[MDEV-7597] Expiration of user passwords Created: 2015-02-17  Updated: 2021-05-17  Resolved: 2019-02-21

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Fix Version/s: 10.4.3

Type: Task Priority: Critical
Reporter: Rasmus Johansson (Inactive) Assignee: Robert Bindar
Resolution: Fixed Votes: 15
Labels: pf5, security

Issue Links:
Blocks
is blocked by MDEV-17658 change the structure of mysql.user table Closed
Duplicate
duplicates MDEV-6554 Password security compliance check Closed
duplicates MDEV-9072 MariaDB Community Edition needs passw... Closed
duplicates MDEV-9244 Add password auto expiration option a... Closed
Relates
relates to MDEV-18716 Document password expiration Closed
relates to MDEV-23280 Establish a grace period for expiry p... Open
relates to MDEV-25703 Add VALIDATE_PASSWORD_STRENGTH function Closed
relates to ODBC-224 Support expired passwords Open
relates to CONJ-660 support expired password Closed
relates to CONJS-61 Permit handling expired password Closed
relates to MDEV-6431 password validation Closed
relates to MDEV-21767 If default_password_lifetime > 0, the... Closed

Description

MariaDB should have support for expiring user passwords manually
via the PASSWORD EXPIRE option for the CREATE USER
and ALTER USER statements. We should also implement global and
per-account policies for automatic password expiration.

Given MySQL 5.7 already has this feature, we should preserve
compatibility in terms of both API and datadir migration.

We should support the following use cases:

    CREATE USER user@localhost PASSWORD EXPIRE [option];

    ALTER USER user@localhost PASSWORD EXPIRE [option];

  • If no option is specified, the password is expired with immediate effect.
  • If the option is DEFAULT, the password expires N days after it was last changed,
    where N is the value of a system variable such as default_password_lifetime.
  • If the option is NEVER, the password never expires for user@localhost.
  • The option can also be INTERVAL N DAY, in which case the password expires
    N days after it was last changed, regardless of the global default.

The effect of an expired password should be controlled via a new system var
such as disconnect_on_expired_password. When this var is true, new client
connections for the expired account should be refused with the error code ER_MUST_CHANGE_PASSWORD_LOGIN.
If false, new client connections are restricted to use only statements for changing
the password (e.g. ALTER USER, SET PASSWORD). The execution of any other
statement should return ER_MUST_CHANGE_PASSWORD.

Clients should be able to specify whether they can handle a disconnect with an
option for the mysql binary such as --connect-expired-password or by passing
the MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS flag to mysql_options() for the C
library.

Implementation details:

  • The password expiration state of an account should be kept in the JSON Priv column of
    mysql.global_priv. The User_table_json class will be enriched with accessors
    for reading/writing from/to this JSON field.

        MariaDB [(none)]> select user, host, Priv from mysql.global_priv where user='user';
        +-------+-----------+-------------------------------------------------------------------------------------------------------+
        | user  | host      | Priv                                                                                                  |
        +-------+-----------+-------------------------------------------------------------------------------------------------------+
        | user  | localhost | {..., "password_expired":true, "password_last_changed":"2019-02-20, 00:00:00", "password_lifetime":5} |
        +-------+-----------+-------------------------------------------------------------------------------------------------------+
        1 row in set (0.001 sec)
    

  • To preserve the drop-in replacement property for MySQL 5.7 datadirs, we have to add
    accessors similar to the ones above to the User_table_tabular class, which
    will read/write the password expiration columns in the mysql.user table.
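As an added illustration, not code from MariaDB or from this issue, the following Python models the expiration policy described above (the immediate, DEFAULT, NEVER and INTERVAL N DAY options, plus the disconnect_on_expired_password behaviour) as an audit over rows shaped like the Priv JSON of mysql.global_priv shown above. Everything the page does not state is an assumption: that password_lifetime = 0 encodes NEVER and an absent or negative password_lifetime encodes DEFAULT, that password_last_changed uses the "YYYY-MM-DD, HH:MM:SS" string form of the sample row, and the constructed rows, as-of date and default_password_lifetime values.

```python
import json
from datetime import datetime, timedelta

# Constructed sample rows in the shape of (user, host, Priv) from mysql.global_priv.
# The JSON keys follow the sample row in the description; the encoding of
# NEVER/DEFAULT below is an assumption, not something the page specifies.
SAMPLE_ROWS = [
    # PASSWORD EXPIRE (no option): expired immediately, whatever the lifetime says
    ("alice", "localhost", '{"access": 0, "password_expired": true, '
                           '"password_last_changed": "2019-02-20, 00:00:00", "password_lifetime": 5}'),
    # PASSWORD EXPIRE INTERVAL 30 DAY
    ("bob", "%", '{"access": 0, "password_last_changed": "2019-01-01, 00:00:00", "password_lifetime": 30}'),
    # PASSWORD EXPIRE NEVER (assumed encoding: lifetime 0)
    ("carol", "%", '{"access": 0, "password_last_changed": "2019-01-01, 00:00:00", "password_lifetime": 0}'),
    # PASSWORD EXPIRE DEFAULT (assumed encoding: key absent -> default_password_lifetime)
    ("dave", "%", '{"access": 0, "password_last_changed": "2019-01-01, 00:00:00"}'),
]

# Constructed "now" for the audit (the issue's resolution date).
AS_OF = datetime(2019, 2, 21)

# Timestamp format as shown in the sample row of the description (assumption).
TS_FORMAT = "%Y-%m-%d, %H:%M:%S"

# Error names from the description; numeric codes are deliberately not assumed.
ER_MUST_CHANGE_PASSWORD = "ER_MUST_CHANGE_PASSWORD"
ER_MUST_CHANGE_PASSWORD_LOGIN = "ER_MUST_CHANGE_PASSWORD_LOGIN"

# Statements an expired-but-connected account is still allowed to run.
PASSWORD_CHANGE_STATEMENTS = ("SET PASSWORD", "ALTER USER")


def effective_lifetime(priv, default_password_lifetime):
    """Resolve the per-account setting to a number of days; 0 means never expires."""
    lifetime = priv.get("password_lifetime")
    if lifetime is None or lifetime < 0:      # DEFAULT: fall back to the global variable
        return default_password_lifetime
    return lifetime                           # NEVER (0) or INTERVAL N DAY (N > 0)


def is_expired(priv, now, default_password_lifetime):
    """True if the account must change its password before doing anything else."""
    if priv.get("password_expired"):          # expired manually, with immediate effect
        return True
    days = effective_lifetime(priv, default_password_lifetime)
    if days <= 0:                             # NEVER, or DEFAULT with a global lifetime of 0
        return False
    changed = datetime.strptime(priv["password_last_changed"], TS_FORMAT)
    return now >= changed + timedelta(days=days)


def audit(rows, now, default_password_lifetime):
    """Map 'user@host' -> expired? for rows shaped like mysql.global_priv."""
    return {
        f"{user}@{host}": is_expired(json.loads(priv_json), now, default_password_lifetime)
        for user, host, priv_json in rows
    }


def on_connect(expired, disconnect_on_expired_password):
    """Error sent at login for an expired account, or None if the connection is accepted."""
    if expired and disconnect_on_expired_password:
        return ER_MUST_CHANGE_PASSWORD_LOGIN
    return None


def on_statement(expired, sql):
    """Sandbox mode: an expired account may only run password-changing statements."""
    if expired and not sql.lstrip().upper().startswith(PASSWORD_CHANGE_STATEMENTS):
        return ER_MUST_CHANGE_PASSWORD
    return None


if __name__ == "__main__":
    for account, expired in audit(SAMPLE_ROWS, AS_OF, 90).items():
        print(f"{account:16} expired={expired}")
```

Note that with default_password_lifetime = 90 the DEFAULT account (dave) is still valid on the as-of date, but lowering the global to 30 days expires it without touching the account: accounts on DEFAULT inherit every change of the global variable, which is the point of keeping the per-account setting separate from the interval.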

References:
http://dev.mysql.com/doc/refman/5.6/en/password-expiration-sandbox-mode.html



Comments
Comment by Rasmus Johansson (Inactive) [ 2015-02-17 ]

Assigning to you serg for design.

Comment by Sergei Golubchik [ 2015-11-03 ]

As this needs changes to mysql.user table, we can as well remove the Password column at the same time (as in 5.7)

Comment by Vicențiu Ciorbaru [ 2016-10-07 ]

Given MDEV-10959, I can probably take this as a backburner task from serg.

Comment by Su, Jun-Ming [ 2017-11-06 ]

Hoping for these Account Security features; they are good for us to build a better security system (like an ISMS).

https://www.percona.com/blog/2017/11/02/mysql-vs-mariadb-reality-check/

Security – Password expiry
Security – Password last changed? Password lifetime?
Security – VALIDATE_PASSWORD_STRENGTH()
Security – ACCOUNT LOCK/UNLOCK

Comment by Ulrich Moser (Inactive) [ 2019-01-21 ]

This is a feature many people ask for in classes and consulting sessions. Therefore IMHO it should be implemented ASAP. Along with this, people also ask for a password history so that users cannot just switch back and forth between two passwords.
In my experience in financial industry regulatory compliance projects, this is a regulatory requirement in almost all of the about 80 regulations I have analyzed throughout the last years.

Comment by Robert Bindar [ 2019-01-22 ]

Hi Ulrich, we are working on it as we speak, so stay tuned.

Thank you for the info,
Robert

Comment by Ulrich Moser (Inactive) [ 2019-01-25 ]

Now as I am working on my security talk for New York it comes to my mind that password expiration has some aspects.

First, it must be possible to expire a password immediately, e.g. if a user forgot his password. An admin can then set a new password for the user and expire it immediately.

Second, expiring a password after a defined period.

Password expiration should be on by default and the default expiration period set to 90 days as this is what most regulations require.

If the password is expired we need to allow a defined number of grace logins (with all the privileges the user has) or just one with the only command allowed being SET PASSWORD. This is necessary to allow the user to change his password even if it has expired, e.g. he comes back from vacation and the expiration date was some days ago or an admin has set a new password and expired it immediately.

Regulations usually also require that none of the last 5 or 10 passwords may be reused. But I think that is a different requirement and needs additional password history to be implemented.

Comment by Robert Bindar [ 2019-01-25 ]

Hi Ulrich, thanks for the info, it is some great feedback.
Given this is going to be a MySQL compatibility feature, we will try to stay as close as possible to what MySQL's password management looks like.

If you check the mysql docs you'll find that most of the requirements you stated above will be fulfilled, except for the enabled by default part and the password history option which I believe is a different feature altogether.

Comment by Su, Jun-Ming [ 2019-02-22 ]

Nice feature. Hope it will also be available on the 10.1 version or as a database plugin.
