6.2.11 Password Management

MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.

Internal Versus External Credentials Storage

Some authentication plugins store account credentials internally to MySQL, in the
The discussion in this section applies to such authentication plugins because the password-management capabilities described here are based on internal credentials storage handled by MySQL itself. Other authentication plugins store account credentials externally to MySQL. For accounts that use plugins that perform authentication against an external credentials system, password management must be handled externally against that system as well. For information about individual authentication plugins, see Section 6.4.1, “Authentication Plugins”.

Password Expiration Policy

To expire an account password manually, use the
This operation marks the password expired in the corresponding

Password expiration according to policy is automatic and is based on password age, which for a given account is assessed from the date and time of its most recent password change. The

To establish automatic password-expiration policy globally, use the
Note

Prior to 5.7.11, the default

However, this is easy to miss for clients that automatically connect to the server, such as connections made from scripts. To avoid having such clients suddenly stop working due to a password expiring, make sure to change the password expiration settings for those clients, like this:
Alternatively, set the

Examples:
The global password-expiration policy applies to all accounts that have not been set to override it. To establish policy for individual accounts, use the

Example account-specific statements:
When a client successfully connects, the server determines whether the account password has expired:
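The expiration decision described in this section can be approximated offline as an audit query over the accounts table. This is an added example, not part of the MySQL manual; it assumes the MySQL 5.7 `mysql.user` columns `password_expired`, `password_last_changed` and `password_lifetime`, and the `default_password_lifetime` system variable.

```sql
-- Added example, not from the MySQL manual. Needs SELECT on mysql.user.
-- Assumed MySQL 5.7 semantics for mysql.user.password_lifetime:
--   NULL = defer to the global policy, 0 = never expire, N = expire every N days.
-- The date comparison approximates the check the server makes at connect time.
SELECT
    u.user,
    u.host,
    u.plugin,  -- accounts on external-credential plugins are managed outside MySQL
    u.password_last_changed,
    CASE
        WHEN u.password_lifetime IS NULL THEN 'global policy'
        ELSE 'per-account override'
    END AS policy_source,
    COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime)
        AS effective_lifetime_days,
    CASE
        -- Manual expiration is a stored flag and takes precedence over age.
        WHEN u.password_expired = 'Y'
            THEN 'expired (manually)'
        -- An effective lifetime of 0 disables automatic expiration.
        WHEN COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime) = 0
            THEN 'no automatic expiration'
        -- No recorded change time: age cannot be assessed from this table.
        WHEN u.password_last_changed IS NULL
            THEN 'age unknown'
        WHEN u.password_last_changed
             + INTERVAL COALESCE(u.password_lifetime,
                                 @@GLOBAL.default_password_lifetime) DAY < NOW()
            THEN 'expired (by age)'
        ELSE CONCAT(
            DATEDIFF(
                u.password_last_changed
                + INTERVAL COALESCE(u.password_lifetime,
                                    @@GLOBAL.default_password_lifetime) DAY,
                NOW()),
            ' day(s) until expiration')
    END AS expiration_status
FROM mysql.user AS u
ORDER BY u.user, u.host;
```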
If the password is expired (whether manually or automatically), the server either disconnects the client or restricts the operations permitted to it (see Section 6.2.12, “Server Handling of Expired Passwords”). Operations performed by a restricted client result in an error until the user establishes a new account password:
This restricted mode of operation permits

After the client resets the password, the server restores normal access for the session, as well as for subsequent connections that use the account. It is also possible for an administrative user to reset the account password, but any existing restricted sessions for that account remain restricted. A client using the account must disconnect and reconnect before statements can be executed successfully.

Note

Although it is possible to “reset” an expired password by setting it to its current value, it is preferable, as a matter of good policy, to choose a different password.

Which of the following is a special group that provides its members with the ability to run the su and sudo command?

The group wheel is a special user group to control access to the su or sudo command. By design, members of the group wheel can run all commands with sudo as root. The following procedure explains how to add a user account to the wheel group.
Which command would you use to unlock a user account?

Option 1: Use the command “passwd -u username”. Unlocking password for user username. Option 2: Use the command “usermod -U username”.
Which of the following commands will change the SELinux security context of a file?

1. Temporary Changes: chcon. The chcon command changes the SELinux context for files.
What command can you use to view Journald log entries on a system that uses systemd?

To see the logs that the journald daemon has collected, use the journalctl command. When used alone, every journal entry that is in the system will be displayed within a pager (usually less) for you to browse. The oldest entries will be up top: journalctl.