The PAM stack is modified, adding lines for pam_faillock.so.

 

The line with authfail line is inserted “after pam_unix.so”.   When there are alternative authentication methods (ex: pam_krb5.so or pam_sssd.so), this breaks them.

 

It would be better to add this line “before pam_deny.so” instead.   This would still have the desired effect, without breaking alternative authentication methods.

 

What’s the best path to get this change made?

 

Thanks.