MariaDB 5.5 -- how to customize password rules

Question

I am using RHEL 7, which includes MariaDB 5.5.

I want to set up minimum requirements for passwords: minimums length 15, 1 lowercase, 1 uppercase, 1 symbol, 1 number.

I figure that I am probably not the first person using Rhel 7 to face this problem. Does anyone have some guidance on the best approach to add the above password rules to MariaDB 5.5 under Rhel 7?

I have so far pieced together these facts. (Some I am not so sure are correct.) I believe these facts indicate my best option is to just do whatever 5.5. allows.

• MariaDB 5.5 doesn't do this. There is no plugin.
• MariaDB 5.7 introduced new password features.
• MariaDB 10.1 and later has password plugin with this functionality.
• Installing an updated MariaDB on Rhel 7 would requiring making my own RPM and possibly put the system security at risk.
• I could write my own password routines and put them in the database. But this is not recommended, because it is easy to introduce a security flaw.
• I can configure 5.5 to work with Linux's PAM, or use the standard linux-user-name-matches-the-mysql-account-name authentication.

Answer 1

A couple of comments:

• Re: "the standard linux-user-name-matches-the-mysql-account-name authentication" - I assume you mean using the unix_socket plugin for authentication. This only works on localhost, i.e. the user has to be logged in on the database server.
• There is no MariaDB 5.7, but there is however a MySQL 5.7.
• There is no need to build your own RPM for MariaDB 10.x on RHEL7. You can just add the relevant MariaDB 10.x .repo file to your /etc/yum.repos.d/ directory. You can use the repo config tool on mariadb.org.

It's up to you to decide whether it's worth the effort to upgrade to MariaDB 10.1+ and thereby be able to use the password checking plugins - simple_password_check and cracklib_password_check. (10.4 is now GA, though at the moment this is still relatively new, so you may want to consider 10.3 or older as a more stable release.)