After a bit more reading-up I see most of this should be possible by simply updating the default configuration in /etc/pam.d.
The delay can be removed by adding a parameter to common-auth's pam_unix, and the counting by using pam_tally. I can't figure out how to add a growing timeout; perhaps a new module is needed, that might need a new module.
I'm moving this to pam-runtime, as it's a PAM configuration issue rather than a sudo problem. I see pam-runtime owns /etc/pam.d/other, but I can't figure out which package owns the /etc/pam.d/common-* files; pam-runtime has them listed in /usr/share/pam, but I don't know how they get into /etc/pam.d. Please leave a note if you know.