I have two questions about the system-auth file:
1) If the /etc/pam.d/system-auth password complexity settings are changed on an existing system, does it invalidate any existing passwords?
2) Is it possible to say that lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 <-- at least three out of the four character groups should be enforced?
Thanks!
edit:
2) is answered here: http://linux.die.net/man/8/pam_passwdqc and http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-password-quality-control/
Ad 1) To the best of my knowledge it does not. You will have changed rules for creating new passwords, not requirements for accepting already set passwords. If you want to force users to change their passwords to one complying with the new rule set, age their passwords.
Ad 2) pam_cracklib doesn't give you that kind of flexibility. You either enforce a minimum number of characters of a given type (Xcredit<0) or you give extra credit (+1 "length") for up to N characters of a given type (Xcredit=N>0) and set minlen high enough to be satisfactory even if the user chooses characters of one type only.
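
A simplified Python model of the credit rules described in the answer above, added here as an illustration; it is not part of the original answer and not the pam_cracklib source. It covers only the minlen/credit check; the function names, the assumed per-class default credit of 1, and the sample passwords are constructed for this example.

```python
# Simplified model of the minlen/credit check (added example, not module code).
# Dictionary, difok and similar checks are deliberately left out.
CLASSES = ("dcredit", "ucredit", "lcredit", "ocredit")


def classify(password):
    """Count digits, upper-case, lower-case and other characters."""
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def passes_credit_check(password, minlen, **credits):
    """Return True if the password satisfies minlen under the given credits.

    Xcredit < 0:  at least |Xcredit| characters of that class are mandatory.
    Xcredit >= 0: up to Xcredit characters of that class each count as one
                  extra character of length.
    """
    counts = classify(password)
    required = minlen
    for name in CLASSES:
        credit = credits.get(name, 1)  # assumption: default credit of 1
        if credit < 0:
            if counts[name] < -credit:
                return False  # mandatory class is missing
        else:
            required -= min(counts[name], credit)
    return len(password) >= required


if __name__ == "__main__":
    strict = dict(dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)
    # Constructed sample passwords, checked against the all-negative setting.
    for pw in ("Passw0rd!", "Passw0rdX", "password1"):
        print(pw, passes_credit_check(pw, 8, **strict))
```

With all four credits at -1, a password using three of the four classes is rejected, which is the inflexibility the answer points out.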