From 6033de78152cb5d7a9659f58aa8035ae2a7d6532 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 15 Nov 2022 11:58:50 -0500
Subject: [PATCH 01/27] debugging

---
 usr/libexec/security-misc/pam-info | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 906fc0d..e2be3d0 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -3,6 +3,8 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+true "$0: START"
+
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 
 ## Check if grep matched something.
@@ -151,4 +153,6 @@ if [ "$PAM_SERVICE" = "su" ]; then
    echo "" >&2
 fi
 
+true "$0: END"
+
 exit 0

From 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 15 Nov 2022 12:00:59 -0500
Subject: [PATCH 02/27] comments

---
 usr/libexec/security-misc/pam-info | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index e2be3d0..4b09ef8 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -3,6 +3,9 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+#set -x
+#exec 5>&1 1>> ~/pam-info-debug.txt
+#exec 6>&2 2>> ~/pam-info-debug.txt
 true "$0: START"
 
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"

From 95487346dbb18c4ac9133fc21b4abed12dc346b3 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 15 Nov 2022 12:29:41 -0500
Subject: [PATCH 03/27] pam-info: create debug log file ~/pam-info-debug.txt

when file /etc/pam-info-debug exists
---
 usr/libexec/security-misc/pam-info | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 4b09ef8..9872e15 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -3,10 +3,21 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-#set -x
-#exec 5>&1 1>> ~/pam-info-debug.txt
-#exec 6>&2 2>> ~/pam-info-debug.txt
-true "$0: START"
+## To enable debug log, run:
+## /etc/pam-info-debug
+##
+## Debug log if enabled can be found in file:
+## /root/pam-info-debug.txt
+
+true "$0: START PHASE 1"
+
+if test -f /etc/pam-info-debug ; then
+   set -x
+   exec 5>&1 1>> ~/pam-info-debug.txt
+   exec 6>&2 2>> ~/pam-info-debug.txt
+fi
+
+true "$0: START PHASE 2"
 
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 

From 23b936b573c8989222a50d1ef8c35dc95589bb0e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 15 Nov 2022 12:31:14 -0500
Subject: [PATCH 04/27] also support /usr/local/etc/pam-info-debug

---
 usr/libexec/security-misc/pam-info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 9872e15..1799826 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -11,7 +11,7 @@
 
 true "$0: START PHASE 1"
 
-if test -f /etc/pam-info-debug ; then
+if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then
    set -x
    exec 5>&1 1>> ~/pam-info-debug.txt
    exec 6>&2 2>> ~/pam-info-debug.txt

From e5d7ab7082908e64596ccd1da835a781cae22456 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 15 Nov 2022 12:44:12 -0500
Subject: [PATCH 05/27] comment

---
 usr/libexec/security-misc/pam-info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 1799826..cdccbb8 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -4,7 +4,7 @@
 ## See the file COPYING for copying conditions.
 
 ## To enable debug log, run:
-## /etc/pam-info-debug
+## sudo touch /etc/pam-info-debug
 ##
 ## Debug log if enabled can be found in file:
 ## /root/pam-info-debug.txt

From bb6b509d06a1ae34ee407cb309c530e5dddfedfd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed, 16 Nov 2022 01:44:21 -0500
Subject: [PATCH 06/27] pam-info refactoring

---
 usr/libexec/security-misc/pam-info | 34 ++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index cdccbb8..6a065fe 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -19,6 +19,11 @@ fi
 
 true "$0: START PHASE 2"
 
+set -o pipefail
+
+## Debugging.
+who_ami="$(whoami)"
+
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 
 ## Check if grep matched something.
@@ -104,12 +109,16 @@ fi
 ## 2021-08-10 16:26:33 RHOST                                                      V
 ## 2021-08-10 16:26:54 RHOST                                                      V
 
-pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)"
+## Get first line.
+#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
+echo "$pam_faillock_output" | read -t 10 -r pam_faillock_output_first_line || true
+
+## example pam_faillock_output_first_line:
+## user:
+
 user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")"
-
-pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
-
-failed_login_counter=$(( pam_faillock_output_count - 2 ))
+## example user_name:
+## user
 
 if [ ! "$PAM_USER" = "$user_name" ]; then
    echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2
@@ -118,12 +127,25 @@ if [ ! "$PAM_USER" = "$user_name" ]; then
    exit 0
 fi
 
+pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
+## example pam_faillock_output_count:
+## 2
+## example pam_faillock_output_count:
+## 4
+
+## Do not count the first two informational textual output lines
+## (starting with "user:" and "When").
+failed_login_counter=$(( pam_faillock_output_count - 2 ))
+
+## example failed_login_counter:
+## 2
+
 if [ "$failed_login_counter" = "0" ]; then
    true "$0: INFO: Failed login counter is 0, ok."
    exit 0
 fi
 
-## pam_faillock default
+## pam_faillock default if it cannot be determined below.
 deny=3
 
 if test -f /etc/security/faillock.conf ; then

From ae113442a162969561a24fcf17718ceb6a11d928 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed, 16 Nov 2022 01:49:45 -0500
Subject: [PATCH 07/27] pam-info refactoring

---
 usr/libexec/security-misc/pam-info | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 6a065fe..f62982a 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -95,20 +95,27 @@ fi
 #    fi
 # fi
 
-## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
-pam_faillock_output="$(faillock --user "$PAM_USER")" || true
+## Checking exit code to avoid breaking when read-only disk boot without ro-mode-init or grub-live.
+if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then
+   true "$0: faillock non-zero exit code."
+   exit 0
+fi
 
 if [ "$pam_faillock_output" = "" ]; then
    true "$0: no failed login"
    exit 0
 fi
 
-## Example:
+## example pam_faillock_output (stdout):
 ## user:
 ## When                Type  Source                                           Valid
 ## 2021-08-10 16:26:33 RHOST                                                      V
 ## 2021-08-10 16:26:54 RHOST                                                      V
 
+## example pam_faillock_output (stderr):
+## faillock: No user name supplied.
+## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
+
 ## Get first line.
 #pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
 echo "$pam_faillock_output" | read -t 10 -r pam_faillock_output_first_line || true

From f59f959a8d43ebd80a4037e65ec26df7143bcaf5 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed, 16 Nov 2022 01:55:14 -0500
Subject: [PATCH 08/27] pam-info fix

---
 usr/libexec/security-misc/pam-info | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index f62982a..b16f84b 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -118,8 +118,11 @@ fi
 
 ## Get first line.
 #pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
-echo "$pam_faillock_output" | read -t 10 -r pam_faillock_output_first_line || true
+while read -t 10 -r pam_faillock_output_first_line ; do
+   break
+done <<< "$pam_faillock_output"
 
+true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
 ## example pam_faillock_output_first_line:
 ## user:
 

From 487f63bb01c6dfc71d0e4efef2c70dae94093dce Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed, 16 Nov 2022 01:56:01 -0500
Subject: [PATCH 09/27] comment

---
 usr/libexec/security-misc/pam-info | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index b16f84b..0d9b4f3 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -95,7 +95,8 @@ fi
 #    fi
 # fi
 
-## Checking exit code to avoid breaking when read-only disk boot without ro-mode-init or grub-live.
+## Checking exit code to avoid breaking when read-only disk boot but
+## without ro-mode-init or grub-live being used.
 if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then
    true "$0: faillock non-zero exit code."
    exit 0

From caf0099064747a2048363e3600a53af51df549ad Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed, 16 Nov 2022 02:00:32 -0500
Subject: [PATCH 10/27] pam-info refactoring

---
 usr/libexec/security-misc/pam-info | 34 +++++++++++++++---------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 0d9b4f3..2140026 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -24,6 +24,23 @@ set -o pipefail
 ## Debugging.
 who_ami="$(whoami)"
 
