MySQL validate_password plugin/component summary

Password Validation plugin and component

Before MySQL 8.0, MySQL used the validate_password plugin to check and enforce the strength of account passwords. MySQL 8.0 introduced server components, and the validate_password plugin has been reimplemented as a server component. The official documentation describes it as follows:

 

Note

In MySQL 8.0, the validate_password plugin was reimplemented as the validate_password component. (For general information about server components, see Section 5.5, “MySQL Server Components”.) The following instructions describe how to use the component, not the plugin. For instructions on using the plugin form of validate_password, see The Password Validation Plugin in MySQL 5.7 Reference Manual.

The plugin form of validate_password is still available but is deprecated and will be removed in a future version of MySQL. MySQL installations that use the plugin should make the transition to using the component instead. See Section 6.4.3.3, “Transitioning to the Password Validation Component”.

 

 

This article covers both the validate_password plugin and the validate_password component. The test environment is MySQL 8.0.18; where other versions were tested, this is noted in the text.

 

 

Installing the Password Validation plugin

Checking whether the plugin/component is installed

Plugin:

 

mysql> SELECT PLUGIN_NAME, PLUGIN_LIBRARY, PLUGIN_STATUS, LOAD_OPTION 
    -> FROM INFORMATION_SCHEMA.PLUGINS 
    -> WHERE PLUGIN_NAME = 'validate_password';
Empty set (0.01 sec)

 

If the MySQL password strength plugin validate_password is already installed, the installation steps below can be skipped.

 

Component:

 

mysql> SELECT * FROM mysql.component;

 

 

Installing/enabling the plugin

Method 1: add the parameters to the my.cnf option file

[mysqld]
plugin-load-add=validate_password.so
# ON/OFF/FORCE/FORCE_PLUS_PERMANENT: whether the plugin is used (and whether its use is forced / permanently forced)
validate-password=FORCE_PLUS_PERMANENT

 

Note: the file-name suffix of the validate_password file in the plugin library depends on the platform. On Unix and Unix-like systems the suffix is .so; on Windows it is .dll.

 

Note: the FORCE_PLUS_PERMANENT setting prevents the plugin from being unloaded while MySQL is running. As shown below, trying to uninstall the plugin then returns an error:

 

mysql> SELECT PLUGIN_NAME, PLUGIN_LIBRARY, PLUGIN_STATUS, LOAD_OPTION 
    -> FROM INFORMATION_SCHEMA.PLUGINS 
    -> WHERE PLUGIN_NAME = 'validate_password';
+-------------------+----------------------+---------------+----------------------+
| PLUGIN_NAME       | PLUGIN_LIBRARY       | PLUGIN_STATUS | LOAD_OPTION          |
+-------------------+----------------------+---------------+----------------------+
| validate_password | validate_password.so | ACTIVE        | FORCE_PLUS_PERMANENT |
+-------------------+----------------------+---------------+----------------------+
1 row in set (0.00 sec)
 
mysql>  UNINSTALL PLUGIN  validate_password;
ERROR 1702 (HY000): Plugin 'validate_password' is force_plus_permanent and can not be unloaded
mysql> 

 

Also, after changing these parameters the MySQL service must be restarted for them to take effect.

 

 

Method 2: install with a statement at runtime

 

mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected, 1 warning (0.11 sec)

 

Note: this method also registers the plugin in the metadata, i.e. the mysql.plugin table, so there is no need to worry about the plugin being lost after a MySQL restart.

 

 

Note: MySQL supports loading plugins both at server startup and at runtime. You can also control the activation state of plugins loaded at startup, and unload them at runtime. While a plugin is loaded, information about it is available from INFORMATION_SCHEMA.

 

 

Method 3: pass the option on the command line when starting the server. In effect this is no different from the option-file method.

 

# /usr/sbin/mysqld start --plugin-load='validate_password.so'

 

 

Installing the component

 

 

INSTALL COMPONENT 'file://component_validate_password';

 

 

Verification

Plugin:

mysql> SELECT PLUGIN_NAME, PLUGIN_LIBRARY, PLUGIN_STATUS, LOAD_OPTION 
    -> FROM INFORMATION_SCHEMA.PLUGINS 
    -> WHERE PLUGIN_NAME = 'validate_password';
+-------------------+----------------------+---------------+-------------+
| PLUGIN_NAME       | PLUGIN_LIBRARY       | PLUGIN_STATUS | LOAD_OPTION |
+-------------------+----------------------+---------------+-------------+
| validate_password | validate_password.so | ACTIVE        | ON          |
+-------------------+----------------------+---------------+-------------+
1 row in set (0.00 sec)
 
mysql> 
 
mysql> select * from mysql.plugin;
+-------------------+----------------------+
| name              | dl                   |
+-------------------+----------------------+
| CLONE             | mysql_clone.so       |
| validate_password | validate_password.so |
+-------------------+----------------------+

 

 

Component:

 

 

mysql> SELECT * FROM mysql.component;
+--------------+--------------------+------------------------------------+
| component_id | component_group_id | component_urn                      |
+--------------+--------------------+------------------------------------+
|            1 |                  1 | file://component_validate_password |
+--------------+--------------------+------------------------------------+
1 row in set (0.00 sec)

 

 

If only the plugin is installed, the plugin's system variables look like this:

 

mysql> show variables like 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_check_user_name    | ON     |
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)
 
mysql>

 

On MySQL 8.0.18 the validate_password plugin and the validate_password component can be installed at the same time. SHOW VARIABLES then lists both sets of variables, the underscore-style plugin variables and the dot-style component variables, which is confusing if you don't know why. On MySQL 8 you only need to install the validate_password component.

System variables of the plugin and the component:

 

| Option | Default | Description |
|---|---|---|
| validate_password_check_user_name | ON | When ON, the password may not be set to the current user name (the password is checked against the user name). |
| validate_password_dictionary_file | (empty) | Path name of the dictionary file used to check passwords; empty by default. |
| validate_password_length | 8 | Minimum password length, i.e. the password must be at least 8 characters long. |
| validate_password_mixed_case_count | 1 | For MEDIUM or stronger policies, the minimum number of lowercase and uppercase characters validate_password requires. For a given value, the password must contain at least that many lowercase characters and at least that many uppercase characters. |
| validate_password_number_count | 1 | Number of digits the password must contain. |
| validate_password_policy | MEDIUM | Password strength check level, given as the numeric value 0, 1 or 2 or the corresponding symbolic value LOW, MEDIUM or STRONG. 0/LOW: checks length only. 1/MEDIUM: checks length, digits, upper/lower case and special characters. 2/STRONG: checks length, digits, upper/lower case, special characters and the dictionary file. |
| validate_password_special_char_count | 1 | Number of special characters the password must contain. |

Note: the component and plugin defaults may differ. For example, in MySQL 5.7 the default of validate_password_check_user_name is OFF. For details, refer to the official documentation.

 

Now let's look at how the validate_password plugin and component affect account creation, password changes and so on:

The validate_password component implements these capabilities:

· For SQL statements that assign a password supplied as a cleartext value, validate_password checks the password against the current password policy and rejects the password if it is weak (the statement returns an ER_NOT_VALID_PASSWORD error). This applies to the ALTER USER, CREATE USER, and SET PASSWORD statements.

· For CREATE USER statements, validate_password requires that a password be given, and that it satisfies the password policy. This is true even if an account is locked initially because otherwise unlocking the account later would cause it to become accessible without a password that satisfies the policy.

· validate_password implements a VALIDATE_PASSWORD_STRENGTH() SQL function that assesses the strength of potential passwords. This function takes a password argument and returns an integer from 0 (weak) to 100 (strong).

 

 

Verification test:

 

mysql> create user test@'192.168.%' identified by '12345678';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> show variables like 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password.check_user_name    | ON     |
| validate_password.dictionary_file    |        |
| validate_password.length             | 8      |
| validate_password.mixed_case_count   | 1      |
| validate_password.number_count       | 1      |
| validate_password.policy             | MEDIUM |
| validate_password.special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)
 
mysql>  set global validate_password.policy=LOW;  # note: for the plugin, the statement is set global validate_password_policy=LOW
Query OK, 0 rows affected (0.00 sec)
mysql> create user test@'192.168.%' identified by '12345678';
Query OK, 0 rows affected (0.01 sec)

 

 

 

Changing the password validation strength (plugin)

SET GLOBAL validate_password_policy=LOW;
SET GLOBAL validate_password_policy=MEDIUM;
SET GLOBAL validate_password_policy=STRONG;

SET GLOBAL validate_password_policy=0;    // For LOW
SET GLOBAL validate_password_policy=1;    // For MEDIUM
SET GLOBAL validate_password_policy=2;    // For STRONG

 

 

Changing the password validation strength (component)

SET GLOBAL validate_password.policy=LOW;
SET GLOBAL validate_password.policy=MEDIUM;
SET GLOBAL validate_password.policy=STRONG;

SET GLOBAL validate_password.policy = 0;   // For LOW
SET GLOBAL validate_password.policy = 1;   // For MEDIUM
SET GLOBAL validate_password.policy = 2;   // For STRONG

 

 

Also, if you get "Your password does not satisfy the current policy requirements" when setting a password, you can use the VALIDATE_PASSWORD_STRENGTH() function to test whether a candidate password meets the policy. It returns a score from 0 to 100; a score of 100 means the password satisfies the full set of basic rules: at least 8 characters, made up of uppercase letters, lowercase letters, special characters and digits.

 

mysql>  SELECT VALIDATE_PASSWORD_STRENGTH('medium');
+--------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('medium') |
+--------------------------------------+
|                                   25 |
+--------------------------------------+
1 row in set (0.00 sec)
 
mysql> SELECT VALIDATE_PASSWORD_STRENGTH('K354*45jKd5');
+-------------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('K354*45jKd5') |
+-------------------------------------------+
|                                       100 |
+-------------------------------------------+
1 row in set (0.00 sec)

 

Note: if neither the validate_password component nor the plugin is installed, this function always returns 0. The score corresponding to each password policy level is shown in the following table:

 

 

| Password Test | Return Value |
|---|---|
| Length < 4 | 0 |
| Length ≥ 4 and < validate_password.length | 25 |
| Satisfies policy 1 (LOW) | 50 |
| Satisfies policy 2 (MEDIUM) | 75 |
| Satisfies policy 3 (STRONG) | 100 |

 

 

Note: to use a dictionary to filter out weak passwords, the system variable validate_password.policy must be STRONG. The official documentation is quoted below. In practice the policy strength is set to STRONG at most, and dictionary filtering is rarely enabled.

 

 

The path name of the dictionary file that validate_password uses for checking passwords. This variable is unavailable unless validate_password is installed.

By default, this variable has an empty value and dictionary checks are not performed. For dictionary checks to occur, the variable value must be nonempty. If the file is named as a relative path, it is interpreted relative to the server data directory. File contents should be lowercase, one word per line. Contents are treated as having a character set of utf8. The maximum permitted file size is 1MB.

For the dictionary file to be used during password checking, the password policy must be set to 2 (STRONG); see the description of the validate_password.policy system variable. Assuming that is true, each substring of the password of length 4 up to 100 is compared to the words in the dictionary file. Any match causes the password to be rejected. Comparisons are not case sensitive.
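The following is an added example, not MySQL's code and not from the original article: an offline Python model of the rules described above, covering the system-variable table (length, mixed_case_count, number_count, special_char_count, check_user_name, policy), the VALIDATE_PASSWORD_STRENGTH() score table, and the dictionary check just quoted (every substring of length 4 up to 100, compared case-insensitively). All names (PasswordPolicy, password_strength, is_acceptable, matches_dictionary, load_dictionary) are assumptions of this example; counting a "special" character as anything that is neither a letter nor a digit is an approximation of the server's behaviour. It lets you pre-check candidate passwords against a given policy before running CREATE USER / ALTER USER / SET PASSWORD.

```python
# Added example: offline model of validate_password (not MySQL's own code).
from dataclasses import dataclass

LOW, MEDIUM, STRONG = 0, 1, 2  # numeric values of validate_password.policy


@dataclass(frozen=True)
class PasswordPolicy:
    # Field names mirror the validate_password.* system variables; the defaults
    # are the component defaults shown in the SHOW VARIABLES output above.
    length: int = 8
    mixed_case_count: int = 1
    number_count: int = 1
    special_char_count: int = 1
    policy: int = MEDIUM
    check_user_name: bool = True
    # Stand-in for validate_password.dictionary_file: lowercase words, one per line.
    dictionary_words: frozenset = frozenset()


def load_dictionary(text: str) -> frozenset:
    """Parse dictionary-file contents: one lowercase word per line."""
    return frozenset(w.strip().lower() for w in text.splitlines() if w.strip())


def matches_dictionary(password: str, words: frozenset) -> bool:
    """Every substring of length 4 up to 100 is compared, case-insensitively."""
    low = password.lower()
    for start in range(len(low)):
        for size in range(4, min(100, len(low) - start) + 1):
            if low[start:start + size] in words:
                return True
    return False


def satisfies_low(password: str, p: PasswordPolicy) -> bool:
    return len(password) >= p.length


def satisfies_medium(password: str, p: PasswordPolicy) -> bool:
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    # Assumption: a "special" character is anything that is neither a letter nor a digit.
    special = sum(not c.isalnum() for c in password)
    return (satisfies_low(password, p)
            and lower >= p.mixed_case_count and upper >= p.mixed_case_count
            and digits >= p.number_count
            and special >= p.special_char_count)


def satisfies_strong(password: str, p: PasswordPolicy) -> bool:
    return satisfies_medium(password, p) and not matches_dictionary(password, p.dictionary_words)


def password_strength(password: str, p: PasswordPolicy) -> int:
    """Model of VALIDATE_PASSWORD_STRENGTH(): 0, 25, 50, 75 or 100, per the score table."""
    if len(password) < 4:
        return 0
    if len(password) < p.length:
        return 25
    if not satisfies_medium(password, p):
        return 50   # satisfies LOW only
    if not satisfies_strong(password, p):
        return 75   # satisfies MEDIUM only (dictionary hit)
    return 100


def is_acceptable(password: str, p: PasswordPolicy, user_name: str = "") -> bool:
    """Would CREATE USER / ALTER USER / SET PASSWORD accept this password under policy p?
    Models the ER_NOT_VALID_PASSWORD decision: the configured level must be met, and with
    check_user_name=ON a password equal to the user name (forward or reversed) is rejected."""
    if p.check_user_name and user_name and password in (user_name, user_name[::-1]):
        return False
    checks = {LOW: satisfies_low, MEDIUM: satisfies_medium, STRONG: satisfies_strong}
    return checks[p.policy](password, p)


if __name__ == "__main__":
    default = PasswordPolicy()                         # MEDIUM, as on the page
    print(password_strength("medium", default))        # 25, as in the session above
    print(password_strength("K354*45jKd5", default))   # 100
    print(is_acceptable("12345678", default))          # False: the CREATE USER error above
    print(is_acceptable("12345678", PasswordPolicy(policy=LOW)))  # True after policy=LOW
    # Constructed dictionary: under STRONG a password containing "password" is rejected.
    words = load_dictionary("password\nqwerty\n")
    strong = PasswordPolicy(policy=STRONG, dictionary_words=words)
    print(password_strength("Password#123", strong))   # 75: MEDIUM met, dictionary hit
    print(is_acceptable("Password#123", strong))       # False
```

The `__main__` section reproduces the results shown in the sessions on this page ('medium' scores 25, 'K354*45jKd5' scores 100, '12345678' is rejected under MEDIUM and accepted under LOW) and then adds a constructed two-word dictionary to show why a password that passes MEDIUM still fails STRONG.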

 

 

Component Status Variables

The plugin has no corresponding status variables; only the component has them.

 

mysql> SHOW STATUS LIKE 'validate_password%';
 
 
mysql> show status like 'validate_pass%';
+-----------------------------------------------+---------------------+
| Variable_name                                 | Value               |
+-----------------------------------------------+---------------------+
| validate_password_dictionary_file_last_parsed | 2020-08-13 11:33:47 |
| validate_password_dictionary_file_words_count | 0                   |
+-----------------------------------------------+---------------------+
2 rows in set (0.00 sec)
 
mysql> 

 

 

Uninstalling the plugin

 

mysql> UNINSTALL PLUGIN  validate_password;
Query OK, 0 rows affected, 1 warning (0.01 sec)

 

Uninstalling the component

 

mysql> UNINSTALL COMPONENT 'file://component_validate_password';
Query OK, 0 rows affected (0.02 sec)

 

 

References:

 

https://dev.mysql.com/doc/refman/8.0/en/plugin-loading.html

https://dev.mysql.com/doc/refman/8.0/en/validate-password.html


https://dev.mysql.com/doc/refman/8.0/en/uninstall-plugin.html

https://dev.mysql.com/doc/refman/8.0/en/validate-password-options-variables.html

https://dev.mysql.com/doc/refman/8.0/en/encryption-functions.html#function_validate-password-strength

