Goal: Do not hardcode pam_fail_delay and let pam_unix do its
      job to set a delay...or not

Fixes: #87648

Status wrt upstream: Forwarded but not applied yet

Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs

Index: shadow-4.4/src/login.c
===================================================================
--- shadow-4.4.orig/src/login.c
+++ shadow-4.4/src/login.c
@@ -525,7 +525,6 @@ int main (int argc, char **argv)
 #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
 	char ptime[80];
 #endif
-	unsigned int delay;
 	unsigned int retries;
 	bool subroot = false;
 #ifndef USE_PAM
@@ -546,6 +545,7 @@ int main (int argc, char **argv)
 	pid_t child;
 	char *pam_user = NULL;
 #else
+	unsigned int delay;
 	struct spwd *spwd = NULL;
 #endif
 	/*
@@ -708,7 +708,6 @@ int main (int argc, char **argv)
 	}
 
 	environ = newenvp;	/* make new environment active */
-	delay   = getdef_unum ("FAIL_DELAY", 1);
 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
 
 #ifdef USE_PAM
@@ -724,8 +723,7 @@ int main (int argc, char **argv)
 
 	/*
 	 * hostname & tty are either set to NULL or their correct values,
-	 * depending on how much we know. We also set PAM's fail delay to
-	 * ours.
+	 * depending on how much we know.
 	 *
 	 * PAM_RHOST and PAM_TTY are used for authentication, only use
 	 * information coming from login or from the caller (e.g. no utmp)
@@ -734,10 +732,6 @@ int main (int argc, char **argv)
 	PAM_FAIL_CHECK;
 	retcode = pam_set_item (pamh, PAM_TTY, tty);
 	PAM_FAIL_CHECK;
-#ifdef HAS_PAM_FAIL_DELAY
-	retcode = pam_fail_delay (pamh, 1000000 * delay);
-	PAM_FAIL_CHECK;
-#endif
 	/* if fflg, then the user has already been authenticated */
 	if (!fflg) {
 		unsigned int failcount = 0;
@@ -778,12 +772,6 @@ int main (int argc, char **argv)
 			bool failed = false;
 
 			failcount++;
-#ifdef HAS_PAM_FAIL_DELAY
-			if (delay > 0) {
-				retcode = pam_fail_delay(pamh, 1000000*delay);
-				PAM_FAIL_CHECK;
-			}
-#endif
 
 			retcode = pam_authenticate (pamh, 0);
 
@@ -1106,14 +1094,17 @@ int main (int argc, char **argv)
 		free (username);
 		username = NULL;
 
+#ifndef USE_PAM
 		/*
 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
 		 * to login the user again. If the earlier alarm occurs
 		 * before the sleep() below completes, login will exit.
 		 */
+		delay = getdef_unum ("FAIL_DELAY", 1);
 		if (delay > 0) {
 			(void) sleep (delay);
 		}
+#endif
 
 		(void) puts (_("Login incorrect"));
 
Index: shadow-4.4/lib/getdef.c
===================================================================
--- shadow-4.4.orig/lib/getdef.c
+++ shadow-4.4/lib/getdef.c
@@ -85,7 +85,6 @@ static struct itemdef def_table[] = {
 	{"ENV_PATH", NULL},
 	{"ENV_SUPATH", NULL},
 	{"ERASECHAR", NULL},
-	{"FAIL_DELAY", NULL},
 	{"FAILLOG_ENAB", NULL},
 	{"FAKE_SHELL", NULL},
 	{"FTMP_FILE", NULL},