MariaDB starting with 10.1.2: the cracklib_password_check plugin was introduced in MariaDB 10.1.2.

The plugin is not available on Debian/Ubuntu builds before Jessie, as it requires cracklib 2.9.0 (see MDEV-7305).

CrackLib is a password strength checking library. It is installed by default in many Linux distributions and is invoked automatically (by pam_cracklib.so) whenever a user's login password is changed. The cracklib_password_check password validation plugin applies the same checks to MariaDB account passwords.

The plugin is not enabled by default. To enable it, run:

INSTALL SONAME 'cracklib_password_check';

Versions

Version  Status  Introduced
1.0      Stable  MariaDB 10.1.18
1.0      Gamma   MariaDB 10.1.13
1.0      Alpha   MariaDB 10.1.2

Variables

There are two configuration options for this plugin:

cracklib_password_check_dictionary

  • Description: Sets the CrackLib dictionary to use, given as the base name shared by the dictionary files (.hwm, .pwd and .pwi), not a directory. If not set, the default CrackLib dictionary path is used (often /usr/lib/cracklib_dict).
  • Commandline: --cracklib-password-check-dictionary=value
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: Depends on the system. Often /usr/lib/cracklib_dict
  • Introduced: MariaDB 10.1.2

cracklib_password_check

  • Description: Enables/disables cracklib functionality if the plugin is compiled into the server binary
  • Commandline: --cracklib-password-check=value
  • Scope: Global
  • Dynamic: No
  • Data Type: int
  • Default Value: 1
  • Introduced: MariaDB 10.1.2

If password validation fails, the client only sees the generic ERROR 1819; the original CrackLib message explaining why the password was rejected is returned as a warning and can be read with SHOW WARNINGS.

Note that if strict_password_validation is OFF, a password can be set directly as a pre-computed hash rather than as plaintext, in which case no validation plugin is consulted and the check is bypassed entirely. The variable is ON by default and should be left ON wherever this plugin is relied upon.

Example

When a password that does not meet the criteria is set, the following error is returned:

SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
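The following walk-through is an added example and not part of the original page. It enables the plugin, confirms it is active, triggers a rejection to read CrackLib's reason from SHOW WARNINGS, checks that supplying a pre-computed hash is also refused while strict_password_validation is ON, and finally sets a password that passes. The account names and the accepted password are placeholders.

```sql
-- Added example (not from the original MariaDB KB page). The account
-- names 'bob'@'%.loc.gov' and 'carol'@'localhost' and the accepted
-- password are placeholders; run as a privileged account such as root.

-- 1. Load the plugin.
INSTALL SONAME 'cracklib_password_check';

-- 2. Confirm it is loaded and active, and see which dictionary it uses.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'cracklib_password_check';

SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check%';
-- Must be ON, otherwise a hash-only SET PASSWORD skips validation.
SHOW GLOBAL VARIABLES LIKE 'strict_password_validation';

-- 3. A short, dictionary-based password is refused with ERROR 1819.
SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
-- The reason CrackLib gave is kept as a warning prefixed with "cracklib: ".
SHOW WARNINGS;

-- 4. With strict_password_validation=ON (the default) a pre-computed hash
--    is rejected too, so the plugin cannot be sidestepped this way.
--    The hash below is the output of SELECT PASSWORD('abc').
SET PASSWORD FOR 'bob'@'%.loc.gov' = '*0D3CED9BEC10A777AEC23CCC353A8C08A633045E';

-- 5. A password CrackLib accepts (placeholder value, not dictionary-based)
--    is stored normally.
CREATE USER 'carol'@'localhost' IDENTIFIED BY 'wT7#pLq9!mZv2$Rk';
```

Step 2 is the check worth keeping in a hardening baseline: if PLUGIN_STATUS is not ACTIVE or strict_password_validation is OFF, the policy is not actually being enforced, whatever the configuration file says.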

Known issues

The cracklib plugin is incompatible with the PAM authentication plugin. Because the passwords of PAM-authenticated users are not stored in the database, there is nothing for the plugin to validate, and it will be impossible to create new users with PAM authentication while it is enabled.

SELinux

When using the standard SELinux profile (SELINUX=enforcing), mysqld does not have access to /usr/share/cracklib, and you may see the following error when attempting to use cracklib:

MariaDB [(none)]> CREATE USER `user`@`hostname` IDENTIFIED BY 's0mePwd123.';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

MariaDB [(none)]> show warnings;
+---------+------+----------------------------------------------------------------+
| Level   | Code | Message                                                        |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: error loading dictionary                             |
| Error   | 1819 | Your password does not satisfy the current policy requirements |
| Error   | 1396 | Operation CREATE USER failed for 'user'@'hostname'             |
+---------+------+----------------------------------------------------------------+

In this case you have to copy the CrackLib dictionary files into a path that mysqld is allowed to read from, e.g.

cd /usr/share/mysql
cp -R /usr/share/cracklib .

and then set cracklib_password_check_dictionary accordingly in the server configuration (the variable is not dynamic, so the server must be restarted for it to take effect):

[mysqld]
...
cracklib_password_check_dictionary=/usr/share/mysql/cracklib/pw_dict
...

Note that the parameter expects the base name of a cracklib dictionary (a set of three files with endings .hwm, .pwd, .pwi), not a directory path.
