I had a similar problem ... it turns out it was with the "credits" I was issueing. I was using a credit like you have: dcredit=1 .... this is not correct, it should be: dcredit=-1
*possibly* the reason why you can type in a seven character password (even though you specify minlen=11) at the command line is because you've ALREADY GIVEN CREDIT for 4 characters BEFORE the password is even entered (ucredit=1 lcredit=1 difok=2 == 4; 11 - 4 = 7).
You should change your line to look like this:
Code:
password required /lib/security/pam_cracklib.so retry=5 minlen=11 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2
-- Tony