Comment 3 for bug 1877179

Andy (andy.wrs) wrote :

For the sysadmin OS user, it can be locked out only when it is used to ssh to the system, and when it is the "su" target user. The failed auth lockout is imposed by the pam tally2 module, which is configured to be used by sshd and su. Once configured, the rule applies to all users; there is no way to exempt a particular user (other than root) from the rule.

From a security point of view, imposing failed auth lockout and unlocking it for a short period of time (5 min in the current configuration) is a balance between scenarios where, on one side, not letting unlimited login attempts, and on the other side, not preventing the user login for too long after lockout (thus impacting system administration tasks).

So it is decided that we keep the current failed auth lockout rule for sysadmin.
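
As an added illustration (not part of the comment above and not the project's own code), this sketch audits which PAM service stacks invoke `pam_tally2.so` and with which lockout parameters. The stack contents are constructed samples: `unlock_time=300` reflects the 5 minutes mentioned in the comment, while `deny=5` and the `login` stack are assumed values.

```python
import shlex

# Constructed sample PAM stacks (NOT the project's real files).
# unlock_time=300 mirrors the 5 minutes in the comment; deny=5 is assumed.
SAMPLE_STACKS = {
    "sshd": "# constructed sample\n"
            "auth required pam_tally2.so deny=5 unlock_time=300 onerr=fail\n"
            "auth include common-auth\n",
    "su": "auth sufficient pam_rootok.so\n"
          "auth required pam_tally2.so deny=5 unlock_time=300 onerr=fail\n"
          "auth include common-auth\n",
    "login": "auth include common-auth\n",
}


def tally2_policy(stacks):
    """Return {service: policy} for each service whose auth stack calls pam_tally2."""
    result = {}
    for service, text in stacks.items():
        for line in text.splitlines():
            fields = shlex.split(line, comments=True)
            if not fields or fields[0].lstrip("-") != "auth":
                continue
            # Locate the module token; this also copes with bracketed controls
            # such as "[success=1 default=ignore]" that split into several fields.
            idx = next((i for i, f in enumerate(fields)
                        if f.rsplit("/", 1)[-1] == "pam_tally2.so"), None)
            if idx is None:
                continue
            # "key=value" arguments become {key: value}; bare flags map to "".
            opts = dict(a.partition("=")[::2] for a in fields[idx + 1:])
            result[service] = {
                "deny": int(opts["deny"]) if "deny" in opts else None,
                # None means no automatic unlock is configured.
                "unlock_time": int(opts["unlock_time"]) if "unlock_time" in opts else None,
                # Root is counted against the limit only with even_deny_root.
                "root_exempt": "even_deny_root" not in opts,
            }
    return result


if __name__ == "__main__":
    for svc, policy in sorted(tally2_policy(SAMPLE_STACKS).items()):
        print(svc, policy)
```

Services missing from the result (here the constructed `login` stack) have no failed-auth lockout applied through this module.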