Password validation plugins, like simple_password_check and cracklib, enforce strong password policies by checking new passwords against defined complexity rules.
password_reuse_check_interval
Description: This system variable defines the retention period, in days, of the password history that the Password Reuse Check Plugin uses to prevent reuse. It is available when the password_reuse_check plugin is installed. Zero, the default, means that passwords are never discarded from the history.
Command line: --password_reuse_check_interval=#
Scope: Global
Read-only: No
Data Type: numeric
Default Value: 0
Range: 0 to 36500
This page is licensed: CC BY-SA / Gnu FDL
The Simple Password Check Plugin enforces basic password complexity rules, such as minimum length and required numbers of digits, letters, and special characters.
simple_password_check is a password validation plugin. It can check whether a password contains at least a certain number of characters of a specific type. When first installed, a password is required to be at least eight characters, and requires at least one digit, one uppercase character, one lowercase character, and one character that is neither a digit nor a letter.
Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).
Although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.
The first method installs the plugin without restarting the server: execute INSTALL SONAME or INSTALL PLUGIN. The statement is listed with the other commands for this plugin at the end of this page.
The second method tells the server to load the plugin when it starts up, by providing the --plugin-load-add or --plugin-load option. This can be specified as a command-line argument to mariadbd, or in a relevant server option group in an option file; the option-file form is listed at the end of this page.
You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN.
If you installed the plugin by providing the --plugin-load-add or --plugin-load option in a relevant server option group in an option file, remove those options to prevent the plugin from being loaded the next time the server is restarted.
When a new password does not meet the criteria, the server returns ERROR 1819 (HY000): Your password does not satisfy the current policy requirements. An example SET PASSWORD statement with this error is listed at the end of this page.
simple_password_check_digits
Description: A password must contain at least this many digits.
Command line: --simple-password-check-digits=#
Scope: Global
Dynamic: Yes

simple_password_check_letters_same_case
Description: A password must contain at least this many upper-case and this many lower-case letters.
Command line: --simple-password-check-letters-same-case=#
Scope: Global
Dynamic: Yes

simple_password_check_minimal_length
Description: A password must contain at least this many characters.
Command line: --simple-password-check-minimal-length=#
Scope: Global
Dynamic: Yes

simple_password_check_other_characters
Description: A password must contain at least this many characters that are neither digits nor letters.
Command line: --simple-password-check-other-characters=#
Scope: Global
Dynamic: Yes
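As an added illustration (this is not code from MariaDB or from the simple_password_check plugin; the class, function and parameter names are this example's own), the following Python reimplements the four rules above exactly as the variables describe them. It makes two points visible that the prose leaves implicit: simple_password_check_letters_same_case is a per-case minimum (at least N upper-case and at least N lower-case letters), and anything that is neither a digit nor a letter counts towards simple_password_check_other_characters. That non-ASCII characters fall into the "other" class is an assumption of this example, not a statement from the page.

```python
"""Added example, not code from MariaDB or the simple_password_check plugin.
A reference implementation of the four rules documented above, useful for
pre-checking candidate passwords or for reasoning about a policy setting.
The class, function and parameter names are this example's own."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SimplePasswordPolicy:
    """Thresholds mirroring the plugin's system variables (page defaults)."""
    digits: int = 1             # simple_password_check_digits
    letters_same_case: int = 1  # simple_password_check_letters_same_case
    minimal_length: int = 8     # simple_password_check_minimal_length
    other_characters: int = 1   # simple_password_check_other_characters


def classify(password: str) -> Dict[str, int]:
    """Count characters per class using explicit ASCII ranges rather than
    str.isdigit()/str.isalpha(), so Unicode digits and letters are not
    silently accepted as digits or letters. Everything that is not an ASCII
    digit or ASCII letter is counted as 'other' (assumption of this example:
    the page defines that class only as 'neither digits nor letters')."""
    counts = {"digits": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if "0" <= ch <= "9":
            counts["digits"] += 1
        elif "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def check_password(password: str,
                   policy: SimplePasswordPolicy = SimplePasswordPolicy()) -> List[str]:
    """Return the names of the rules the password violates; an empty list
    means it passes. letters_same_case is a per-case minimum: the password
    needs at least that many upper-case AND at least that many lower-case
    letters."""
    c = classify(password)
    failures = []
    if len(password) < policy.minimal_length:
        failures.append("minimal_length")
    if c["digits"] < policy.digits:
        failures.append("digits")
    if c["upper"] < policy.letters_same_case or c["lower"] < policy.letters_same_case:
        failures.append("letters_same_case")
    if c["other"] < policy.other_characters:
        failures.append("other_characters")
    return failures


if __name__ == "__main__":
    for candidate in ["abc", "password1", "Passw0rd", "PASSW0RD!!", "Passw0rd!"]:
        print(f"{candidate!r:14} -> {check_password(candidate) or 'ok'}")
```

Running the block prints which rule each sample password fails; "Passw0rd" fails only other_characters and "PASSW0RD!!" fails only letters_same_case, which is the per-case behaviour worth remembering when tuning the thresholds.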
simple_password_check
Description: Controls how the server should treat the plugin when the server starts up.
Valid values are:
OFF - Disables the plugin without removing it from the mysql.plugins table.
The Cracklib Password Check Plugin enforces password strength by validating new passwords against the CrackLib library and its dictionary.
cracklib_password_check is a password validation plugin. It uses the CrackLib library to check the strength of new passwords. CrackLib is installed by default in many Linux distributions, since the system's Pluggable Authentication Module (PAM) authentication framework is usually configured to check the strength of new passwords with the pam_cracklib PAM module.
Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).
The plugin requires at least CrackLib 2.9.0, so it is not available in builds for Debian/Ubuntu releases before Debian 8 Jessie and Ubuntu 14.04 Trusty, nor for Red Hat Enterprise Linux / CentOS 6.
The cracklib_password_check plugin's shared library is included in MariaDB packages as the cracklib_password_check.so or cracklib_password_check.dll shared library on systems where it can be built.
The cracklib_password_check plugin is included in the systemd binary tarballs on Linux, but not in the older generic and glibc_214 tarballs.
The cracklib_password_check plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.
You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository, or from MariaDB Foundation's MariaDB Repository.
Installing with yum/dnf
On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to install the relevant package (MariaDB-cracklib-password-check) from MariaDB's repository using yum or dnf. Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf. The install command is listed with the other commands for this plugin at the end of this page.
Installing with apt-get
On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant package (mariadb-plugin-cracklib-password-check) from MariaDB's repository using apt-get; the command is listed at the end of this page.
Installing with zypper
On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant package (MariaDB-cracklib-password-check) from MariaDB's repository using zypper; the command is listed at the end of this page.
Once the shared library is in place, the plugin is still not installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.
The first method installs the plugin without restarting the server: execute INSTALL SONAME or INSTALL PLUGIN. The statement is listed with the other commands for this plugin at the end of this page.
The second method tells the server to load the plugin when it starts up, by providing the --plugin-load-add or --plugin-load option. This can be specified as a command-line argument to mariadbd, or in a relevant server option group in an option file; the option-file form is listed at the end of this page.
You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN.
If you installed the plugin by providing the --plugin-load-add or --plugin-load option in a relevant server option group in an option file, remove those options to prevent the plugin from being loaded the next time the server is restarted.
If password validation fails, the original CrackLib error message can be viewed by executing SHOW WARNINGS.
When a new password does not meet the criteria, the server returns ERROR 1819 (HY000): Your password does not satisfy the current policy requirements. An example SET PASSWORD statement with this error is listed at the end of this page.
When using the standard policy with SELinux set to enforcing, mariadbd does not have access to /usr/share/cracklib, and attempts to use the cracklib_password_check plugin fail with error 1819 while SHOW WARNINGS reports "cracklib: error loading dictionary"; the full CREATE USER example is listed at the end of this page.
The SELinux audit.log then contains AVC denials for mysqld reading the dictionary file (pw_dict.pwd); these are also listed at the end of this page.
This can be fixed by creating an SELinux policy module that allows mysqld to read the CrackLib dictionary; the module source and the commands to build and load it are listed at the end of this page.
cracklib_password_check_dictionary
Description: Sets the path to the CrackLib dictionary. If not set, the default CrackLib dictionary path is used. The parameter expects the base name of a CrackLib dictionary (a set of three files with the endings .hwm, .pwd and .pwi), not a directory path.
Command line: --cracklib-password-check-dictionary=value
Scope: Global

cracklib_password_check
Description: Controls how the server should treat the plugin when the server starts up.
Valid values are:
OFF - Disables the plugin without removing it from the mysql.plugins table.
Data type, default value and range of the four simple_password_check rule variables above, in the order they are listed:

simple_password_check_digits
Data Type: numeric
Default Value: 1
Range: 0 to 1000

simple_password_check_letters_same_case
Data Type: numeric
Default Value: 1
Range: 0 to 1000

simple_password_check_minimal_length
Data Type: numeric
Default Value: 8
Range: 0 to 1000

simple_password_check_other_characters
Data Type: numeric
Default Value: 1
Range: 0 to 1000

simple_password_check (remaining valid values and fields of the entry above)
ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
Command line: --simple-password-check=value
Data Type: enumerated
Default Value: ON
Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT
Dynamic: No

cracklib_password_check_dictionary (remaining fields of the entry above)
Data Type: string
Default Value: Depends on the system. Often /usr/share/cracklib/pw_dict

cracklib_password_check (remaining valid values and fields of the entry above)
ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
Command line: --cracklib-password-check=value
Data Type: enumerated
Default Value: ON
Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT
Commands and output for the Simple Password Check Plugin section above

Installing the plugin dynamically:
INSTALL SONAME 'simple_password_check';

Loading the plugin at server startup from an option file:
[mariadb]
...
plugin_load_add = simple_password_check

Uninstalling the plugin dynamically:
UNINSTALL SONAME 'simple_password_check';

Error returned for a password that does not meet the criteria:
SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Commands and output for the Cracklib Password Check Plugin section above

Installing the package with yum/dnf:
sudo yum install MariaDB-cracklib-password-check

Installing the package with apt-get:
sudo apt-get install mariadb-plugin-cracklib-password-check

Installing the package with zypper:
sudo zypper install MariaDB-cracklib-password-check

Installing the plugin dynamically:
INSTALL SONAME 'cracklib_password_check';

Loading the plugin at server startup from an option file:
[mariadb]
...
plugin_load_add = cracklib_password_check

Uninstalling the plugin dynamically:
UNINSTALL SONAME 'cracklib_password_check';

Error returned for a password that does not meet the criteria:
SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Error seen when SELinux prevents mariadbd from reading the CrackLib dictionary:
CREATE USER `user`@`hostname` IDENTIFIED BY 's0mePwd123.';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
SHOW WARNINGS;
+---------+------+----------------------------------------------------------------+
| Level   | Code | Message                                                        |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: error loading dictionary                             |
| Error   | 1819 | Your password does not satisfy the current policy requirements |
| Error   | 1396 | Operation CREATE USER failed for 'user'@'hostname'             |
+---------+------+----------------------------------------------------------------+

Corresponding SELinux audit.log entries:
type=AVC msg=audit(1548371977.821:66): avc: denied { read } for pid=3537 comm="mysqld" name="pw_dict.pwd" dev="xvda2" ino=564747 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=SYSCALL msg=audit(1548371977.821:66): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd2a674580 a1=0 a2=1b6 a3=1b items=0 ppid=1 pid=3537 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/sbin/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)

SELinux policy module that allows mysqld to read the CrackLib dictionary (the allow rules grant only search/read/open on the dictionary directory and getattr/read/open on its files):
cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF
module mariadb-plugin-cracklib-password-check 1.0;
require {
type mysqld_t;
type crack_db_t;
class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
class dir { write search getattr add_name read remove_name open };
}
allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp

The Password Reuse Check Plugin prevents users from reusing previous passwords, with a retention policy controlled by the password_reuse_check_interval variable.
The plugin is used to prevent a user from reusing a password, which can be a requirement in some security policies. The password_reuse_check_interval system variable determines the retention period, in days, for a password. By default, this is zero, meaning unlimited retention. Old passwords are kept so that new ones can be compared against them.
Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).
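To make the retention rule concrete, here is an added Python model (not the plugin's own code; the in-memory storage, the keyed-hash scheme and all names are assumptions of this example) that keeps a history of previous passwords per account, discards entries older than password_reuse_check_interval days, and treats 0 as "never discard". The demo replays the session shown at the end of this page, where user1@localhost cannot go back to 'pwd1' after switching to 'pwd2'.

```python
"""Added example, not the MariaDB password_reuse_check plugin's own code.
Models the retention rule documented above: previously used passwords are
remembered per account, entries older than interval_days are discarded, and
interval_days == 0 means the history is never pruned. The storage format, the
keyed-hash scheme and every name here are assumptions of this example."""

import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed reference time for the demo and tests (constructed, not from the page).
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at_day(n: int) -> datetime:
    """Helper: the timestamp n days after EPOCH."""
    return EPOCH + timedelta(days=n)


class PasswordHistory:
    """In-memory stand-in for the plugin's history table (assumption)."""

    def __init__(self, interval_days: int = 0, pepper: Optional[bytes] = None):
        # Same bounds as password_reuse_check_interval (0 to 36500 days).
        if not 0 <= interval_days <= 36500:
            raise ValueError("interval_days must be between 0 and 36500")
        self.interval_days = interval_days
        # Keyed hash: whoever can read the history cannot crack it offline
        # without the key, which must live elsewhere (example design choice).
        self._pepper = pepper if pepper is not None else os.urandom(32)
        # account -> list of (digest, time the password was set)
        self._entries: Dict[str, List[Tuple[bytes, datetime]]] = {}

    def _digest(self, account: str, password: str) -> bytes:
        data = f"{account}\0{password}".encode("utf-8")
        return hmac.new(self._pepper, data, hashlib.sha256).digest()

    def _prune(self, account: str, now: datetime) -> None:
        """Drop entries outside the retention window; 0 keeps everything."""
        if self.interval_days == 0:
            return
        cutoff = now - timedelta(days=self.interval_days)
        self._entries[account] = [(d, t) for d, t in self._entries.get(account, [])
                                  if t >= cutoff]

    def was_used(self, account: str, password: str, now: datetime) -> bool:
        """True if the password is still within the account's retained history."""
        self._prune(account, now)
        digest = self._digest(account, password)
        return any(hmac.compare_digest(digest, old)
                   for old, _ in self._entries.get(account, []))

    def set_password(self, account: str, password: str, now: datetime) -> bool:
        """Record the password and return True, or return False for a reuse
        (where the server would answer ERROR 1819)."""
        if self.was_used(account, password, now):
            return False
        self._entries.setdefault(account, []).append(
            (self._digest(account, password), now))
        return True


def run_demo() -> List[bool]:
    """Replay the page's session (pwd1, pwd1, pwd2, pwd1) with a 30-day window."""
    history = PasswordHistory(interval_days=30)
    results = []
    for pwd in ["pwd1", "pwd1", "pwd2", "pwd1"]:
        ok = history.set_password("user1@localhost", pwd, at_day(0))
        results.append(ok)
        print(f"{pwd}: {'Query OK' if ok else 'ERROR 1819'}")
    return results


if __name__ == "__main__":
    run_demo()
```

The interval is applied at check time, so a password whose history entry has aged out becomes acceptable again; with interval 0 nothing ever ages out, which is why the variable's default gives the strictest policy.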
Although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install it.
The first method installs the plugin without restarting the server: execute INSTALL SONAME or INSTALL PLUGIN. The statement is listed with the other commands for this plugin at the end of this page.
The second method tells the server to load the plugin when it starts up, by providing the --plugin-load-add or --plugin-load option. This can be specified as a command-line argument to mariadbd, or in a relevant server option group in an option file; the option-file form is listed at the end of this page.
You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN.
If you installed the plugin by providing the --plugin-load-add or --plugin-load option in a relevant server option group in an option file, remove those options to prevent the plugin from being loaded the next time the server is restarted.
The bump to plugin version 2.0 required a change of the stored format to mitigate an implementation weakness (described in a MariaDB Foundation blog post); as a result, the bump from 1.0 to 2.0 invalidates previously saved password reuse protections.
Plugin version and maturity history:
1.0 - Alpha
1.0 - Beta
1.0 - Gamma
2.0 - Stable
Commands and output for the Password Reuse Check Plugin section above

Installing the plugin dynamically:
INSTALL SONAME 'password_reuse_check';

Loading the plugin at server startup from an option file:
[mariadb]
...
plugin_load_add = password_reuse_check

Uninstalling the plugin dynamically:
UNINSTALL SONAME 'password_reuse_check';

Example session: the second and fourth statements reuse 'pwd1' and are rejected:
INSTALL SONAME 'password_reuse_check';
GRANT SELECT ON *.* TO user1@localhost identified by 'pwd1';
Query OK, 0 rows affected (0.038 sec)
GRANT SELECT ON *.* TO user1@localhost identified by 'pwd1';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
GRANT SELECT ON *.* TO user1@localhost identified by 'pwd2';
Query OK, 0 rows affected (0.003 sec)
GRANT SELECT ON *.* TO user1@localhost identified by 'pwd1';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements