pam-arch: Drop pam_faillock counting from fingerprint and smartcard
As mentioned in an fprintd issue comment, we need to make sure that
the stack's error status is taken from the main auth module, i.e.
pam_fprintd
, otherwise GDM will not behave correctly.
Still use pam_faillock
preauth
so that we test whether the account is
locked, but don't use authfail
/authsucc
to log a failure/success so this
stack doesn't participate in triggering the lock.
Ideally we would check which return values we actually want to treat as a reason to lock the account (e.g. fingerprint mismatch) and which are neutral (e.g. no fingerprints enrolled), but that's much more effort.
Should fix FS#71750.
Has been applied downstream since 2021-08-31.
Edited by Jan Alexander Steffens