html |
| Description |
MariaDB should have support for expiring user passwords manually
via the _PASSWORD EXPIRE_ option for the _CREATE USER_ and _ALTER USER_ statements. We should also implement global and per-account policies for automatic password expiration. Given MySQL 5.7 already has this feature, we should preserve compatibility in terms of both API and datadir migration. We should support the following use cases: {noformat} CREATE USER user@localhost PASSWORD EXPIRE [option]; {noformat} {noformat} ALTER USER user@localhost PASSWORD EXPIRE [option]; {noformat} * If no option is specified, the password should be expired with immediate effect. * If option is _DEFAULT_, the password is expired every *N* days since last changed, where *N* is set in a system var such as *default_password_lifetime*. * If option is _NEVER_, the password is never expired for user@localhost. * Option can also be _INTERVAL_ *N* _DAY_, this way the password is expired every *N* days. The effect of an expired password should be controlled via a new system var such as *disconnect_on_expired_password*. When this var is true, new client connections for the expired account should be refused with the error code _ER_MUST_CHANGE_PASSWORD_LOGIN_. If false, new client connections are restricted to use only statements for changing the password (e.g. _ALTER USER_, _SET PASSWORD_). The execution of any other statement should return _ER_MUST_CHANGE_PASSWORD_. Clients should be able to specify whether they can handle a disconnect with an option for the mysql binary such as *--connect-expired-password* or by passing the *MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS* flag to _mysql_options()_ for the _C_ library. Implementation details: * The password expiration state of an account should be kept in the JSON Priv column of mysql.global_priv. The User_table_json class will be enriched with accessors for reading/writing from/to this JSON field. {noformat} MariaDB [(none)]> select user, host, Priv from mysql.global_priv where user='user'; +-------+-----------+-------------------------------------------------------------------------------------------------------+ | user | host | Priv | +-------+-----------+-------------------------------------------------------------------------------------------------------+ | user | localhost | {..., "password_expired":true, "password_last_changed":"2019-02-20, 00:00:00", "password_lifetime":5} | +-------+-----------+-------------------------------------------------------------------------------------------------------+ 1 row in set (0.001 sec) {noformat} * To preserve the drop-in replacement for MySQL 5.7 datadirs, we have to add similar accessors with the ones above to the User_table_tabular class which will read/write from/to the password expiration columns in the mysql.user table. References: http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html |
MariaDB should have support for expiring user passwords manually
via the _PASSWORD EXPIRE_ option for the _CREATE USER_ and _ALTER USER_ statements. We should also implement global and per-account policies for automatic password expiration. Given MySQL 5.7 already has this feature, we should preserve compatibility in terms of both API and datadir migration. We should support the following use cases: {noformat} CREATE USER user@localhost PASSWORD EXPIRE [option]; {noformat} {noformat} ALTER USER user@localhost PASSWORD EXPIRE [option]; {noformat} * If no option is specified, the password should be expired with immediate effect. * If option is _DEFAULT_, the password is expired every *N* days since last changed, where *N* is set in a system var such as *default_password_lifetime*. * If option is _NEVER_, the password is never expired for user@localhost. * Option can also be _INTERVAL_ *N* _DAY_, this way the password is expired every *N* days. The effect of an expired password should be controlled via a new system var such as *disconnect_on_expired_password*. When this var is true, new client connections for the expired account should be refused with the error code _ER_MUST_CHANGE_PASSWORD_LOGIN_. If false, new client connections are restricted to use only statements for changing the password (e.g. _ALTER USER_, _SET PASSWORD_). The execution of any other statement should return _ER_MUST_CHANGE_PASSWORD_. Clients should be able to specify whether they can handle a disconnect with an option for the mysql binary such as *--connect-expired-password* or by passing the *MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS* flag to _mysql_options()_ for the _C_ library. Implementation details: * The password expiration state of an account should be kept in the JSON Priv column of mysql.global_priv. The User_table_json class will be enriched with accessors for reading/writing from/to this JSON field. {noformat} MariaDB [(none)]> select user, host, Priv from mysql.global_priv where user='user'; +-------+-----------+-------------------------------------------------------------------------------------------------------+ | user | host | Priv | +-------+-----------+-------------------------------------------------------------------------------------------------------+ | user | localhost | {..., "password_expired":true, "password_last_changed":"2019-02-20, 00:00:00", "password_lifetime":5} | +-------+-----------+-------------------------------------------------------------------------------------------------------+ 1 row in set (0.001 sec) {noformat} * To preserve the drop-in replacement property for MySQL 5.7 datadirs, we have to add similar accessors with the ones above to the User_table_tabular class which will read/write from/to the password expiration columns in the mysql.user table. References: http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html |
| Status | Open [ 1 ] | In Progress [ 3 ] |
Now as I am working on my security talk for New York it comes to my mind that password expiration has some aspects.
First it must be possible to expire a password immediately, e.g. if user forgot his password. An admin can then set a new pasword for the user and expire it immediately.
Second expiring a password after a defined period.
Password expiration should be on by default and the default expiration period set to 90 days as this is what most regulations require.
If the password is expired we need to allow a defined number of grace logins (with all the privileges the user has) or just one with the only command allowed being SET PASSWORD. This is necessary to allow the user to change his password even if it has expired, e.g. he comes back from vacation and the expiration date was some days ago or an admin has set a new password and expired it immediately.
Regulations usually also require that none of the last 5 or 10 passwords may be reused. But I think that is a different requirement and needs additional password history to be implemented.
Hi Ulrich, thanks for the info, it is some great feedback.
Given this is going to be a MySQL compatibility feature, we will try to stay as close as possible to what MySQL's password management looks like.
If you check the mysql docs you'll find that most of the requirements you stated above will be fulfilled, except for the enabled by default part and the password history option which I believe is a different feature altogether.
| Assignee | Robert Bindar [ robertbindar ] | Sergei Golubchik [ serg ] |
| Status | In Progress [ 3 ] | In Review [ 10002 ] |
| Assignee | Sergei Golubchik [ serg ] | Robert Bindar [ robertbindar ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Assignee | Robert Bindar [ robertbindar ] | Sergei Golubchik [ serg ] |
| Component/s | Authentication and Privilege System [ 13101 ] | |
| Component/s | Plugins [ 10118 ] | |
| Fix Version/s | 10.4.3 [ 23230 ] | |
| Fix Version/s | 10.4 [ 22408 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Assignee | Sergei Golubchik [ serg ] | Robert Bindar [ robertbindar ] |
Nice feature. Hope it will be also on 10.1 version or by database plugin.
| Link |
This issue relates to |
| Link |
This issue relates to |
| Link | This issue relates to MDEV-23280 [ MDEV-23280 ] |
| Link |
This issue relates to |
| Workflow | MariaDB v3 [ 64369 ] | MariaDB v4 [ 132519 ] |
| Zendesk Related Tickets | 132255 |
Assigning to you serg for design.