+if [ ! "$(id -u)" = "0" ]; then
+   ## as user "user"
+   ## /usr/sbin/faillock -u user
+   ## faillock: Error opening /var/log/tallylog for update: Permission denied
+   ## /usr/sbin/faillock: Authentication error
+   ##
+   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
+   ## xscreensaver has its own failed login counter.
+   ##
+   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+   ##
+   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+   ## TODO: echo -> true
+   echo "$0: not started as root, exiting."
+   exit 0
+fi
+
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 
 ## Check if grep matched something.
@@ -62,23 +79,6 @@ fi
 
 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
 
-if [ ! "$(id -u)" = "0" ]; then
-   ## as user "user"
-   ## /usr/sbin/faillock -u user
-   ## faillock: Error opening /var/log/tallylog for update: Permission denied
-   ## /usr/sbin/faillock: Authentication error
-   ##
-   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
-   ## xscreensaver has its own failed login counter.
-   ##
-   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
-   ##
-   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
-   ## TODO: echo -> true
-   echo "$0: not started as root, exiting."
-   exit 0
-fi
-
 ## Does not work (yet) for login, pam_securetty runs before and aborts.
 ## Also this should only run for login since securetty covers only login.
 # if [ "$PAM_USER" = "root" ]; then

From 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed, 16 Nov 2022 02:01:23 -0500
Subject: [PATCH 11/27] pam-info refactoring

---
 usr/libexec/security-misc/pam-info | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 2140026..c751e2d 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -41,6 +41,11 @@ if [ ! "$(id -u)" = "0" ]; then
    exit 0
 fi
 
+if ! command -v "faillock" &>/dev/null; then
+   echo "$0: The faillock program is unavailable, exiting."
+   exit 0
+fi
+
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 
 ## Check if grep matched something.

From d419898ee494fb159ed6811a719dbb4a5ffb469a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 17 Nov 2022 10:15:36 -0500
Subject: [PATCH 12/27] bumped changelog version

---
 changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog   |  6 ++++
 2 files changed, 80 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 12bbc46..e2ffcff 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,77 @@
+commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 02:01:23 2022 -0500
+
+    pam-info refactoring
+
+commit caf0099064747a2048363e3600a53af51df549ad
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 02:00:32 2022 -0500
+
+    pam-info refactoring
+
+commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:56:01 2022 -0500
+
+    comment
+
+commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:55:14 2022 -0500
+
+    pam-info fix
+
+commit ae113442a162969561a24fcf17718ceb6a11d928
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:49:45 2022 -0500
+
+    pam-info refactoring
+
+commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Nov 16 01:44:21 2022 -0500
+
+    pam-info refactoring
+
+commit e5d7ab7082908e64596ccd1da835a781cae22456
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:44:12 2022 -0500
+
+    comment
+
+commit 23b936b573c8989222a50d1ef8c35dc95589bb0e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:31:14 2022 -0500
+
+    also support /usr/local/etc/pam-info-debug
+
+commit 95487346dbb18c4ac9133fc21b4abed12dc346b3
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:29:41 2022 -0500
+
+    pam-info: create debug log file ~/pam-info-debug.txt
+    
+    when file /etc/pam-info-debug exists
+
+commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 12:00:59 2022 -0500
+
+    comments
+
+commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 15 11:58:50 2022 -0500
+
+    debugging
+
+commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Aug 24 18:28:39 2022 -0400
+
+    bumped changelog version
+
 commit cdfc175953a8ab358bb8e6db2610df11733ba258
 Merge: ff84514 ae4d498
 Author: Patrick Schleizer <adrelanos@whonix.org>
diff --git a/debian/changelog b/debian/changelog
index 5367362..c38ad9f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.0-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 17 Nov 2022 15:15:36 +0000
+
 security-misc (3:25.9-1) unstable; urgency=medium
 
   * New upstream version (local package).

