MariaDB Server / MDEV-7598

Block user accounts after failed login attempts

Details

    Description

      Add functionality to block/disable user accounts if failed login attempts occur. During earlier discussions it was mentioned that this should be done in the server or in a special authentication plugin.

          Activity

            ratzpo Rasmus Johansson (Inactive) added a comment - Assigning to you serg for design.
            serg Sergei Golubchik added a comment - - edited

            A possible implementation: ACL_USER has a failed_logins counter. It's incremented when a login fails, it's reset to 0 when a login succeeds. When it reaches a certain limit all future logins fail too. FLUSH PRIVILEGES resets it, obviously. The limit can be set by a global variable.

            It'd need some safeguards to avoid blocking a root user. First, it's per account, so root@localhost can only be blocked if somebody can brute-force from localhost. Second, failed_logins could only be incremented for a failed password, so failed logins using the unix_socket plugin will never block an account.

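The counter serg sketches above, written out as an added C++ example that is not MariaDB code: a small struct stands in for ACL_USER, and `max_failed_logins`, `check_login` and `flush_privileges` are assumed names for the global variable, the login path and the FLUSH PRIVILEGES reset.

```cpp
// Added sketch of the proposed per-account failed-login counter.
// Not MariaDB code; all names below are assumed for illustration.
#include <map>
#include <string>

// Stand-in for the proposed global variable (0 = lockout disabled).
static unsigned max_failed_logins = 3;

enum class AuthPlugin { Password, UnixSocket };

struct AclUser {                      // stand-in for ACL_USER
    AuthPlugin plugin = AuthPlugin::Password;
    unsigned failed_logins = 0;       // reset to 0 on success / FLUSH PRIVILEGES
};

// Keyed by "user@host" (e.g. "root@localhost"): the limit is per account.
static std::map<std::string, AclUser> acl_users;

enum class Login { Ok, Denied, Blocked };

// password_ok is the result of the authentication plugin's credential check.
Login check_login(const std::string& account, bool password_ok) {
    AclUser& u = acl_users[account];
    if (max_failed_logins && u.failed_logins >= max_failed_logins)
        return Login::Blocked;        // limit reached: all further logins fail
    if (password_ok) {
        u.failed_logins = 0;          // a successful login resets the counter
        return Login::Ok;
    }
    // Only a failed *password* counts, so a unix_socket account can never
    // be locked out by failed attempts.
    if (u.plugin == AuthPlugin::Password)
        ++u.failed_logins;
    return Login::Denied;
}

// FLUSH PRIVILEGES reloads ACL_USER entries, which clears every counter.
void flush_privileges() {
    for (auto& kv : acl_users) kv.second.failed_logins = 0;
}
```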
            ralf.gebhardt Ralf Gebhardt added a comment -

            When it reaches a certain limit all future logins fail too. FLUSH PRIVILEGES resets it, obviously. The limit can be set by a global variable.

            Couldn't the limit be set per user? Maybe using the global variable just as a default. Per role would be nice. But given that the role can be changed for a user, that would not work.


            serg Sergei Golubchik added a comment -

            It could be, of course. But we don't have a per-host limit, either — and it seems to work well enough. Different per-user limits look like overengineering to me.

            People

              wlad Vladislav Vaintroub
              ratzpo Rasmus Johansson (Inactive)