Cracklib Password Check Plugin

MariaDB starting with 10.1.2

The cracklib_password_check plugin was first released in MariaDB 10.1.2.

The plugin is not available on Debian/Ubuntu builds before Debian 8 Jessie/Ubuntu 14.04 Trusty, as it requires cracklib 2.9.0 (see MDEV-7305).

cracklib_password_check is a password validation plugin. It uses the CrackLib library to check the strength of new passwords. CrackLib is installed by default in many Linux distributions, since the system's Pluggable Authentication Module (PAM) authentication framework is usually configured to check the strength of new passwords with the pam_cracklib PAM module.

Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).

Installing the Plugin's Package

The cracklib_password_check plugin's shared library is included in MariaDB packages as the cracklib_password_check.so or cracklib_password_check.dll shared library on systems where it can be built. The plugin was first included in MariaDB 10.1.2.

Installing on Linux

The cracklib_password_check plugin is included in binary tarballs on Linux.

Installing with a Package Manager

The cracklib_password_check plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.

You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository by using the MariaDB Package Repository setup script.

You can also configure your package manager to install it from MariaDB Foundation's MariaDB Repository by using the MariaDB Repository Configuration Tool.

Installing with yum/dnf

On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to install the relevant RPM package from MariaDB's repository using yum or dnf. Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf. For example:

sudo yum install MariaDB-cracklib-password-check
Installing with apt-get

On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant DEB package from MariaDB's repository using apt-get. For example:

sudo apt-get install mariadb-plugin-cracklib-password-check
Installing with zypper

On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant RPM package from MariaDB's repository using zypper. For example:

sudo zypper install MariaDB-cracklib-password-check

Installing the Plugin

Once the shared library is in place, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME or INSTALL PLUGIN. For example:

INSTALL SONAME 'cracklib_password_check';

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load or the --plugin-load-add options. This can be specified as a command-line argument to mysqld or it can be specified in a relevant server option group in an option file. For example:

[mariadb]
...
plugin_load_add = cracklib_password_check

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN. For example:

UNINSTALL SONAME 'cracklib_password_check';

If you installed the plugin by providing the --plugin-load or the --plugin-load-add options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Viewing CrackLib Errors

If password validation fails, then the original CrackLib error message can be viewed by executing SHOW WARNINGS.

Example

When creating a new password, if the criteria are not met, the following error is returned:

SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Known Issues

Issues with PAM Authentication Plugin

Prior to MariaDB 10.4.0, all password validation plugins are incompatible with the pam authentication plugin. See Authentication Plugin - PAM: Conflicts with Password Validation for more information.

SELinux

When using the standard SELinux policy with the mode set to enforcing, mysqld does not have access to /usr/share/cracklib, and you may see the following error when attempting to use the cracklib_password_check plugin:

CREATE USER `user`@`hostname` IDENTIFIED BY 's0mePwd123.';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

SHOW WARNINGS;
+---------+------+----------------------------------------------------------------+
| Level   | Code | Message                                                        |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: error loading dictionary                             |
| Error   | 1819 | Your password does not satisfy the current policy requirements |
| Error   | 1396 | Operation CREATE USER failed for 'user'@'hostname'             |
+---------+------+----------------------------------------------------------------+

And the SELinux audit.log will contain errors like the following:

type=AVC msg=audit(1548371977.821:66): avc:  denied  { read } for  pid=3537 comm="mysqld" name="pw_dict.pwd" dev="xvda2" ino=564747 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=SYSCALL msg=audit(1548371977.821:66): arch=c000003e syscall=2 success=no exit=-13 a0=7fdd2a674580 a1=0 a2=1b6 a3=1b items=0 ppid=1 pid=3537 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/sbin/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)

This can be fixed by creating an SELinux policy that allows mysqld to load the CrackLib dictionary. For example:

cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF

module mariadb-plugin-cracklib-password-check 1.0;

require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}

allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp

See MDEV-18374 for more information.

Versions

VersionStatusIntroduced
1.0StableMariaDB 10.1.18
1.0GammaMariaDB 10.1.13
1.0AlphaMariaDB 10.1.2

System Variables

cracklib_password_check_dictionary

  • Description: Sets the path to the CrackLib dictionary. If not set, the default CrackLib dictionary path is used. The parameter expects the base name of a cracklib dictionary (a set of three files with endings .hwm, .pwd, .pwi), not a directory path.
  • Commandline: --cracklib-password-check-dictionary=value
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: Depends on the system. Often /usr/share/cracklib/pw_dict
  • Introduced: MariaDB 10.1.2

Options

cracklib_password_check

  • Description: Controls how the server should treat the plugin when the server starts up.
    • Valid values are:
      • OFF - Disables the plugin without removing it from the mysql.plugins table.
      • ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
      • FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
      • FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
    • See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
  • Commandline: --cracklib-password-check=value
  • Data Type: enumerated
  • Default Value: ON
  • Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT
  • Introduced: MariaDB 10.1.2

See Also

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.