"The last 4 passwords must be different"
This is controlled by PAM using the pam_unix.so (or pam_unix2.so) module, which ships by default in Debian. In the config file
/etc/pam.d/common-password, the line containing "pam_unix.so" needs to include "remember=4", e.g.
password requisite pam_unix.so obscure use_authtok try_first_pass sha512 remember=4
"Passwords must contain more than 7 characters, and must be a mixture of upper and lowercase letters, and numbers"
Passwords can be tested with the PAM module pam_cracklib.so.
On Debian/Ubuntu, this can be installed with
# apt-get install libpam-cracklib
and this will generate an entry in the config file found at /etc/pam.d/common-password along the lines of
password requisite pam_cracklib.so retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1
What we're interested in here is primarily minlen - but it's not exactly the minimum length of the password as you might expect. Rather, it's a total of the number of characters in the password, plus scores from lcredit, ucredit, dcredit and ocredit, where the parameters mean
- lcredit: maximum credit allowed from required lower-case characters
- ucredit: number of required upper-case characters
- dcredit: number of required digits
- ocredit: number of required other characters (non-alphanumeric)
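The minlen arithmetic above, worked through as an added example (not code from the original page): a Python model of only the length-plus-credits test, assuming, as the pam_cracklib manual describes, that a positive credit is a bonus for up to N characters of a class and a negative credit makes |N| characters of that class mandatory. The STRICT settings and the sample passwords are constructed for illustration.

```python
# Model of the minlen/credit test only; dictionary and similarity
# checks done by pam_cracklib are not modelled here.
import string

def class_counts(password):
    """Count characters per class, keyed by the option that scores them."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def passes_length_check(password, minlen, lcredit, ucredit, dcredit, ocredit):
    """Return (accepted, effective_length) for the minlen/credit rule.

    credit N >= 0: up to N characters of that class each add 1 to the length.
    credit N <  0: at least |N| characters of that class are mandatory, no bonus.
    """
    credits = {"lcredit": lcredit, "ucredit": ucredit,
               "dcredit": dcredit, "ocredit": ocredit}
    effective = len(password)
    for name, seen in class_counts(password).items():
        credit = credits[name]
        if credit >= 0:
            effective += min(seen, credit)
        elif seen < -credit:
            return False, effective  # a mandatory class is missing
    return effective >= minlen, effective

# The pam_cracklib line from the page: one bonus credit per class.
PAGE = dict(minlen=11, lcredit=1, ucredit=1, dcredit=1, ocredit=1)
# Assumed alternative: classes mandatory rather than a bonus.
STRICT = dict(minlen=8, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=0)

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Abcdef1", "abcdefghij", "Abcdefg1", "Ab1!xyz"]:
        print(pw, passes_length_check(pw, **PAGE),
              passes_length_check(pw, **STRICT))
```

With positive credits, a 10-character all-lowercase password and a 7-character password using all four classes both reach the score of 11, so the character mixture is a bonus and not a requirement.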
"Passwords must be changed every 45 days"
Aha, an easy one. In /etc/login.defs, set
"Accounts are made inactive 90 days after last login"
Also straightforward. In /etc/default/useradd, set
"Sessions timeout after 15 mins inactivity"
Within /etc/bash.bashrc, set
"Account locks out for 30 mins after 6 failed login attempts"
For this one, we need to install fail2ban (apt-get install fail2ban), and then create a file at /etc/fail2ban/jail.local which contains the following:
[DEFAULT]
bantime = 1800
Remember to restart fail2ban after you've made the config change.