PAM: abort on locked password

to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1
2025-08-01 08:56:06 -04:00 · 2019-08-17 10:33:47 +00:00 · 2019-08-17 10:33:47 +00:00 · 41b2819ec8
commit 41b2819ec8
parent e0e25364e2
4 changed files with 26 additions and 13 deletions
--- a/usr/lib/security-misc/pam-abort-on-locked-password
+++ b/usr/lib/security-misc/pam-abort-on-locked-password
@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
+   true "INFO: Password not locked."
+else
+   echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
+
+   if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
+      if [ "$PAM_USER" = "root" ]; then
+         echo "$0: ERROR: root account is locked by default. See:" >&2
+         echo "https://www.whonix.org/wiki/root" >&2
+         echo "" >&2
+      fi
+   fi
+
+   exit 1
+fi
+
+exit 0
--- a/usr/lib/security-misc/pam_tally2-info
+++ b/usr/lib/security-misc/pam_tally2-info
@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
-   true "INFO: Password not locked."
-else
-   echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
-   if [ "$PAM_USER" = "root" ]; then
-      echo "$0: ERROR: root account is locked by default. See:" >&2
-      echo "https://www.whonix.org/wiki/root" >&2
-      echo "" >&2
-   fi
-   exit 0
-fi
-
 pam_tally2_output="$(pam_tally2 --user "$PAM_USER")"

 if [ "$pam_tally2_output" = "" ]; then