From e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 22 Nov 2022 05:57:30 -0500
Subject: [PATCH 13/27] pam-info: support non-root environments (such as during
 graphical display manager login and xscreensaver)

---
 etc/sudoers.d/security-misc        |  3 +++
 usr/bin/faillock-user              | 35 ++++++++++++++++++++++++++++++
 usr/libexec/security-misc/pam-info | 24 +++++---------------
 3 files changed, 44 insertions(+), 18 deletions(-)
 create mode 100755 usr/bin/faillock-user

diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index f6bf3a6..9b3404d 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -3,3 +3,6 @@
 
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+user ALL=NOPASSWD: /usr/bin/faillock-user
+%sudo ALL=NOPASSWD: /usr/bin/faillock-user
diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
new file mode 100755
index 0000000..fac1da8
--- /dev/null
+++ b/usr/bin/faillock-user
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if ! command -v "/usr/sbin/faillock" &>/dev/null; then
+   true "$0: ERROR: The faillock program is unavailable, exiting."
+   exit 2
+fi
+
+who_ami="$(whoami)"
+
+if [ "$(id -u)" = "0" ]; then
+   faillock_program="/usr/sbin/faillock"
+else
+   ## as user "user"
+   ## /usr/sbin/faillock -u user
+   ## faillock: Error opening /var/log/tallylog for update: Permission denied
+   ## /usr/sbin/faillock: Authentication error
+   ##
+   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
+   ## xscreensaver has its own failed login counter.
+   ##
+   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+   ##
+   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+   #true "$0: not started as root, exiting."
+   #exit 0
+
+   faillock_program="sudo --non-interactive /usr/sbin/faillock"
+fi
+
+$faillock_program --user "$who_ami"
+
+exit $?
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index c751e2d..d16a584 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -24,25 +24,13 @@ set -o pipefail
 ## Debugging.
 who_ami="$(whoami)"
 
-if [ ! "$(id -u)" = "0" ]; then
-   ## as user "user"
-   ## /usr/sbin/faillock -u user
-   ## faillock: Error opening /var/log/tallylog for update: Permission denied
-   ## /usr/sbin/faillock: Authentication error
-   ##
-   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
-   ## xscreensaver has its own failed login counter.
-   ##
-   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
-   ##
-   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
-   ## TODO: echo -> true
-   echo "$0: not started as root, exiting."
+if [ "$PAM_USER" = "" ]; then
+   true "$0: ERROR: Environment variable PAM_USER is unset!"
    exit 0
 fi
 
-if ! command -v "faillock" &>/dev/null; then
-   echo "$0: The faillock program is unavailable, exiting."
+if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
+   true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
    exit 0
 fi
 
@@ -102,8 +90,8 @@ fi
 
 ## Checking exit code to avoid breaking when read-only disk boot but
 ## without ro-mode-init or grub-live being used.
-if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then
-   true "$0: faillock non-zero exit code."
+if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then
+   true "$0: /usr/bin/faillock-user non-zero exit code."
    exit 0
 fi
 

From d7222b5678aa182866c389d8a88f55b6488e74e0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 22 Nov 2022 06:03:13 -0500
Subject: [PATCH 14/27] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index e2ffcff..c100eed 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 22 05:57:30 2022 -0500
+
+    pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
+
+commit d419898ee494fb159ed6811a719dbb4a5ffb469a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 17 10:15:36 2022 -0500
+
+    bumped changelog version
+
 commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed Nov 16 02:01:23 2022 -0500
diff --git a/debian/changelog b/debian/changelog
index c38ad9f..a7624d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.1-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 22 Nov 2022 11:03:13 +0000
+
 security-misc (3:26.0-1) unstable; urgency=medium
 
   * New upstream version (local package).

