google / google-authenticator-libpam

Apache License 2.0
1.76k stars 281 forks

gentoo pam system-auth changes no longer prompt for TOTP #187

Closed ThiefMaster closed 3 years ago

ThiefMaster commented 3 years ago

With the old default Gentoo PAM auth config (in /etc/pam.d/system-auth):

auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

and this module being loaded at the end of /etc/pam.d/sshd:

auth       include      system-remote-login
...
auth       required     pam_google_authenticator.so ...

I am first asked for the password, and then for a TOTP.

However, now Gentoo updated system-auth to this:

auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
auth            required        pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail

Unless I remove the last three lines (effectively disabling faillock, so not a great idea...), I am no longer asked for a TOTP at all, i.e. I can log in with just the password.

A quick workaround for me was to move the pam_google_authenticator line for sshd to the beginning (which asks for a TOTP before asking for a password), but the fact that I had to do this at all was a nasty surprise, as I would not expect an update to suddenly and silently remove the 2FA requirement from my system. I wonder if this may be a bug, either in this module or in Gentoo's pam config.

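The behaviour reported above follows from Linux-PAM's control-flag dispatch rather than from anything pam_google_authenticator does: `sufficient` expands to `[success=done new_authtok_reqd=done default=ignore]`, so a correct password at the new second pam_unix line terminates the whole flattened stack with success before sshd's own trailing lines are ever reached, and on the failure path `[default=die]` terminates it too. The simulator below is an added example, not code from google-authenticator-libpam or from Gentoo. The stacks are constructed from the issue text; it assumes that Gentoo's system-remote-login simply includes system-auth, that pam_unix succeeds on a correct password and the TOTP module on a correct code, and that pam_env, pam_permit and pam_faillock return success (faillock's lockout return is not modelled). Only the ok/done/bad/die/ignore actions are implemented; skip/jump actions are not.

```python
import re

# Linux-PAM expands the keyword controls to these action tables (pam.conf(5)).
# Only the two return values the simulation produces are listed.
CONTROL_TABLES = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_control(token):
    """Turn 'required' or '[success=ok default=die]' into an action table."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return CONTROL_TABLES[token]


def parse_stack(text, stacks):
    """Parse the auth lines of a pam.d file; 'include' is flattened in place,
    which is what Linux-PAM does for include (substack is different)."""
    lines = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        control, module = m.groups()
        if control == "include":
            lines.extend(parse_stack(stacks[module], stacks))
        else:
            lines.append((parse_control(control), module))
    return lines


def run_auth(stack, outcomes):
    """Dispatch like pam_dispatch.c: track an 'impression' and a status.
    Returns (final status, list of modules that actually ran)."""
    impression, status, executed = "undef", None, []
    for table, module in stack:
        retval = outcomes.get(module, "success")   # assumed module result
        executed.append(module)
        action = table.get(retval, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            # 'done' ends the stack only if nothing required has failed yet
            if action == "done" and impression == "positive" and status == "success":
                break
        elif action in ("bad", "die"):
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break
        else:
            raise ValueError(f"action {action!r} (skip/jump) is not modelled")
    if impression == "undef":
        status = "perm_denied"   # PAM_MUST_FAIL_CODE: no module decided
    return status, executed


# Stacks constructed from the issue text.
OLD_SYSTEM_AUTH = """
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
"""
NEW_SYSTEM_AUTH = OLD_SYSTEM_AUTH + """
auth            required        pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail
"""
# Assumption: system-remote-login just includes system-auth.
SYSTEM_REMOTE_LOGIN = "auth include system-auth\n"
SSHD_TOTP_LAST = """
auth       include      system-remote-login
auth       required     pam_google_authenticator.so
"""
SSHD_TOTP_FIRST = """
auth       required     pam_google_authenticator.so
auth       include      system-remote-login
"""


def simulate(sshd_text, system_auth_text, outcomes):
    stacks = {"system-auth": system_auth_text,
              "system-remote-login": SYSTEM_REMOTE_LOGIN}
    return run_auth(parse_stack(sshd_text, stacks), outcomes)


if __name__ == "__main__":
    good = {"pam_unix.so": "success", "pam_google_authenticator.so": "success"}
    for label, sshd, sysauth in [("old, TOTP last", SSHD_TOTP_LAST, OLD_SYSTEM_AUTH),
                                 ("new, TOTP last", SSHD_TOTP_LAST, NEW_SYSTEM_AUTH),
                                 ("new, TOTP first", SSHD_TOTP_FIRST, NEW_SYSTEM_AUTH)]:
        status, ran = simulate(sshd, sysauth, good)
        print(f"{label}: {status}, TOTP asked: {'pam_google_authenticator.so' in ran}")
```

With the updated system-auth and the TOTP line last, the run ends at the `sufficient` pam_unix line and the TOTP module never executes, which is exactly the silent loss of 2FA described above. With the TOTP line first, a failed TOTP sets a negative impression, so the later `done` no longer terminates the stack and the final result is the TOTP failure.
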
ThiefMaster commented 3 years ago

OK this doesn't look like a problem with the module, so I'm closing this.

related gentoo bugtracker entry in case anyone else has the same problem: https://bugs.gentoo.org/749156