Tags: passwords, debian, root, pam

How to set up different password rules for regular users and for root on PAM


Bear with me for a moment. I'm doing a college exercise setting up a VM and I'm having a very hard time understanding what PAM is and how it actually works. All the results that come up on Google are either too basic or too complex and I really don't know what to look up. My exercise requires me to set up a bunch of rules for both normal users and root:

To set up a strong password policy, you have to comply with the following requirements:

  • Your password must be at least 10 characters long.
  • It must contain an uppercase letter and a number.
  • It must not contain more than 3 consecutive identical characters.
  • The password must not include the name of the user.
  • The following rule does not apply to the root password: The password must have at least 7 characters that are not part of the former password.
  • Of course, your root password has to comply with this policy

I haven't been able to find any good sites that explain how PAM works in a good way; however, I found that for the normal user I need to edit /etc/pam.d/common-password with:

password        requisite          pam_pwquality.so retry=3 minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root

Although I don't understand how PAM works, I do understand its flags. My question is: how do I set up different rules for root?


Solution

  • Note that root is not asked for an old password so the checks that compare the old and new password are not performed. So, basically, the phrase

    The following rule does not apply to the root password

    means you can't make difok=7 work for root and not that you must create a separate rule for root.
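As an added illustration (not part of the question or the answer above, and not libpwquality's own code), here is a simplified Python model of what the flags in that common-password line check, so you can reason about which passwords the policy accepts. It assumes the pam_pwquality semantics described on the page (minlen, ucredit/dcredit as "at least one", maxrepeat, reject_username, difok) and models root's case by passing no old password, which is exactly why the difok comparison is never applied to root.

```python
# Added example: a simplified model of the pam_pwquality checks configured by
#   minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7
# This is NOT libpwquality's code; credit scoring is reduced to "at least one".
# old_password=None models root changing a password: no old password is asked
# for, so the difok comparison is skipped, as the answer explains.

def check_password(new, username, old_password=None):
    """Return a list of reasons the password fails the policy (empty = ok)."""
    problems = []
    # minlen=10: simplified to raw length (real pwquality also counts credits)
    if len(new) < 10:
        problems.append("shorter than 10 characters (minlen)")
    # ucredit=-1 / dcredit=-1: at least one uppercase letter and one digit
    if not any(c.isupper() for c in new):
        problems.append("no uppercase letter (ucredit=-1)")
    if not any(c.isdigit() for c in new):
        problems.append("no digit (dcredit=-1)")
    # maxrepeat=3: more than 3 identical consecutive characters is rejected
    run = 1
    for prev, cur in zip(new, new[1:]):
        run = run + 1 if cur == prev else 1
        if run > 3:
            problems.append("more than 3 consecutive identical characters (maxrepeat)")
            break
    # reject_username: the user name, forward or reversed, must not appear
    lowered = new.lower()
    user = username.lower()
    if user in lowered or user[::-1] in lowered:
        problems.append("contains the user name (reject_username)")
    # difok=7: at least 7 characters of the new password must not occur in
    # the old one; only checked when an old password exists (never for root)
    if old_password is not None:
        distinct = sum(1 for c in new if c not in old_password)
        if distinct < 7:
            problems.append("fewer than 7 characters differ from the old password (difok)")
    return problems


if __name__ == "__main__":
    # constructed sample inputs: a regular user with an old password, and root
    print(check_password("Str0ngPassw", "alice", "oldpass1234"))
    print(check_password("aaaaBob1234", "bob"))
    print(check_password("Passw0rdXYZ", "root"))
```

Reusing the same password as root passes the model because no old password is supplied, while the same call with an old password fails the difok check.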