From 8b104f544a9e4e8da1691659fefa4999a4f6f085 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 1 Sep 2021 15:45:36 -0400
Subject: [PATCH] fix, add sshd to pam_service_exclusion_list to avoid faillock
---
 usr/libexec/security-misc/pam_faillock_not_if_x | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x
index 4f18f03..26cbc43 100755
--- a/usr/libexec/security-misc/pam_faillock_not_if_x
+++ b/usr/libexec/security-misc/pam_faillock_not_if_x
@@ -19,11 +19,9 @@ true "PAM_SERVICE: $PAM_SERVICE"
 ## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains."
 ## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
-## - Failed dovecot logins should not result in account getting locked.
-## - Failed SSH public key authentication attempts do not increase pam_faillock
-## counter for some reason.
+## - Failed dovecot ssh logins from malicious remotes should not result in account getting locked.
 ## This list can later be extended as needed.
-pam_service_exclusion_list="dovecot"
+pam_service_exclusion_list="dovecot sshd"
 for pam_service_exclusion_item in $pam_service_exclusion_list ; do
 if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
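Review bot: Adding `sshd` to `pam_service_exclusion_list` removes one risk (a remote party locking a local account by failing SSH logins) but the rewritten comment does not record what is given up. With sshd excluded, failed SSH password attempts presumably no longer count toward pam_faillock, so this script no longer throttles online password guessing over SSH; the `if` body that acts on a match lies outside the hunk, so this is inferred from the commit subject. I would state the trade-off next to the list, for example `## - dovecot and sshd are excluded so that remote attackers cannot lock accounts; password guessing against these services must be limited elsewhere (key-only SSH, MaxAuthTries, rate limiting).` The new comment also reads `dovecot ssh logins` where "dovecot and ssh logins" is meant. It also drops the earlier observation that public key failures did not increase the counter, without saying whether that still holds.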