After upgrading to sys-auth/pambase-20201010 sys-libs/pam-1.4.0_p20200829 I cannot log in via ssh + pw. ssh + keys still works, which is currently the only way I have access to this server.

Log:

Oct 13 08:29:24 xxx sshd[7408]: pam_krb5(sshd:auth): user xxx authenticated as xxx@XXX.DE
Oct 13 08:29:24 xxx sshd[7408]: pam_faillock(sshd:auth): Unknown option: conf
Oct 13 08:29:24 xxx sshd[7408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=xxx
Oct 13 08:29:25 xxx sshd[7391]: error: PAM: Permission denied for xxx from x.x.x.x

Which seems to be caused by the 4th line in /etc/pam.d/system-login:

auth required pam_faillock.so preauth conf=/etc/security/faillock.conf

Reproducible: Always

=================================================================
                        Package Settings
=================================================================

sys-libs/pam-1.4.0_p20200829::gentoo was built with the following:
USE="berkdb filecaps nis pie (split-usr) -audit -debug (-selinux)" ABI_X86="(64) -32 (-x32)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

sys-auth/pambase-20201010::gentoo was built with the following:
USE="nullok pam_krb5 passwdqc sha512 -caps -debug -elogind -gnome-keyring -minimal -mktemp -pam_ssh -pwhistory -pwquality -securetty (-selinux) -systemd" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

After looking at the source of pam_faillock, I realize that it has nothing to do with the failure. pam_faillock first looks for the conf parameter and uses it, but it does not drop it from its parameter list. After that, a regular loop parses all parameters, but this loop does not know about 'conf'. So it outputs the warning, without any bad side effect.

I reported the login failure as a separate bug, Bug #748405.

Fixed in new release.
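
The two-pass argument handling described in the follow-up comment, as an added example that is not pam_faillock's source and not part of the original report: a simplified model showing why `conf=` triggers a harmless "Unknown option" warning, next to one way to avoid it. The struct, function names and the `skip_conf` switch are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the module's options; all names here are hypothetical. */
struct opts {
    const char *conf;  /* path taken from conf=... */
    int preauth;       /* 1 if "preauth" was given */
    int unknown;       /* count of "Unknown option" warnings */
};

/* Pass 1: locate conf= so the config file can be read first. */
static const char *find_conf(int argc, const char **argv)
{
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "conf=", 5) == 0)
            return argv[i] + 5;
    return NULL;
}

/* Pass 2: regular option loop. skip_conf=0 models the reported behaviour
 * (loop has no case for conf); skip_conf=1 ignores the consumed argument. */
static struct opts parse_args(int argc, const char **argv, int skip_conf)
{
    struct opts o = { find_conf(argc, argv), 0, 0 };

    for (int i = 0; i < argc; i++) {
        if (skip_conf && strncmp(argv[i], "conf=", 5) == 0)
            continue;  /* already handled in pass 1 */
        if (strcmp(argv[i], "preauth") == 0) {
            o.preauth = 1;
        } else {
            /* Warning only: parsing continues, no other state changes. */
            fprintf(stderr, "Unknown option: %.*s\n", (int)strcspn(argv[i], "="), argv[i]);
            o.unknown++;
        }
    }
    return o;
}

/* Module arguments from the system-login line quoted in the report. */
static const char *sample_argv[] = { "preauth", "conf=/etc/security/faillock.conf" };

int main(void)
{
    struct opts before = parse_args(2, sample_argv, 0);
    struct opts after = parse_args(2, sample_argv, 1);
    printf("warnings before=%d after=%d, conf=%s\n", before.unknown, after.unknown, after.conf);
    return 0;
}
```

In both modes the `conf` path and the `preauth` flag come out identical; only the warning count differs, which matches the observation that the log line is noise rather than the cause of the denied login.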