Prevent erroneous "Login blocked after [negative number] attempts" errors

For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.

This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.

This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.

* Only rudimentary tests were conducted
DMHalford 2025-05-15 15:06:10 -04:00 committed by GitHub
parent 341dce33fb
commit 6c3be9ced0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -163,9 +163,9 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
## example pam_faillock_output_count:
## 4
## Do not count the first two informational textual output lines
## (starting with "user:" and "When").
failed_login_counter=$(( pam_faillock_output_count - 2 ))
## Do not count the first two informational textual output lines (starting with "user:" and "When") if present,
## but ensure failed_login_counter is not set to a negative value.
failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" )
## example failed_login_counter:
## 2
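Review bot: the new `failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo ... || echo "0" )` line evaluates the subtraction twice and forks a subshell for a `[ ]`/`echo` pair where a single arithmetic expansion does the same job: `failed_login_counter=$(( pam_faillock_output_count > 2 ? pam_faillock_output_count - 2 : 0 ))`. It also only masks the miscount rather than fixing it: on the unchanged context line `pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"`, an empty `$pam_faillock_output` still yields a count of 1, because `echo` prints a newline even for an empty string, so the old code produced -1 in the root case. An explicit `[ -z "$pam_faillock_output" ]` test that sets the counter to 0 before the `wc -l` line would handle the empty-output case by name and leave the clamp as a safety net; the header-only case (two lines) already gives 0 with either form. The updated comment should also say that the clamp exists because faillock can return no output at all, so the next reader does not reintroduce the bare subtraction.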
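The counting that the commit patches, as an added shell example that is not part of the project's code: `count_failed_logins` takes captured `faillock --user NAME` output, treats empty output as zero failures before any line counting, and clamps the header subtraction in a single arithmetic expansion. The two sample outputs are constructed here, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code. Constructed sample of
# `faillock --user NAME` output: two header lines ("user:" and "When ...")
# followed by one line per recorded failure.
SAMPLE_TWO_FAILURES='alice:
When                Type  Source                                           Valid
2025-05-15 14:59:01 RHOST 203.0.113.7                                          V
2025-05-15 15:00:12 TTY   pts/1                                                V'

# Constructed sample with headers but no failure records.
SAMPLE_HEADERS_ONLY='alice:
When                Type  Source                                           Valid'

# count_failed_logins FAILLOCK_OUTPUT
# Prints the number of failure records contained in FAILLOCK_OUTPUT.
count_failed_logins() {
    faillock_output="$1"

    # Empty output (the root case described in the commit): handle it by name.
    # `echo "" | wc -l` would report 1 because echo always emits a newline,
    # which is how the subtraction below went negative before the fix.
    if [ -z "$faillock_output" ]; then
        echo 0
        return 0
    fi

    # printf '%s\n' does not reinterpret "-n"/"-e"-style strings the way echo may;
    # wc -l counts newline characters, so this is exactly the number of lines.
    # tr strips the leading padding some wc implementations print.
    line_count=$(printf '%s\n' "$faillock_output" | wc -l | tr -d ' ')

    # Drop the two header lines, clamping at 0 in one arithmetic expansion
    # instead of evaluating the subtraction twice via [ ] and echo.
    echo $(( line_count > 2 ? line_count - 2 : 0 ))
}

# Stand-alone usage: prints 2, 0 and 0.
count_failed_logins "$SAMPLE_TWO_FAILURES"
count_failed_logins "$SAMPLE_HEADERS_ONLY"
count_failed_logins ""
```

The explicit `-z` check is the part that actually fixes the root case; the ternary clamp is only there so a future change to the header format cannot push the counter below zero again.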