So this was pretty straightforward.
But just to elaborate for others
On my system I needed to edit /etc/pam.d/system-login
From this
#%PAM-1.0
auth required pam_tally2.so
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_tally2.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
to this
#%PAM-1.0
auth required pam_faillock.so
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_faillock.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so user_readenv=1
…that is I needed to
- replace 2 instances of
pam_tally2.sowithpam_faillock.so - also added
user_readenv=1to the end of the last line
After a reboot all seems fine.
[KDE if it matters]