Ouch, thanks Marc! Indeed our previous seddery was broken, it should have left the pam_deny/pam_permit lines. With this it works just fine:
--- /tmp/common-auth.orig 2022-04-01 07:16:26.072608984 +0200 +++ /tmp/common-auth.faillock 2022-04-01 07:14:20.246707861 +0200 @@ -16,6 +16,8 @@ # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_unix.so nullok auth [success=1 default=ignore] pam_sss.so use_first_pass +auth [default=die] pam_faillock.so authfail deny=4 +auth sufficient pam_faillock.so authsucc deny=4 # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; Sorry for the noise! ** Changed in: pam (Ubuntu Jammy) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1966416 Title: pam_faillock does not actually deny login after given number of failures To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1966416/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs