I can login 3 times with a bad password as a user, then the fourth time
correctly and the user gets a root shell.
what version of pam are you using?
marking as later just to hide this until it's fixed.
It only seems to occur through login, which minimizes its danger, I suppose.
we have a new shadow that fixes this now.
this is all fixed.