I still maintain that's the *admin's* task, but OK... "faillog -u $USERNAME | head -1" should give you the last failed login entry for $USERNAME (if defined). However that does not mean it would be close to the time $USERNAME logs in again (unless you put a grep behind it). I don't know of a PAM module that would give you "pam_faillog" so you could use a script like "
pam_script"?