diff -up authconfig-6.2.8/authinfo.py.infoleak authconfig-6.2.8/authinfo.py
--- authconfig-6.2.8/authinfo.py.infoleak 2017-04-25 12:54:38.801372776 +0200
+++ authconfig-6.2.8/authinfo.py 2017-04-25 12:57:42.698560450 +0200
@@ -368,7 +368,7 @@ argv_otp_auth = [
 argv_succeed_if_auth = [
 "uid >=",
 "500", # this must be the second arg - to be replaced
- "quiet_success"
+ "quiet_success" # this will be replaced in the first entry
 ]
 
 argv_succeed_if_account = [
@@ -438,6 +438,10 @@ argv_lastlog_not_gdm = [
 "showfailed"
 ]
 
+argv_faildelay = [
+ "delay=2000000"
+]
+
 # Password hashing algorithms.
 password_algorithms = ["descrypt", "bigcrypt", "md5", "sha256", "sha512"]
 
@@ -457,6 +461,8 @@ pam_modules = [[] for service in (STANDA
 pam_modules[STANDARD] = [
 [True, AUTH, LOGIC_REQUIRED,
 "env", []],
+ [True, AUTH, LOGIC_REQUIRED,
+ "faildelay", argv_faildelay],
 [False, AUTH, LOGIC_SKIPNEXT,
 "succeed_if", argv_succeed_if_nonlogin],
 [False, AUTH, LOGIC_PKCS11,
@@ -468,6 +474,8 @@ pam_modules[STANDARD] = [
 [False, AUTH, LOGIC_SUFFICIENT,
 "fprintd", []],
 [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
+ "succeed_if", argv_succeed_if_auth],
+ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
 "localuser", []],
 [True, AUTH, LOGIC_SUFFICIENT,
 "unix", argv_unix_auth],
@@ -594,9 +602,13 @@ pam_modules[POSTLOGIN] = [
 pam_modules[PASSWORD_ONLY] = [
 [True, AUTH, LOGIC_REQUIRED,
 "env", []],
+ [True, AUTH, LOGIC_REQUIRED,
+ "faildelay", argv_faildelay],
 [False, AUTH, LOGIC_REQUIRED,
 "deny", []],
 [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
+ "succeed_if", argv_succeed_if_auth],
+ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
 "localuser", []],
 [True, AUTH, LOGIC_SUFFICIENT,
 "unix", argv_unix_auth],
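Review bot: `argv_faildelay` hard-codes `"delay=2000000"` without stating the unit or why this value was chosen. pam_faildelay reads `delay=` in microseconds, so this is a two-second delay on failed authentication; I would add `# pam_faildelay delay is in microseconds: 2 s on every failed auth` above the list. If the purpose is to make failures take the same time whichever module rejects the user (the patch is named `infoleak`, so presumably yes), say that in the comment too, since a later tidy-up could otherwise drop the entry as redundant with pam_unix's own failure delay.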
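Review bot: The `faildelay` entry is added to `pam_modules[STANDARD]` here and to `pam_modules[PASSWORD_ONLY]` in the hunk at -594, and to no other service stack in this patch. Any other stack in `pam_modules` that can reach a remote lookup would keep its previous failure timing; those definitions are outside the hunks, so this may be intended, but it should be confirmed and recorded. Its first field is `True` where the neighbouring optional modules use `False`, which presumably means it is written regardless of the enabled features; a one-line comment such as `# always present: fixed delay on auth failure` would make that deliberate.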
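Review bot: Two consecutive `LOGIC_SKIPNEXT_ON_FAILURE` entries (`succeed_if`, then `localuser`) now decide whether `unix` is consulted, and nothing in the list explains the intended flow. Judging by the constant name, a failing uid test skips `localuser` and falls through to `unix`, while a passing one lets `localuser` decide; reordering the pair or inserting a module between them would silently change which accounts reach `unix`. I would put a comment above the pair, e.g. `# uid gate: accounts below the minimum uid bypass the localuser test; keep these two entries adjacent`, and repeat it in `pam_modules[PASSWORD_ONLY]` (hunk at -594).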
@@ -3948,6 +3960,8 @@ class AuthInfo:
 output += " broken_shadow"
 if name == "faillock" and stack == "auth":
 args = " ".join(module[ARGV]) + " " + self.faillockArgs
+ if name == "succeed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
+ args = args.replace("quiet_success", "quiet")
 if args:
 output += " " + args
 output += "\n"
@@ -4035,7 +4049,9 @@ class AuthInfo:
 (self.enableWinbindAuth and module[NAME] == "winbind") or
 ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss" and module[ARGV] != argv_sssd_missing_name) or
 ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
- (not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
+ (not self.enableNIS) and (module[NAME] == "localuser" or
+ (module[NAME] == "succeed_if" and module[LOGIC] == LOGIC_SKIPNEXT_ON_FAILURE and not self.enableSysNetAuth))
+ and module[STACK] == AUTH) or
 (self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
 (self.enablePAMAccess and module[NAME] == "access") or
 (self.enableMkHomeDir and module[NAME] == "mkhomedir") or
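Review bot: `args.replace("quiet_success", "quiet")` rewrites the already-joined argument string and selects the entry by module name, stack and logic value rather than by the entry itself. Any later `succeed_if` auth entry that uses `LOGIC_SKIPNEXT_ON_FAILURE` would get the same rewrite, and the line assumes `args` was bound earlier in the method, outside this hunk. Replacing the whole token is safer than a substring match: `args = " ".join("quiet" if a == "quiet_success" else a for a in args.split(" "))`. A comment should also say why this entry is quieter, e.g. `# failing the uid gate is normal for system accounts, so do not log it`; the comment added at `argv_succeed_if_auth` ("replaced in the first entry") does not say by what or where.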
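Review bot: The new clause `not self.enableSysNetAuth` applies only to the `succeed_if` alternative, so with that option set the `localuser` entry is still emitted while the uid gate in front of it is not, and the hunk gives no reason for the difference. Please add a comment above the `(not self.enableNIS)` line, for example `# uid gate is emitted only when system accounts are local (no sysnetauth)`, adjusted to the real intent. The condition is also long enough that a named local such as `is_uid_gate = module[NAME] == "succeed_if" and module[LOGIC] == LOGIC_SKIPNEXT_ON_FAILURE` would make its grouping with `and module[STACK] == AUTH` easier to verify. The enclosing boolean expression starts and ends outside the hunk.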