From 497b5b45442b1293b130fef63de1b84d091d27eb Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:14:04 -0500
Subject: [PATCH 15/27] fix

---
 usr/bin/faillock-user              |  8 +++++++-
 usr/libexec/security-misc/pam-info | 16 +++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
index fac1da8..fd491f1 100755
--- a/usr/bin/faillock-user
+++ b/usr/bin/faillock-user
@@ -10,6 +10,12 @@ fi
 
 who_ami="$(whoami)"
 
+if [ "$SUDO_USER" = "" ]; then
+   user_to_check="$who_ami"
+else
+   user_to_check="$SUDO_USER"
+fi
+
 if [ "$(id -u)" = "0" ]; then
    faillock_program="/usr/sbin/faillock"
 else
@@ -30,6 +36,6 @@ else
    faillock_program="sudo --non-interactive /usr/sbin/faillock"
 fi
 
-$faillock_program --user "$who_ami"
+$faillock_program --user "$user_to_check"
 
 exit $?
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index d16a584..0210634 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -21,14 +21,14 @@ true "$0: START PHASE 2"
 
 set -o pipefail
 
-## Debugging.
-who_ami="$(whoami)"
-
 if [ "$PAM_USER" = "" ]; then
    true "$0: ERROR: Environment variable PAM_USER is unset!"
    exit 0
 fi
 
+## Debugging.
+who_ami="$(whoami)"
+
 if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
    true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
    exit 0
@@ -123,13 +123,7 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
 user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")"
 ## example user_name:
 ## user
-
-if [ ! "$PAM_USER" = "$user_name" ]; then
-   echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2
-   echo "$0: ERROR: Please report this bug." >&2
-   echo "" >&2
-   exit 0
-fi
+## root
 
 pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
 ## example pam_faillock_output_count:
@@ -183,7 +177,7 @@ if [ "$remaining_attempts" -le "0" ]; then
    exit 0
 fi
 
-echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
+echo "$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'." >&2
 echo "$0: Login will be blocked after $deny attempts." >&2
 echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
 echo "" >&2

From 97722d1926bc106a0645783fcb55b7d5691c873b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:14:15 -0500
Subject: [PATCH 16/27] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index c100eed..3d897e4 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 497b5b45442b1293b130fef63de1b84d091d27eb
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:14:04 2022 -0500
+
+    fix
+
+commit d7222b5678aa182866c389d8a88f55b6488e74e0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 22 06:03:13 2022 -0500
+
+    bumped changelog version
+
 commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue Nov 22 05:57:30 2022 -0500
diff --git a/debian/changelog b/debian/changelog
index a7624d3..ced8f30 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.2-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 11:14:15 +0000
+
 security-misc (3:26.1-1) unstable; urgency=medium
 
   * New upstream version (local package).

From e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:24:14 -0500
Subject: [PATCH 17/27] debugging

---
 usr/bin/faillock-user | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
index fd491f1..083615c 100755
--- a/usr/bin/faillock-user
+++ b/usr/bin/faillock-user
@@ -3,6 +3,16 @@
 ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+true "$0: START PHASE 1"
+
+if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then
+   set -x
+   exec 5>&1 1>> ~/pam-info-debug.txt
+   exec 6>&2 2>> ~/pam-info-debug.txt
+fi
+
+true "$0: START PHASE 2"
+
 if ! command -v "/usr/sbin/faillock" &>/dev/null; then
    true "$0: ERROR: The faillock program is unavailable, exiting."
    exit 2

From 36454c2dbf43de4805f2f156b05d263c37b9615a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:25:47 -0500
Subject: [PATCH 18/27] debugging

---
 usr/bin/faillock-user | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
index 083615c..ffe1988 100755
--- a/usr/bin/faillock-user
+++ b/usr/bin/faillock-user
@@ -20,6 +20,8 @@ fi
 
 who_ami="$(whoami)"
 
+true "$0: SUDO_USER: $SUDO_USER"
+
 if [ "$SUDO_USER" = "" ]; then
    user_to_check="$who_ami"
 else

From d05c10172178d04781976026243297fa153125a0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:31:24 -0500
Subject: [PATCH 19/27] debugging

---
 usr/bin/faillock-user              | 4 +++-
 usr/libexec/security-misc/pam-info | 9 ++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
index ffe1988..e8cf697 100755
--- a/usr/bin/faillock-user
+++ b/usr/bin/faillock-user
@@ -18,8 +18,10 @@ if ! command -v "/usr/sbin/faillock" &>/dev/null; then
    exit 2
 fi
 
+## Debugging.
 who_ami="$(whoami)"
-
+true "$0: who_ami: $who_ami"
+true "$0: PAM_USER: $PAM_USER"
 true "$0: SUDO_USER: $SUDO_USER"
 
 if [ "$SUDO_USER" = "" ]; then
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 0210634..ab5f85f 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -21,14 +21,17 @@ true "$0: START PHASE 2"
 
 set -o pipefail
 
+## Debugging.
+who_ami="$(whoami)"
+true "$0: who_ami: $who_ami"
+true "$0: PAM_USER: $PAM_USER"
+true "$0: SUDO_USER: $SUDO_USER"
+
 if [ "$PAM_USER" = "" ]; then
    true "$0: ERROR: Environment variable PAM_USER is unset!"
    exit 0
 fi
 
-## Debugging.
-who_ami="$(whoami)"
-
 if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
    true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
    exit 0

From 73963a9e6847fd8099093da1253267d79db7d261 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:31:37 -0500
Subject: [PATCH 20/27] bumped changelog version

---
 changelog.upstream | 24 ++++++++++++++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 30 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 3d897e4..46ad6d7 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,27 @@
+commit d05c10172178d04781976026243297fa153125a0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:31:24 2022 -0500
+
+    debugging
+
+commit 36454c2dbf43de4805f2f156b05d263c37b9615a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:25:47 2022 -0500
+
+    debugging
+
+commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:24:14 2022 -0500
+
+    debugging
+
+commit 97722d1926bc106a0645783fcb55b7d5691c873b
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:14:15 2022 -0500
+
+    bumped changelog version
+
 commit 497b5b45442b1293b130fef63de1b84d091d27eb
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Thu Nov 24 06:14:04 2022 -0500
diff --git a/debian/changelog b/debian/changelog
index ced8f30..0f2b02a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.3-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 11:31:37 +0000
+
 security-misc (3:26.2-1) unstable; urgency=medium
 
   * New upstream version (local package).

From 39b35ef9ac7489685df5486334a0acf5936e9b47 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:49:15 -0500
Subject: [PATCH 21/27] fix

---
 usr/bin/faillock-user              | 24 +++---------------------
 usr/libexec/security-misc/pam-info | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
index e8cf697..aabdd1e 100755
--- a/usr/bin/faillock-user
+++ b/usr/bin/faillock-user
@@ -30,26 +30,8 @@ else
    user_to_check="$SUDO_USER"
 fi
 
-if [ "$(id -u)" = "0" ]; then
-   faillock_program="/usr/sbin/faillock"
-else
-   ## as user "user"
-   ## /usr/sbin/faillock -u user
-   ## faillock: Error opening /var/log/tallylog for update: Permission denied
-   ## /usr/sbin/faillock: Authentication error
-   ##
-   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
-   ## xscreensaver has its own failed login counter.
-   ##
-   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
-   ##
-   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
-   #true "$0: not started as root, exiting."
-   #exit 0
-
-   faillock_program="sudo --non-interactive /usr/sbin/faillock"
-fi
-
-$faillock_program --user "$user_to_check"
+faillock --user "$user_to_check"
 
+## Debugging.
+## Explicit "exit $?" to have it recorded in the xtrace if enabled.
 exit $?
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index ab5f85f..3da4d11 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -91,9 +91,21 @@ fi
 #    fi
 # fi
 
