MySQL Password Management: Password Expiration and Account Locking

Environment: CentOS 7.4 + MySQL 5.7.15
Payment Card Industry (PCI) refers to the payment card industry: debit cards, credit cards, prepaid cards, e-wallets, ATM and POS cards, and the related businesses.
PCI DSS, the Payment Card Industry Data Security Standard, is developed by the PCI Security Standards Council with the aim of establishing consistent data security measures internationally.
The PCI DSS standard requires users to change their passwords every 90 days.
Starting with MySQL 5.6.6, the password_expired feature was added, which allows a user's password expiration to be set.
Starting with MySQL 5.7.4, the password expiration feature was improved: the global variable default_password_lifetime sets the password expiration policy, i.e. a global automatic password expiration policy.
Starting with MySQL 5.7.6, the ALTER USER statement can also be used to change a user's password.
Starting with MySQL 5.7.8, user management gained a new feature for locking/unlocking user accounts.
MySQL 8.0 adds password reuse management.
Password management features include:
Password expiration: passwords must be changed periodically.
Password reuse restriction: prevents old passwords from being used again.
Password strength: strong passwords are required.

Since MySQL 5.7.10 (GA), passwords never expire by default (default_password_lifetime=0).
mysql> select version();
+------------+
| version()  |
+------------+
| 5.7.15-log |
+------------+
1 row in set (0.00 sec)

mysql> show variables like 'default_password_lifetime';
+---------------------------+-------+
| Variable_name             | Value |
+---------------------------+-------+
| default_password_lifetime | 0     |
+---------------------------+-------+
1 row in set (0.00 sec)

mysql> select version();
+-----------+
| version() |
+-----------+
| 8.0.11    |
+-----------+
1 row in set (0.04 sec)

mysql> show variables like 'default_password_lifetime';
+---------------------------+-------+
| Variable_name             | Value |
+---------------------------+-------+
| default_password_lifetime | 0     |
+---------------------------+-------+
1 row in set (0.01 sec)
-- To demonstrate, create two accounts, temp and backup:
mysql> create user temp@'%' identified by 'temp';
mysql> create user backup@'%' identified by 'backup' PASSWORD EXPIRE INTERVAL 30 DAY;

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp','backup');
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user   | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp   | *92D3FC821547543FCC854DE4426B7BFD3A0EE2ED | N                | 2018-07-12 10:40:51   |              NULL | N              |
| %    | backup | *1827DC630AAEB1E997DB2B212CC94EFD9C431555 | N                | 2018-07-12 10:40:52   |                30 | N              |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
2 rows in set (0.00 sec)
For the newly created users, password_expired is N, meaning the password has not expired; password_lifetime is the password lifetime in days, where NULL means the default password policy applies; account_locked shows whether the account is locked.
mysql> alter user backup@'%' PASSWORD EXPIRE NEVER;
Query OK, 0 rows affected (0.01 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp','backup');
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user   | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp   | *92D3FC821547543FCC854DE4426B7BFD3A0EE2ED | N                | 2018-07-12 10:40:51   |              NULL | N              |
| %    | backup | *1827DC630AAEB1E997DB2B212CC94EFD9C431555 | N                | 2018-07-12 10:40:52   |                 0 | N              |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
2 rows in set (0.00 sec)
After PASSWORD EXPIRE NEVER the password never expires, and password_lifetime=0.
mysql> SET GLOBAL default_password_lifetime = 9;
Query OK, 0 rows affected (0.00 sec)
mysql>  SET GLOBAL default_password_lifetime = 0;
Query OK, 0 rows affected (0.00 sec)
The default password expiration can also be set in my.cnf, but MySQL must be restarted for it to take effect.
[mysqld]
default_password_lifetime=90
To set a global policy under which passwords never expire, use the following (note that this is the default value, so it need not be written in the configuration file):
[mysqld]
default_password_lifetime=0


mysql> alter user backup@'%' PASSWORD EXPIRE default;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp','backup');
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user   | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp   | *92D3FC821547543FCC854DE4426B7BFD3A0EE2ED | N                | 2018-07-12 10:40:51   |              NULL | N              |
| %    | backup | *1827DC630AAEB1E997DB2B212CC94EFD9C431555 | N                | 2018-07-12 10:40:52   |              NULL | N              |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
2 rows in set (0.00 sec)
With PASSWORD EXPIRE DEFAULT the account follows the default password policy, which can be changed dynamically (set to 9 days above); password_lifetime is NULL.
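As an added example (not code from the original post), the following Python script resolves the mysql.user policy columns shown above the way the server does (a NULL password_lifetime falls back to default_password_lifetime, and 0 means never), predicts the login outcome for each account, including the explicit PASSWORD EXPIRE flag and the account_locked flag covered later in the post, and checks each account's effective lifetime against the 90-day rotation requirement cited at the top. The rows and the "current" time are constructed to mirror this page's output, not read from a live server.

```python
from datetime import datetime, timedelta

# Global default_password_lifetime as on this page (0 = passwords never expire).
DEFAULT_PASSWORD_LIFETIME = 0
# Rotation interval the page cites from PCI DSS.
PCI_MAX_LIFETIME_DAYS = 90

# Constructed rows modelled on the page's mysql.user output:
# (host, user, password_expired, password_last_changed, password_lifetime, account_locked)
USER_ROWS = [
    ("%", "temp",   "Y", datetime(2018, 7, 12, 10, 40, 51), None, "N"),
    ("%", "backup", "N", datetime(2018, 7, 12, 10, 40, 52), 30,   "N"),
    ("%", "test",   "N", datetime(2018, 7, 12, 11, 7, 50),  None, "Y"),
]
NOW = datetime(2018, 8, 12, 12)  # constructed "current" time for the demo

def effective_lifetime(password_lifetime, default_lifetime=DEFAULT_PASSWORD_LIFETIME):
    """Resolve an account's lifetime in days the way the server does:
    NULL (None) falls back to default_password_lifetime; 0 means never expires."""
    days = default_lifetime if password_lifetime is None else password_lifetime
    return None if days == 0 else days

def evaluate_account(row, now, default_lifetime=DEFAULT_PASSWORD_LIFETIME):
    """Predict the login outcome for one mysql.user row at time `now`:
    'locked' (ERROR 3118), 'expired' (ERROR 1820 sandbox mode) or 'ok'."""
    _host, _user, expired_flag, last_changed, lifetime, locked = row
    if locked == "Y":
        return "locked"
    if expired_flag == "Y":          # explicitly expired via ALTER USER ... PASSWORD EXPIRE
        return "expired"
    days = effective_lifetime(lifetime, default_lifetime)
    if days is not None and now - last_changed > timedelta(days=days):
        return "expired"             # automatic expiry: password older than its lifetime
    return "ok"

def pci_violations(rows, default_lifetime=DEFAULT_PASSWORD_LIFETIME,
                   max_days=PCI_MAX_LIFETIME_DAYS):
    """Accounts whose effective policy lets a password live longer than max_days
    (including 'never expires'), listed as user@host."""
    violations = []
    for host, user, _flag, _changed, lifetime, _locked in rows:
        days = effective_lifetime(lifetime, default_lifetime)
        if days is None or days > max_days:
            violations.append(f"{user}@{host}")
    return violations

if __name__ == "__main__":
    print({f"{r[1]}@{r[0]}": evaluate_account(r, NOW) for r in USER_ROWS})
    print("PCI 90-day violations:", pci_violations(USER_ROWS))
```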
mysql> alter user temp@'%' PASSWORD EXPIRE;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp','backup');
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user   | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp   | *92D3FC821547543FCC854DE4426B7BFD3A0EE2ED | Y                | 2018-07-12 10:40:51   |              NULL | N              |
| %    | backup | *1827DC630AAEB1E997DB2B212CC94EFD9C431555 | N                | 2018-07-12 10:40:52   |              NULL | N              |
+------+--------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
2 rows in set (0.00 sec)

password_expired = Y means the password has expired; below, we log in to verify this.
# mysql -ptemp -utemp -P3312 -S /tmp/mysql.sock 
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 534343
Server version: 5.7.15-log

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
mysql> select user();
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
mysql> alter user temp@'%' identified by 'xxx';
Query OK, 0 rows affected (0.00 sec)
Note: the temp user needs the ALTER privilege, otherwise it cannot change its own password.
mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp');
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp | *3D56A309CD04FA2EEF181462E59011F075C89548 | N                | 2018-07-12 10:56:39   |              NULL | N              |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
1 row in set (0.00 sec)
mysql> ALTER USER USER() IDENTIFIED BY 'YYY';
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp');
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp | *6A1F4E06FBADDD79831769EF2B9D785D5A5F6113 | N                | 2018-07-12 10:59:13   |              NULL | N              |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
1 row in set (0.00 sec)

mysql> alter user temp@'%' account lock;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp');
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp | *6A1F4E06FBADDD79831769EF2B9D785D5A5F6113 | N                | 2018-07-12 10:59:13   |              NULL | Y              |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
1 row in set (0.01 sec)
Logging in again now fails with: ERROR 3118 (HY000) Account is locked.
# mysql -utemp -pYYY -P3312 -h 172.16.1.86           
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3118 (HY000): Access denied for user 'temp'@'172.16.1.86'. Account is locked.

An account can be locked, and it can also be unlocked:
mysql> alter user temp@'%' account unlock;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp');
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp | *6A1F4E06FBADDD79831769EF2B9D785D5A5F6113 | N                | 2018-07-12 10:59:13   |              NULL | N              |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
1 row in set (0.00 sec)

An account can also be locked at creation time:
mysql> create user 'test'@'%' identified by 'test' account lock;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked from mysql.user where user in ('temp','test');
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| host | user | authentication_string                     | password_expired | password_last_changed | password_lifetime | account_locked |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| %    | temp | *6A1F4E06FBADDD79831769EF2B9D785D5A5F6113 | N                | 2018-07-12 10:59:13   |              NULL | N              |
| %    | test | *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 | N                | 2018-07-12 11:07:50   |              NULL | Y              |
+------+------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
2 rows in set (0.00 sec)
The queried account_locked value is now Y.
