Bug 91444 - pam_cracklib.so, does not support password requirements correctly
Summary: pam_cracklib.so, does not support password requirements correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-05-22 17:18 UTC by Chris
Modified: 2015-01-08 00:05 UTC (History)
CC List: 2 users

Fixed In Version: FC2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-21 15:03:11 UTC
Embargoed:



Description Chris 2003-05-22 17:18:57 UTC
Description of problem:
At our company we require the password to be 8 characters, and contain three of 
the following (a lower case character, an upper case character, a digit, or a 
special character).  The only way I have been able to implement this on Red Hat 
Linux is to set the following line in /etc/pam.d/system-auth.

password    required      /lib/security/pam_cracklib.so retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1

This works somewhat, but users can still enter 11 lower case characters and it 
works.

I found some documentation that says -1 will require at least one, but that 
does not seem to work in Red Hat.
Here is the link to the documentation I found: 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3

Another problem with pam_cracklib.so in Red Hat is that the Red Hat utilities 
overwrite any changes that were manually entered.  So if someone runs authconfig 
after the above changes were entered, the default settings are put back and any 
changes are deleted.

Version-Release number of selected component (if applicable):
pam-0.75-46.7.3

How reproducible:
1. configure /etc/pam.d/system-auth
2. attempt to change a password with different combinations to see if the 
expected results happen
3. run authconfig, after running check the settings in /etc/pam.d/system-auth, 
they should now be removed
 
    
Actual results:
I can find no configuration where I can set up the minimum number of characters 
as 8 and require the user to enter special characters.  authconfig always removes 
any changes.

Expected results:
I think authconfig needs to either contain a way to set these settings, or it 
needs to not erase changes which have been entered to /etc/pam.d/system-auth.  
I would also like some kind of way to setup password requirements that users 
cannot get around by entering a large number of characters.

Additional info:

Comment 1 Virtual Janitor 2003-09-04 21:21:22 UTC
I also have found this same problem in RedHat 6.2-9.0 and Mandrake 8.1-9.1.  On
each of these I tried the example given for /etc/pam.d/system-auth in the URL
above for 8 characters minimum, with at least 1 upper case, 1 digit, and 1 other
character:
"password  required pam_cracklib.so difok=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8"