+## as user "user"
+## /usr/sbin/faillock -u user
+## faillock: Error opening /var/log/tallylog for update: Permission denied
+## /usr/sbin/faillock: Authentication error
+##
+## xscreensaver runs as user "user", therefore pam_faillock cannot function.
+## xscreensaver has its own failed login counter.
+##
+## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+##
+## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+##
 ## Checking exit code to avoid breaking when read-only disk boot but
 ## without ro-mode-init or grub-live being used.
-if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then
+if ! pam_faillock_output="$(sudo --non-interactive /usr/bin/faillock-user)" ; then
    true "$0: /usr/bin/faillock-user non-zero exit code."
    exit 0
 fi

From 4601e106c4823f2cb0dc7a8ba601670395c96326 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 06:49:26 -0500
Subject: [PATCH 22/27] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 46ad6d7..6f034ed 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 39b35ef9ac7489685df5486334a0acf5936e9b47
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:49:15 2022 -0500
+
+    fix
+
+commit 73963a9e6847fd8099093da1253267d79db7d261
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:31:37 2022 -0500
+
+    bumped changelog version
+
 commit d05c10172178d04781976026243297fa153125a0
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Thu Nov 24 06:31:24 2022 -0500
diff --git a/debian/changelog b/debian/changelog
index 0f2b02a..02fd616 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 11:49:25 +0000
+
 security-misc (3:26.3-1) unstable; urgency=medium
 
   * New upstream version (local package).

From a806c782d78d691617dd650808a0403ce72d4a1a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 07:00:23 -0500
Subject: [PATCH 23/27] fix

---
 usr/libexec/security-misc/pam-info | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 3da4d11..e9441a2 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -32,11 +32,6 @@ if [ "$PAM_USER" = "" ]; then
    exit 0
 fi
 
-if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
-   true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
-   exit 0
-fi
-
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 
 ## Check if grep matched something.
@@ -105,8 +100,8 @@ fi
 ##
 ## Checking exit code to avoid breaking when read-only disk boot but
 ## without ro-mode-init or grub-live being used.
-if ! pam_faillock_output="$(sudo --non-interactive /usr/bin/faillock-user)" ; then
-   true "$0: /usr/bin/faillock-user non-zero exit code."
+if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then
+   true "$0: faillock non-zero exit code."
    exit 0
 fi
 

From ad1e722879ef049ef421f0062ee383770d66bfee Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 07:00:33 -0500
Subject: [PATCH 24/27] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 6f034ed..7e718a8 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit a806c782d78d691617dd650808a0403ce72d4a1a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:00:23 2022 -0500
+
+    fix
+
+commit 4601e106c4823f2cb0dc7a8ba601670395c96326
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 06:49:26 2022 -0500
+
+    bumped changelog version
+
 commit 39b35ef9ac7489685df5486334a0acf5936e9b47
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Thu Nov 24 06:49:15 2022 -0500
diff --git a/debian/changelog b/debian/changelog
index 02fd616..c053659 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 12:00:33 +0000
+
 security-misc (3:26.4-1) unstable; urgency=medium
 
   * New upstream version (local package).

From 421f03ae9e648d366146415532d4dd9dda106980 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 07:20:56 -0500
Subject: [PATCH 25/27] fix

---
 usr/libexec/security-misc/pam-info | 78 ++++++++++++++++--------------
 1 file changed, 42 insertions(+), 36 deletions(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index e9441a2..381bedc 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -52,17 +52,18 @@ if [ ! "$grep_result" = "" ]; then
       fi
 
