From 75cd44e94032b13bba41539737d6ac63623217e1 Mon Sep 17 00:00:00 2001
From: Mikle Kolyada <zlogene@gentoo.org>
Date: Thu, 18 Jun 2020 13:02:10 +0300
Subject: move faillock last in auth

Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
---
 system-auth.in  | 12 ++++++------
 system-login.in | 11 ++++++-----
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/system-auth.in b/system-auth.in
index 6eea7bc..9ae09e4 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -2,12 +2,6 @@
 auth		required	pam_env.so DEBUG
 #endif
 
-#if HAVE_FAILLOCK
-auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth            sufficient      pam_unix.so nullok try_first_pass
-auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
 #if HAVE_PAM_SSH
 auth		sufficient	pam_ssh.so
 #endif
@@ -18,6 +12,12 @@ auth		required	pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
 auth		optional	pam_permit.so
 
+#if HAVE_FAILLOCK
+auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth            sufficient      pam_unix.so nullok try_first_pass
+auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
+#endif
+
 #if HAVE_KRB5
 account		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
 #endif
diff --git a/system-login.in b/system-login.in
index 9e82d60..ee03613 100644
--- a/system-login.in
+++ b/system-login.in
@@ -1,8 +1,3 @@
-#if HAVE_FAILLOCK
-auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth            sufficient	pam_unix.so nullok try_first_pass
-auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
 
 #if HAVE_SHELLS
 auth		required	pam_shells.so DEBUG
@@ -12,6 +7,12 @@ auth		required	pam_nologin.so DEBUG_NOLOGIN
 #endif
 auth		include		system-auth
 
+#if HAVE_FAILLOCK
+auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth            sufficient      pam_unix.so nullok try_first_pass
+auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
+#endif
+
 #if HAVE_ACCESS
 account		required	pam_access.so DEBUG
 #endif
-- 
cgit v1.2.3-65-gdbad