Locking USER Accounts in MySQL


Locking User Accounts in MySQL

For SOX Compliance when an employee, contractor, or vendor leaves your company their account needs to be locked, expired, or removed.  Some of these people may return, and their Account may have many complicated permissions.  In these cases, it would be better to “Lock” their Account while they are no longer doing business with your company. 
However, MySQL does not have the ability to “Lock” or “Expire” a User Account.   The following is a simple procedure to “Lock” and “Unlock” a MySQL Account.

Typically, the one-way encrypted hash value of a users password is stored in a password field  in an user account table.  MySQL supports three builtin one-way hashed functions, PASSWORD(), MD5() and SHA1().  It is recommended not to directly use the PASSWORD() function. Reason, is that prior to PHP 4.1 version, the password function produced a 16 byte value, and afterwards a 41 byte value consisting of a '*' followed by the SHA1 40 byte hashed value. Thus, the password function is not compatible between the two.

To avoid incompatibilities, it is recommended to directly use the SHA1() builtin hash function to produce the same 40 byte hashed value, and add a leading ‘*’ . Note, your password field must be at least 41 characters in length.

Alternatively, one can use the MD5() builtin hash function to produce a 32 byte hashed value. Additionally, both SHA1 and MD5 are builtin PHP functions, so the passwords can be hashed prior to submission to the database, which further reduces exposure to the plaintext value of the password.

When a user logs into an account, the password they enter is passed through the same one-way encrypted hash function, and the resulting hashed value is then compared for a match to the hashed value stored in the password field.

To lock a password in such a way that it is still recoverable, remove the leading ‘*’ in the stored hash value, which will cause subsequent attempts to match the hashed value of an entered password to fail. The password can be later unlocked by adding back the ‘*’.

To Lock the account

mysql>use mysql
mysql> select User,Password from user where User = 'username' and Host = 'localhost';
+---------+-----------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| username | *D1856C4478388E9C1D82C215C573310AD7BF5BEA |
+---------+-------------------------------------------+
mysql>update user set Password = ‘D1856C4478388E9C1D82C215C573310AD7BF5BEA’ where User = ‘username’ and Host = ‘localhost’;
mysql>flush privileges;

To restore the Account, do the following:

mysql>use mysql
mysql> select User,Password from user where User = 'username' and Host = 'localhost';
+---------+-----------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| username | D1856C4478388E9C1D82C215C573310AD7BF5BEA |
+---------+-------------------------------------------+
mysql>update user set Password = ‘*D1856C4478388E9C1D82C215C573310AD7BF5BEA’ where User = ‘username’ and Host = ‘localhost’;
mysql>flush privileges;

Locating Locked Accounts

Locked accounts can be located by searching the password field for values not starting with the asterisk character ‘*’ used to unlock the account.

mysql>use mysql
mysql> select User,Password from user where User NOT LIKE '*%' and Host = 'localhost';
---------+-----------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| username | D1856C4478388E9C1D82C215C573310AD7BF5BEA |
+---------+-------------------------------------------+

These procedures will save the DBA’s time and ensure the returning User to have the same privileges they had previously.


Comments

Post a Comment

Popular posts from this blog

PostgreSQL Database Version 13.4 To MySQL Database Version 8.0.20 Migration by using SQLines Tool

 PostgreSQL to MySQL  ------------------------ This Document will give details about PostgreSQL to MySQL Database . Environment Details :- --------------------------- Server 1 == Source Database == PostgreSQL Database Version == 13.4 Server 2 == Target Database == MySQL Database Version == 8.0.20 Server 3 == Jump host == Where you will install Sqline and connect to Source DB and Target DB. I have consider 3 EC2 Machines from AWS [ RHEL 8.x ]  postgres-source-server == 172.31.30.141 [ Private Ipaddress ] = EC2 Machine = RHEL 8.4 mysql-target-server    == 172.31.17.136 [ Private Ipaddress ] = EC2 Machine = RHEL 8.4 jump-host              == 172.31.27.241 [ Private Ipaddress ] = EC2 Machine = RHEL 8.4 Step - 1  Install PostgreSQL Database Version in Source Server  Step - 2  Install MySQL Database Verion in Target Server  Step - 3  Install / Setup sqline s/w in Jump host server  Step - 4  Loading sample data in Source Database i.e PostgreSQL Database  Step - 5  Create Super User / Remote u
Read more

RDS MySQL / MariaDB SSL Connection by using Workbench and command line

Image
In this blog , i am going to explain how to connect RDS MySQL With SSL Connections from MySQL Workbench and MySQL / MariaDB client utility by using command line  --> Make sure RDS MySQL / MariaDB instance is ready for usage. Connection Established from MySQL / MariaDB client by using cmd line C:\Program Files\MySQL\MySQL Server 8.0\bin>mysql -u admin -p -h ssl-test-server.cz8z9jo4bowe.us-east-1.rds.amazonaws.com Enter password: ************* Welcome to the MySQL monitor.  Commands end with ; or \g.Your MySQL connection id is 25.Server version: 8.0.23 Source distribution.Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> show variables like '%ssl%'; +-------------------------------------+----------------
Read more

Install Mydumper and Myloader Software for Backup of MySQL / MariaDB Databases and Usage of commands

Mydumper and Myloader Installation  ---------------------------------- Comparison of MySQL backup tools: 1. mysqldump: belongs to logical backup, there will be lock tables, but considering that the amount of data is relatively large, the time to lock the tables will be longer, business is not allowed... 2. xtrabackup: It is a physical backup, and there is no lock table, but considering that the two DBs use shared table spaces, and when the database of business B is restored, one is that the time is relatively long, and the other is that the data is definitely incorrect.... 3. mydumper: belongs to logical backup. It is a multi-threaded, high-performance data logical backup and recovery tool, and the lock table time is very short (40G data, within 10 minutes), and it will record binlog file and position at the same time.... Mydumper & Myloader installation in RHEL for MariaDB / MySQL Backups utilities - Third party Tools ---------------------------------------------------------------
Read more