Password Strength Checking
MariaDB starting with 10.1.2
The cracklib_password_check plugin was introduced in MariaDB 10.1.2
Contents
The plugin is not available on Debian/Ubuntu builds before Jessie, as it requires cracklib 2.9.0 (see MDEV-7305).
CrackLib is a password strength checking library. It is installed by default in many Linux distributions and is invoked automatically (by pam_cracklib.so) whenever the user login password is modified. Now, with the cracklib_password_check password validation plugin, one can also use it to check MariaDB account passwords.
The plugin is not installed by default. To install it on CentOS / RedHat, run:
yum -y install MariaDB-cracklib-password-check
from the shell. In Debian / Ubuntu the command would be:
apt-get -y install mariadb-plugin-cracklib-password-check
Then to enable it run:
MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
Versions
| Version | Status | Introduced |
|---|---|---|
| 1.0 | Stable | MariaDB 10.1.18 |
| 1.0 | Gamma | MariaDB 10.1.13 |
| 1.0 | Alpha | MariaDB 10.1.2 |
Variables
There are two configuration options for this plugin:
cracklib_password_check_dictionary
- Description: Sets the path to the CrackLib dictionary. If not set, the default CrackLib dictionary path is used (often
/usr/lib/cracklib_dict). - Commandline:
--cracklib-password-check-dictionary=value - Scope: Global
- Dynamic: No
- Data Type:
string - Default Value: Depends on the system. Often
/usr/lib/cracklib_dict - Introduced: MariaDB 10.1.2
cracklib_password_check
- Description: Enables/disables cracklib functionality if the plugin is compiled into the server binary
- Commandline:
--cracklib-password-check=value - Scope: Global
- Dynamic: No
- Data Type:
int - Default Value: 1
- Introduced: MariaDB 10.1.2
If the password validation fails, the original CrackLib error message can be visible in a warning (use SHOW WARNINGS).
Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).
Example
When creating a new password, if the criteria are not met, the following error is returned:
SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
Known issues
The cracklib plugin is incompatible with the PAM authentication plugin. As PAM user passwords are not stored into the database, it will be impossible to create new users with PAM authentication.
SELinux
When using the standard SELinux profile (SELINUX=enforcing), mysqld does not have access to /usr/share/cracklib, and you may see the following error when attempting to use cracklib:
MariaDB [(none)]> CREATE USER `user`@`hostname` IDENTIFIED BY 's0mePwd123.'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements MariaDB [(none)]> show warnings; +---------+------+----------------------------------------------------------------+ | Level | Code | Message | +---------+------+----------------------------------------------------------------+ | Warning | 1819 | cracklib: error loading dictionary | | Error | 1819 | Your password does not satisfy the current policy requirements | | Error | 1396 | Operation CREATE USER failed for 'user'@'hostname' | +---------+------+----------------------------------------------------------------+
In this case you have to copy the CrackLib dictionary files into a path that mysqld is allowed to read from, e.g.
cd /usr/share/mysql cp -R /usr/share/cracklib .
and then set cracklib_password_check_dictionary accordingly:
[mysqld] ... cracklib_password_check_dictionary=/usr/share/mysql/cracklib/pw_dict ...
Note that the parameter expects the base name of a cracklib dictionary (a set of three files with endings .hwm, .pwd, .pwi), not a directory path.
See also
- Password Validation
- simple_password_check plugin - permits the setting of basic criteria for passwords
