Fail to enforce strong password policy with PAM

I have read https://www.freebsd.org/doc/handbook/security-intro.html, but I found pam_passwdqc does not work as I expected.
I want to enforce 4 kinds of character classes in passwords: digits, lower-case letters, upper-case letters, and others. So I modified /etc/pam.d/passwd to be:
Code:
password        requisite       pam_passwdqc.so         min=disabled,disabled,disabled,disabled,8 similar=deny retry=3 enforce=everyone

But I found some issues:
1) The password cannot be used to log in through ssh. The sshd server always complains: "error: PAM: authentication error for test from 10.156.76.125"
2) I saw that the passwd command gives me a sample password, but it does not include digits. If I typed it, it was accepted. That is not what I expected.
3) If I specified a weak password, for example, 123456, I only saw a warning, but the system still accepts the weak password.

Anyone know why?
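
Added example (not part of the original post, and not pam_passwdqc's own code): a simplified Python model of the min= field in the line posted above, useful for predicting which test passwords the length and character-class rule should reject before checking whether the module enforces it. Function names are hypothetical. It assumes ASCII passwords and the pam_passwdqc man page rule that a leading upper-case letter and a trailing digit are not counted as classes; passphrases (N2), similar=, and the module's other checks are not modelled.

```python
import string

# The min= value from the /etc/pam.d/passwd line posted above.
POSTED_MIN = "disabled,disabled,disabled,disabled,8"

def parse_min(value):
    """Return [N0, N1, N2, N3, N4]; None means that kind of password is disabled."""
    fields = value.split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated fields")
    return [None if f == "disabled" else int(f) for f in fields]

def count_classes(password):
    """Count character classes as the man page describes (ASCII only)."""
    digits = sum(c in string.digits for c in password)
    lowers = sum(c in string.ascii_lowercase for c in password)
    uppers = sum(c in string.ascii_uppercase for c in password)
    others = len(password) - digits - lowers - uppers
    # A leading upper-case letter and a trailing digit are not counted.
    if password and password[0] in string.ascii_uppercase:
        uppers -= 1
    if password and password[-1] in string.digits:
        digits -= 1
    return sum(n > 0 for n in (digits, lowers, uppers, others))

def length_rule_accepts(password, min_value=POSTED_MIN):
    """True if the length/class rule alone would accept the password."""
    mins = parse_min(min_value)
    # N0, N1, N3, N4 apply to 1, 2, 3, 4 classes; N2 (passphrases) is not modelled.
    by_classes = {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}
    # Try the minimum for the password's class count, then those for fewer classes.
    for k in range(count_classes(password), 0, -1):
        if by_classes[k] is not None and len(password) >= by_classes[k]:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ["123456", "Abcdefg1", "Abcdef$1", "aB3$efg", "aB3$efgh"]:
        print(f"{pw!r}: classes={count_classes(pw)} "
              f"accepted={length_rule_accepts(pw)}")
```

Under the posted setting only the last sample passes; "Abcdefg1" looks like three classes but counts as one.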
 
I found the 'pw' command is also used to set passwords, and that command does not enforce any password policy. As a result, users can work around it by using 'pw' to set a weak password, even if the password cmd follows a strong policy. So, discussing strong passwords does not make any sense on FreeBSD.
 
The pw(8) tool can only be used by root to set a password. And root can set any password, regardless of policy.

Code:
The pw utility handles updating the
     passwd, master.passwd, group and the secure and insecure password data-
     base files, and must be run as root.
 