1.密码策略
在mysql 5.6对密码的强度进行了加强,推出了validate_password 插件。支持密码的强度要求。
(1)安装插件
[root@localhost ~]# ll /usr/local/mysql/lib/plugin/validate_password.so
-rwxr-xr-x 1 mysql mysql 204359 Sep 14 01:27 /usr/local/mysql/lib/plugin/validate_password.so
mysql> install plugin validate_password soname \'validate_password.so\';
Query OK, 0 rows affected (0.11 sec)
mysql> show plugins;
+----------------------------+----------+--------------------+----------------------+---------+
| Name | Status | Type | Library | License |
+----------------------------+----------+--------------------+----------------------+---------+
| binlog | ACTIVE | STORAGE ENGINE | NULL | GPL |
| mysql_native_password | ACTIVE | AUTHENTICATION | NULL | GPL |
| sha256_password | ACTIVE | AUTHENTICATION | NULL | GPL |
.....................省略
| validate_password | ACTIVE | VALIDATE PASSWORD | validate_password.so | GPL |
+----------------------------+----------+--------------------+----------------------+---------+
45 rows in set (0.00 sec)
(2)添加配置
[root@localhost ~]# cat /etc/my.cnf
[mysqld]
datadir=/data1/mysql/data
plugin-load=validate_password.so
validate_password_policy=2
validate-password=FORCE_PLUS_PERMANENT
(3)检测配置
mysql> SHOW VARIABLES LIKE \'validate_password%\';
+--------------------------------------+--------+
| Variable_name | Value |
+--------------------------------------+--------+
| validate_password_check_user_name | OFF |
| validate_password_dictionary_file | |
| validate_password_length | 8 |
| validate_password_mixed_case_count | 1 |
| validate_password_number_count | 1 |
| validate_password_policy | STRONG |
| validate_password_special_char_count | 1 |
+--------------------------------------+--------+
7 rows in set (0.02 sec)
mysql> set password=password(\'abc\');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> set password=password(\'mysql2017\');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> set password=password(\'mysql@)!&\');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> set password=password(\'MY@)!&sql2017\');
Query OK, 0 rows affected, 1 warning (0.00 sec)
2.策略详解
mysql> SHOW VARIABLES LIKE \'validate_password%\';
+--------------------------------------+--------+
| Variable_name | Value |
+--------------------------------------+--------+
| validate_password_check_user_name | OFF |
| validate_password_dictionary_file | |
| validate_password_length | 8 |
| validate_password_mixed_case_count | 1 |
| validate_password_number_count | 1 |
| validate_password_policy | STRONG |
| validate_password_special_char_count | 1 |
+--------------------------------------+--------+
说明:
validate-password=ON/OFF/FORCE/FORCE_PLUS_PERMANENT: 决定是否使用该插件(及强制/永久强制使用)。
validate_password_dictionary_file:插件用于验证密码强度的字典文件路径。
validate_password_length:密码最小长度。
validate_password_mixed_case_count:密码至少要包含的小写字母个数和大写字母个数。
validate_password_number_count:密码至少要包含的数字个数。
validate_password_policy:密码强度检查等级,0/LOW、1/MEDIUM、2/STRONG。
validate_password_special_char_count:密码至少要包含的特殊字符数。
关于validate_password_policy-密码强度检查等级:
Policy Tests Performed
0 or LOW Length
1 or MEDIUM Length; numeric, lowercase/uppercase, and special characters
2 or STRONG Length; numeric, lowercase/uppercase, and special characters; dictionary file
3.用户资源限制
(1)max_user_connections
该参数作用是设置所有用户在同一时间连接MySQL实例的最大连接数限制。但这个参数无法对每个用户区别对待。
mysql> show global variables like \'%max_user_connect%\';
+----------------------+-------+
| Variable_name | Value |
+----------------------+-------+
| max_user_connections | 0 |
+----------------------+-------+
1 row in set (0.00 sec)
mysql> set global max_user_connections=2;
Query OK, 0 rows affected (0.00 sec)
mysql> show global variables like \'%max_user_connect%\';
+----------------------+-------+
| Variable_name | Value |
+----------------------+-------+
| max_user_connections | 2 |
+----------------------+-------+
1 row in set (0.00 sec)
(2)max_queries_per_hour
该参数设置一个用户在一小时内可以执行查询的次数(基本包含所有语句)。
(3)max_updates_per_hour
该参数设置一个用户在一小时内可以执行修改的次数(仅包含修改数据库或表的语句)。
(4)max_connections_per_hour
该参数设置一个用户在一小时内可以连接MySQL的时间。
从5.0.3版本开始,对用户‘test’@\'%.test.com\'的资源限制是指所有通过test.com域名主机连接test用户的连接,而不是分别指host1.test.com和host2.test.com主机过来的连接。
(5)设置用户资源限制
mysql> create user \'test1\'@\'localhost\' identified by \'MYsql20!&\'
-> with max_queries_per_hour 20
-> max_updates_per_hour 10
-> max_user_connections 2;
Query OK, 0 rows affected (0.00 sec)
mysql> alter user \'test1\'@\'localhost\' with max_queries_per_hour 100;
Query OK, 0 rows affected (0.00 sec)
取消某项资源限制既把原先的值改成0.
当某个用户的max_user_connections非0时,则忽略全局系统参数对应的配置,反之则使用全局参数。
4.密码过期策略
mysql> show global variables like \'%password%\';
+---------------------------------------+--------+
| Variable_name | Value |
+---------------------------------------+--------+
| default_password_lifetime | 0 |
| disconnect_on_expired_password | ON |
| log_builtin_as_identified_by_password | OFF |
| mysql_native_password_proxy_users | OFF |
| old_passwords | 0 |
| report_password | |
| sha256_password_proxy_users | OFF |
| validate_password_check_user_name | OFF |
| validate_password_dictionary_file | |
| validate_password_length | 8 |
| validate_password_mixed_case_count | 1 |
| validate_password_number_count | 1 |
| validate_password_policy | STRONG |
| validate_password_special_char_count | 1 |
+---------------------------------------+--------+
14 rows in set (0.01 sec)
说明:
1)default_password_lifetime
设置所有用户密码过期时间,0为永不过期;
若为单独用户设置了密码过期策略,则会覆盖该参数;
alter user \'test3\'@\'localhost\' password expire interval 90 day;
alter user \'test3\'@\'localhost\' password expire never; (永不过期)
alter user \'test3\'@\'localhost\' password expire default; (默认过期策略)
2)手动强制过期
alter user \'test3\'@\'localhost\' password expire;
5.用户lock机制
通过执行create user/alter user命令中带account lock/unlock子句设置用户的lock状态;
默认创建用户是unlock状态;
mysql> create user abc2@localhost identified by \'MY20sql!&\' account lock;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
[root@localhost ~]# mysql -uabc2 -p
Enter password:
ERROR 3118 (HY000): Access denied for user \'abc2\'@\'localhost\'. Account is locked.
mysql> alter user \'abc2\'@\'localhost\' account unlock;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
[root@localhost ~]# mysql -uabc2 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \\g.
Your MySQL connection id is 7