diff -Naur old/authconfig.py new/authconfig.py
--- old/authconfig.py	2017-03-28 14:08:03.601258033 +0200
+++ new/authconfig.py	2017-03-28 14:10:35.055518926 +0200
@@ -353,6 +353,13 @@
                         help=_("require at least one other character in a password"))
                 parser.add_option("--disablereqother", action="store_true",
                         help=_("do not require other characters in a password"))
+                
+		parser.add_option("--enablefaillock", action="store_true",
+			help=_("enable account locking in case of too many consecutive authentication failures"))
+		parser.add_option("--disablefaillock", action="store_true",
+			help=_("disable account locking on too many consecutive authentication failures"))
+		parser.add_option("--faillockargs", metavar=_("<options>"),
+			help=_("the pam_faillock module options"))
 
 		parser.add_option("--nostart", action="store_true",
 			help=_("do not start/stop portmap, ypbind, and nscd"))
@@ -466,7 +473,8 @@
                         "reqlower":"passReqLower",
                         "requpper":"passReqUpper",
                         "reqdigit":"passReqDigit",
-                        "reqother":"passReqOther"}
+                        "reqother":"passReqOther",
+			"faillock":"enableFaillock"}
 
 		string_settings = {"passalgo":"passwordAlgorithm",
 			"hesiodlhs":"hesiodLHS",
@@ -495,7 +503,8 @@
                         "passminlen":"passMinLen",
                         "passminclass":"passMinClass",
                         "passmaxrepeat":"passMaxRepeat",
-                        "passmaxclassrepeat":"passMaxClassRepeat"}
+                        "passmaxclassrepeat":"passMaxClassRepeat",
+			"faillockargs":"faillockArgs"}
 
 		for opt, aival in bool_settings.iteritems():
 			if getattr(self.options, "enable"+opt):
diff -Naur old/authinfo.py new/authinfo.py
--- old/authinfo.py	2017-03-28 14:08:03.599258069 +0200
+++ new/authinfo.py	2017-03-28 14:25:31.403421162 +0200
@@ -489,6 +489,8 @@
 	 "otp",			argv_otp_auth],
 	[False, AUTH,		LOGIC_SUFFICIENT,
 	 "winbind",		argv_winbind_auth],
+	[False,  AUTH,		LOGIC_REQUIRED,
+	 "faillock",		["authfail"]],
 	[True,  AUTH,		LOGIC_REQUIRED,
 	 "deny",		[]],
 # Account management is tricky.  Because we've implicitly committed to
@@ -508,6 +510,8 @@
 # successful call to pam_permit at the end as a requirement.
 	[False, ACCOUNT,	LOGIC_REQUIRED,
 	 "access",		[]],
+	[False, ACCOUNT,	LOGIC_REQUIRED,
+	 "faillock",		[]],
 	[True,  ACCOUNT,	LOGIC_REQUIRED,
 	 "unix",		[]],
 	[False,  ACCOUNT,	LOGIC_SUFFICIENT,
@@ -618,6 +622,8 @@
 	 "deny",		[]],
 	[False, ACCOUNT,	LOGIC_REQUIRED,
 	 "access",		[]],
+	[False, ACCOUNT,	LOGIC_REQUIRED,
+	 "faillock",		[]],
 	[True,  ACCOUNT,	LOGIC_REQUIRED,
 	 "unix",		[]],
 	[False,  ACCOUNT,	LOGIC_SUFFICIENT,
@@ -654,6 +660,8 @@
 	 "ldap",		argv_ldap_password],
 	[False, PASSWORD,	LOGIC_SUFFICIENT,
 	 "winbind",		argv_winbind_password],
+	[False,  AUTH,		LOGIC_REQUIRED,
+	 "faillock",		["authfail"]],
 	[True,  PASSWORD,	LOGIC_REQUIRED,
 	 "deny",		[]],
 	[True,  SESSION,	LOGIC_OPTIONAL,
@@ -689,10 +697,14 @@
 	 "deny",		[]],
 	[False,  AUTH,		LOGIC_SUFFICIENT,
 	 "fprintd",		[]],
+	[False,  AUTH,		LOGIC_REQUIRED,
+	 "faillock",		["authfail"]],
 	[True,  AUTH,		LOGIC_REQUIRED,
 	 "deny",		[]],
 	[False, ACCOUNT,	LOGIC_REQUIRED,
 	 "access",		[]],
+	[False, ACCOUNT,	LOGIC_REQUIRED,
+	 "faillock",		[]],
 	[True,  ACCOUNT,	LOGIC_REQUIRED,
 	 "unix",		[]],
 	[False,  ACCOUNT,	LOGIC_SUFFICIENT,
@@ -748,10 +760,14 @@
 	 "krb5",		argv_krb5_sc_auth],
 	[False, AUTH,		LOGIC_SUFFICIENT,
 	 "permit",		[]],
+	[False,  AUTH,		LOGIC_REQUIRED,
+	 "faillock",		["authfail"]],
 	[True,  AUTH,		LOGIC_REQUIRED,
 	 "deny",		[]],
 	[False, ACCOUNT,	LOGIC_REQUIRED,
 	 "access",		[]],
+	[False, ACCOUNT,	LOGIC_REQUIRED,
+	 "faillock",		[]],
 	[True,  ACCOUNT,	LOGIC_REQUIRED,
 	 "unix",		[]],
 	[False,  ACCOUNT,	LOGIC_SUFFICIENT,
@@ -1392,6 +1408,11 @@
                 self.passReqDigit = None
                 self.passReqOther = None
 
