Locking USER Accounts in MySQL


Locking User Accounts in MySQL

For SOX Compliance when an employee, contractor, or vendor leaves your company their account needs to be locked, expired, or removed.  Some of these people may return, and their Account may have many complicated permissions.  In these cases, it would be better to “Lock” their Account while they are no longer doing business with your company. 
However, MySQL does not have the ability to “Lock” or “Expire” a User Account.   The following is a simple procedure to “Lock” and “Unlock” a MySQL Account.

Typically, the one-way encrypted hash value of a users password is stored in a password field  in an user account table.  MySQL supports three builtin one-way hashed functions, PASSWORD(), MD5() and SHA1().  It is recommended not to directly use the PASSWORD() function. Reason, is that prior to PHP 4.1 version, the password function produced a 16 byte value, and afterwards a 41 byte value consisting of a '*' followed by the SHA1 40 byte hashed value. Thus, the password function is not compatible between the two.

To avoid incompatibilities, it is recommended to directly use the SHA1() builtin hash function to produce the same 40 byte hashed value, and add a leading ‘*’ . Note, your password field must be at least 41 characters in length.

Alternatively, one can use the MD5() builtin hash function to produce a 32 byte hashed value. Additionally, both SHA1 and MD5 are builtin PHP functions, so the passwords can be hashed prior to submission to the database, which further reduces exposure to the plaintext value of the password.

When a user logs into an account, the password they enter is passed through the same one-way encrypted hash function, and the resulting hashed value is then compared for a match to the hashed value stored in the password field.

To lock a password in such a way that it is still recoverable, remove the leading ‘*’ in the stored hash value, which will cause subsequent attempts to match the hashed value of an entered password to fail. The password can be later unlocked by adding back the ‘*’.

To Lock the account

mysql>use mysql
mysql> select User,Password from user where User = 'username' and Host = 'localhost';
+---------+-----------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| username | *D1856C4478388E9C1D82C215C573310AD7BF5BEA |
+---------+-------------------------------------------+
mysql>update user set Password = ‘D1856C4478388E9C1D82C215C573310AD7BF5BEA’ where User = ‘username’ and Host = ‘localhost’;
mysql>flush privileges;

To restore the Account, do the following:

mysql>use mysql
mysql> select User,Password from user where User = 'username' and Host = 'localhost';
+---------+-----------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| username | D1856C4478388E9C1D82C215C573310AD7BF5BEA |
+---------+-------------------------------------------+
mysql>update user set Password = ‘*D1856C4478388E9C1D82C215C573310AD7BF5BEA’ where User = ‘username’ and Host = ‘localhost’;
mysql>flush privileges;

Locating Locked Accounts

Locked accounts can be located by searching the password field for values not starting with the asterisk character ‘*’ used to unlock the account.

mysql>use mysql
mysql> select User,Password from user where User NOT LIKE '*%' and Host = 'localhost';
---------+-----------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| username | D1856C4478388E9C1D82C215C573310AD7BF5BEA |
+---------+-------------------------------------------+

These procedures will save the DBA’s time and ensure the returning User to have the same privileges they had previously.


Comments

Post a Comment

Popular posts from this blog

PostgreSQL Database Version 13.4 To MySQL Database Version 8.0.20 Migration by using SQLines Tool

 PostgreSQL to MySQL  ------------------------ This Document will give details about PostgreSQL to MySQL Database . Environment Details :- --------------------------- Server 1 == Source Database == PostgreSQL Database Version == 13.4 Server 2 == Target Database == MySQL Database Version == 8.0.20 Server 3 == Jump host == Where you will install Sqline and connect to Source DB and Target DB. I have consider 3 EC2 Machines from AWS [ RHEL 8.x ]  postgres-source-server == 172.31.30.141 [ Private Ipaddress ] = EC2 Machine = RHEL 8.4 mysql-target-server    == 172.31.17.136 [ Private Ipaddress ] = EC2 Machine = RHEL 8.4 jump-host              == 172.31.27.241 [ Private Ipaddress ] = EC2 Machine = RHEL 8.4 Step - 1  Install PostgreSQL Database Version in Source Server  Step - 2  Install MySQL Database Verion in Target Server  Step - 3  Install / Setup sqline s/w in Jump host server  Step - 4  Loading ...
Read more

MariaDB Database Multi-instance implementation in single machine

--------------------------------------------------------------------- MariaDB Database Multi-instance implementation in single machine --------------------------------------------------------------------- Step - 1 : Install MaariaDB [ First ] instance by using YUM or Repo installation  Step - 2 : Setup for other port numbers [ 3307 , 3308 and 3309 ] Instances for MariaDB  Step - 3 : Start the MariaDB service with new DB instances [ 3307 , 3308 and 3309 ]  Step - 4 : Stop / Shutdown of MariaDB all Instances [ 3306 , 3307 ,3308 and 3309 ] Step - 5 : Connection for all MariaDB instances [ 3306 , 3307 ,3308 and 3309 ] Step - 6 : Setting the password for DB super user for all MariaDB instances [ 3306 , 3307 ,3308 and 3309 ] Step - 7 : MariaDB services creation for all instances [ 3306 , 3307 ,3308 and 3309 ] Step - 8 : Stop / Start / Status / Restart for all MariaDB instances by uising mariadb instance service files -------------------------------------------------------------...
Read more