From 91a76db66bb496ba4650ada38df31636297738cf Mon Sep 17 00:00:00 2001 From: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu, 15 May 2025 15:42:50 -0400 Subject: [PATCH] Prevent erroneous "Login blocked after [negative number] attempts" errors For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. * Only rudimentary local tests were conducted --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index a0e86db..0559ea3 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -164,7 +164,7 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## 4 ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, -## but ensure failed_login_counter is not set to a negative value. +## whilst ensuring failed_login_counter is not set to a negative value. failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) ## example failed_login_counter:
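Review bot: The commit message says this change "modifies the initialization of failed_login_counter", but the stat reports 1 insertion and 1 deletion and the only `-`/`+` lines in the hunk are the comment (`## but ensure ...` becoming `## whilst ensuring ...`); the `failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && ... || echo "0" )` line appears as unchanged context, so either the behavioural fix landed in an earlier commit and the message should be reworded to describe a comment-only change, or the intended code change is missing from this patch. Two smaller points on the surrounding lines: `pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"` yields 1, not 0, for an empty `$pam_faillock_output` (echo still emits a newline), so the message's "zero-initialized" description does not match the code path being guarded, and the clamp could be written as a single arithmetic expression, e.g. `failed_login_counter=$(( pam_faillock_output_count > 2 ? pam_faillock_output_count - 2 : 0 ))`, avoiding the `[ ... ] && echo || echo` round-trip.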