The default behavior was to not do anything (deny=0 - don't lock
account) and replacing it with pam_faillock is non-trivial to do
automatically.
# TODO
# - fix pdf gen or disable it: No fo2pdf processor installed, skip PDF generation
-# - pam_tally, pam_tally2 are deprecated in favor of pam_faillock
# NOTE: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}-docs.tar.xz
# is not needed here: it contains documentation in target formats (HTML, PDF) built from sources included in main tarball
#
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth required pam_env.so
-auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
auth required pam_unix.so try_first_pass
-account required pam_tally.so file=/var/log/faillog onerr=succeed
account required pam_time.so
account required pam_unix.so