I'm trying to configure the pam_passwdqc.so module in /etc/pam.d/system-auth. I've added the pam_passwdqc.so line in the config file and commented out the line for pam_cracklib.so as shown below:

password required pam_passwdqc.so min=disable,disable,disable,8,7 passphrase=0 random=0 similar=permit
#password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

But now when I attempt to change a user password I get the following:

[test3@api01r5v ~]$ passwd
Changing password for user test3.
System configuration error. Please contact your administrator.
Changing password for test3
(current) UNIX password:
passwd: Critical error - immediate abort

I'm sure I'm probably missing a simple step but I just can see it. Any suggestion would be greatly appreciated.

Try the logfiles for more detail eg /var/log/messages, /var/log/secure

I'm working with a user account called "test3" on this system. I open 2 ssh sessions to the server named "api01r5v" and run tail -f /var/log/secure in one session while logging in as test3 in the second session and then try to change the password. I did the same thing with /var/log/messages. Nothing is logged to either file. So ran "grep -r test3 /var/log" to do a recursive search for the user account. I find the following in /var/log/audit/audit.log:

Looks like chauthtok is failing, but I don't know why.

Well, that's the SELinux log, so I'd check the SELinux attributes for the new pam module http://wiki.centos.org/HowTos/SELinux and anything else closely involved eg the /etc/pam.d/system-auth file.

No, SELinux is set to permissive. But I found my issue, it was something much simpler.

in my min= options is used "disable" when I should have used "disabled" (note the "d" at the end). Changing that fixed my problem. Thanks all who took a look.