Goal: Re-enable logging and displaying failures on login when login is
      compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
      faillog file if it does not exist on postinst (as on Woody).
Depends: 008_login_more_LOG_UNKFAIL_ENAB
Fixes: #192849

Note: This patch could be removed if pam_tally could report the number of
      failures preceding a successful login.

Index: shadow-4.1.0/src/login.c
===================================================================
--- shadow-4.1.0.orig/src/login.c
+++ shadow-4.1.0/src/login.c
@@ -130,9 +130,9 @@
 static void setup_tty (void);
 static void check_flags (int, char *const *);
 
+static struct faillog faillog;
+
 #ifndef USE_PAM
-static struct faillog faillog;
-
 static void bad_time_notify (void);
 static void check_nologin (void);
 #endif
@@ -673,6 +673,8 @@
 				SYSLOG ((LOG_NOTICE,
 				         "TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
 				         failcount, fromhost, failent_user));
+				if (pwd && getdef_bool("FAILLOG_ENAB"))
+					failure (pwent.pw_uid, tty, &faillog);
 				fprintf(stderr,
 				        _("Maximum number of tries exceeded (%d)\n"),
 				        failcount);
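Review bot: The added guard tests `pwd` but the call passes `pwent.pw_uid`, so it is only correct if `pwent` is refreshed from `pwd` on every pass of the retry loop, which this hunk does not show. The same pairing recurs in the failcheck() hunk and in the "Login incorrect" hunk. If the two can get out of step, for example when a later attempt names a different or unknown user, the failure would be charged to the wrong UID. Reading the UID through the pointer being tested, `failure (pwd->pw_uid, tty, &faillog);`, would remove that dependency in all three places. The enclosing loop starts and ends outside the hunk.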
@@ -690,6 +692,13 @@
 				         pam_strerror (pamh, retcode)));
 				failed = true;
 			}
+			  if (pwd && getdef_bool("FAILLOG_ENAB") &&
+			      ! failcheck (pwent.pw_uid, &faillog, failed)) {
+			    SYSLOG((LOG_CRIT,
+			           "exceeded failure limit for `%s' %s",
+			           failent_user, fromhost));
+			    failed = 1;
+			  }
 
 			if (!failed) {
 				break;
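Review bot: The added block sets `failed = 1;` while the line just above it uses `failed = true;`, and its tab-plus-spaces indentation differs from the tab-only lines around it; `failed = true;` with matching indentation would keep the loop consistent. The block sits after the PAM error branch and runs whether or not that branch was taken, so a correct password is also refused once failcheck() reports that the limit is exceeded. A short comment such as `/* enforce the faillog limit even when PAM authentication succeeded */` would make that intent explicit for the next reader. The enclosing loop begins and ends outside the hunk.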
@@ -766,6 +731,8 @@
 #endif				/* WITH_AUDIT */
 
 			fprintf (stderr, "\nLogin incorrect\n");
+			if (pwd && getdef_bool("FAILLOG_ENAB"))
+				failure (pwent.pw_uid, tty, &faillog);
 			  if (getdef_str("FTMP_FILE") != NULL) {
 #if HAVE_UTMPX_H
 			    failent = utxent;
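Review bot: Failed attempts may be counted twice when the PAM stack also runs pam_tally (named in the patch header) against the same faillog file, because the added failure() call updates the record from login itself. If so, the lockout limit would be reached in half the intended tries, and the FAILLOG_ENAB documentation should say the two are not meant to be combined. A comment at the call, e.g. `/* faillog is indexed by UID, so only failures for existing accounts are recorded */`, would explain the `pwd` guard. Separately, the hunk header's new-side start (731) does not follow from the neighbouring hunks (old line 766 with nine lines added earlier gives 775), which suggests the header was edited by hand.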
@@ -1099,6 +1110,7 @@
 		 */
 #ifndef USE_PAM
 		motd ();	/* print the message of the day */
+#endif
 		if (   getdef_bool ("FAILLOG_ENAB")
 		    && (0 != faillog.fail_cnt)) {
 			failprint (&faillog);
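Review bot: The added `#endif` and the `#ifndef USE_PAM` re-opened in the next hunk split one conditional block into two with nothing marking the pairing. Annotating them, `#endif /* !USE_PAM */` here and a short comment at the re-opened `#ifndef` saying the faillog report in between is intentionally built for PAM too, would keep a later cleanup from merging them back. In a PAM build `faillog` appears to be filled only by the failcheck() call added earlier in this patch, so the report relies on the static record staying zero when that call is skipped. That assumption is worth stating in the same comment.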
@@ -1112,6 +1124,7 @@
 					 username, (int) faillog.fail_cnt));
 			}
 		}
+#ifndef USE_PAM
 		if (   getdef_bool ("LASTLOG_ENAB")
 		    && (0 != lastlog.ll_time)) {
 			time_t ll_time = lastlog.ll_time;
Index: shadow-4.1.0/lib/getdef.c
===================================================================
--- shadow-4.1.0.orig/lib/getdef.c
+++ shadow-4.1.0/lib/getdef.c
@@ -57,6 +57,7 @@
 	{"ENV_SUPATH", NULL},
 	{"ERASECHAR", NULL},
 	{"FAIL_DELAY", NULL},
+	{"FAILLOG_ENAB", NULL},
 	{"FAKE_SHELL", NULL},
 	{"FTMP_FILE", NULL},
 	{"GID_MAX", NULL},
@@ -93,7 +94,6 @@
 	{"ENV_HZ", NULL},
 	{"ENVIRON_FILE", NULL},
 	{"ENV_TZ", NULL},
-	{"FAILLOG_ENAB", NULL},
 	{"ISSUE_FILE", NULL},
 	{"LASTLOG_ENAB", NULL},
 	{"LOGIN_STRING", NULL},