+		# Faillock
+		self.enableFaillock = None
+		self.faillockArgs = "deny=4 unlock_time=1200"
+
+
 		# Not really options.
 		self.joinUser = ""
 		self.joinPassword = ""
@@ -1453,6 +1474,7 @@
 		("enableNIS3", "b"), ("enableNIS", "b"), ("enableIPAv2", "b"),
 		("enableSSSD", "b"), ("preferDNSinHosts", "b"), ("implicitSSSD", "b")]),
 	SaveGroup(self.writePAM, None, [("pwqualityArgs", "c"), ("passwdqcArgs", "c"),
+		("faillockArgs", "c"), ("enableFaillock", "b"),
 		("localuserArgs", "c"), ("pamAccessArgs", "c"), ("enablePAMAccess", "b"),
 		("mkhomedirArgs", "c"), ("enableMkHomeDir", "b"), ("algoRounds", "c"),
 		("passwordAlgorithm", "i"), ("enableShadow", "b"), ("enableNIS", "b"),
@@ -1470,6 +1492,7 @@
 		("enableEcryptfs", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
 		("enableWinbindAuth", "b"), ("enableWinbind", "b"), ("winbindKrb5", "b"), ("enableDB", "b"),
 		("enableHesiod", "b"), ("enablePWQuality", "b"), ("enablePasswdQC", "b"),
+		("enableFaillock", "b"), ("faillockArgs", "c"),
 		("enableLocAuthorize", "b"), ("enablePAMAccess", "b"), ("enableCacheCreds", "b"),
 		("enableMkHomeDir", "b"), ("enableSysNetAuth", "b"), ("enableFprintd", "b"),
 		("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b"),
@@ -2247,6 +2270,12 @@
 			if stack == "auth":
 				if module.startswith("pam_unix"):
 					self.setParam("enableNullOk", args.find("nullok") >= 0, ref)
+				if module.startswith("pam_faillock"):
+					self.setParam("enableFaillock", True, ref)
+					if args:
+						args.replace('authfail', '').strip()
+						self.setParam("faillockArgs", args, ref)
+					continue
 			if stack == "account":
 				if module.startswith("pam_unix"):
 					self.setParam("brokenShadow", args.find("broken_shadow") >= 0, ref)
@@ -2305,6 +2334,11 @@
 			except ValueError:
 				pass
 			try:
+				self.enableFaillock = shv.getBoolValue("USEFAILLOCK")
+				self.faillockArgs = shv.getValue("FAILLOCKARGS")
+			except ValueError:
+				pass
+			try:
 				self.enableEcryptfs = shv.getBoolValue("USEECRYPTFS")
 			except ValueError:
 				pass
@@ -3912,6 +3946,8 @@
 					if (self.forceBrokenShadow or self.enableLDAPAuth or
 						self.enableKerberos or self.enableWinbindAuth):
 						output += " broken_shadow"
+			if name == "faillock" and stack == "auth":
+				args = " ".join(module[ARGV]) + " " + self.faillockArgs
 			if args:
 				output += " " + args
 		output += "\n"
@@ -3978,6 +4014,7 @@
 					(self.enableAFS and module[NAME] == "afs") or
 					(self.enableAFSKerberos and module[NAME] == "afs.krb") or
 					(self.enablePWQuality and module[NAME] == "pwquality") or
+					(self.enableFaillock and module[NAME] == "faillock") or
 					(self.enableEcryptfs and module[NAME] == "ecryptfs") or
 					(self.enableEPS and module[NAME] == "eps") or
 					((self.enableKerberos and not self.implicitSSSDAuth)and module[NAME] == "krb5" and
@@ -4039,6 +4076,8 @@
 			return False
 
 		shv.setBoolValue("USEPWQUALITY", self.enablePWQuality)
+		shv.setBoolValue("USEFAILLOCK", self.enableFaillock)
+		shv.setValue("FAILLOCKARGS", self.faillockArgs)
 		shv.setBoolValue("USEDB", self.enableDB)
 		shv.setBoolValue("USEHESIOD", self.enableHesiod)
 		shv.setBoolValue("USELDAP", self.enableLDAP)
@@ -4314,6 +4353,8 @@
 			self.passwdqcArgs)
 		print "pam_access is %s (%s)" % (formatBool(self.enablePAMAccess),
 			self.pamAccessArgs)
+		print "pam_faillock is %s (%s)" % (formatBool(self.enableFaillock),
+			self.faillockArgs)
 		print "pam_mkhomedir or pam_oddjob_mkhomedir is %s (%s)" % (formatBool(self.enableMkHomeDir),
 			self.mkhomedirArgs)
 		print "Always authorize local users is %s (%s)" % (formatBool(self.enableLocAuthorize),