       if [ ! "$console_allowed" = "true" ]; then
-         echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2
-         echo "$0: To unlock, run the following command as superuser:" >&2
-         echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
-         echo "" >&2
-         echo "adduser $PAM_USER console" >&2
-         echo "" >&2
-         echo "$0: However, possibly unlock procedure is required." >&2
-         echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
-         echo "$0: See also:" >&2
-         echo "https://www.kicksecure.com/wiki/root#console" >&2
-         echo "" >&2
+         echo "\
+$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
+To unlock, run the following command as superuser:
+(If you still have a sudo/root shell somewhere.)
+
+adduser $PAM_USER console
+
+However, possibly unlock procedure is required.
+First boot into recovery mode at grub boot menu and then run above command.
+See also:
+https://www.kicksecure.com/wiki/root#console
+" >&2
          exit 0
       fi
    fi
@@ -76,11 +77,12 @@ fi
 #    if [ -f /etc/securetty ]; then
 #       grep_result="$(grep "^[^#]" /etc/securetty)"
 #       if [ "$grep_result" = "" ]; then
-#          echo "$0: ERROR: Root login is disabled." >&2
-#          echo "$0: ERROR: This is because /etc/securetty is empty." >&2
-#          echo "$0: See also:" >&2
-#          echo "https://www.kicksecure.com/wiki/root#login" >&2
-#          echo "" >&2
+#          echo "\
+# $0: ERROR: Root login is disabled.
+# ERROR: This is because /etc/securetty is empty.
+# See also:
+# https://www.kicksecure.com/wiki/root#login
+# " >&2
 #          exit 0
 #       fi
 #    fi
@@ -164,37 +166,41 @@ if test -f /etc/security/faillock.conf ; then
 fi
 
 if [[ "$deny" == *[!0-9]* ]]; then
-   echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2
-   echo "$0: ERROR: Please report this bug." >&2
-   echo "" >&2
+   echo "\
+$0: ERROR: deny is not numeric. deny: '$deny'
+ERROR: Please report this bug.
+" >&2
    exit 0
 fi
 
 remaining_attempts="$(( $deny - $failed_login_counter ))"
 
 if [ "$remaining_attempts" -le "0" ]; then
-   echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
-   echo "$0: To unlock, run the following command as superuser:" >&2
-   echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
-   echo "" >&2
-   echo "faillock --reset --user $PAM_USER" >&2
-   echo "" >&2
-   echo "$0: However, most likely unlock procedure is required." >&2
-   echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
-   echo "$0: See also:" >&2
-   echo "https://www.kicksecure.com/wiki/root#unlock" >&2
-   echo "" >&2
+   echo "\
+$0: ERROR: Login blocked after $failed_login_counter attempts.
+To unlock, run the following command as superuser:
+(If you still have a sudo/root shell somewhere.)
+
+faillock --reset --user $PAM_USER
+
+However, most likely unlock procedure is required.
+First boot into recovery mode at grub boot menu and then run above command.
+See also:
+https://www.kicksecure.com/wiki/root#unlock
+" >&2
    exit 0
 fi
 
-echo "$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'." >&2
-echo "$0: Login will be blocked after $deny attempts." >&2
-echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
-echo "" >&2
+echo "\
+$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
+Login will be blocked after $deny attempts.
+You have $remaining_attempts more attempts before unlock procedure is required.
+" >&2
 
 if [ "$PAM_SERVICE" = "su" ]; then
-   echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
-   echo "" >&2
+   echo "\
+$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
+" >&2
 fi
 
 true "$0: END"

From 6d7a78262464c054c46df155605a480f1b32f22c Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 07:21:46 -0500
Subject: [PATCH 26/27] fix

---
 etc/sudoers.d/security-misc |  2 --
 usr/bin/faillock-user       | 37 -------------------------------------
 2 files changed, 39 deletions(-)
 delete mode 100755 usr/bin/faillock-user

diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index 9b3404d..96b9b92 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -4,5 +4,3 @@
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 
-user ALL=NOPASSWD: /usr/bin/faillock-user
-%sudo ALL=NOPASSWD: /usr/bin/faillock-user
diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user
deleted file mode 100755
index aabdd1e..0000000
--- a/usr/bin/faillock-user
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-true "$0: START PHASE 1"
-
-if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then
-   set -x
-   exec 5>&1 1>> ~/pam-info-debug.txt
-   exec 6>&2 2>> ~/pam-info-debug.txt
-fi
-
-true "$0: START PHASE 2"
-
-if ! command -v "/usr/sbin/faillock" &>/dev/null; then
-   true "$0: ERROR: The faillock program is unavailable, exiting."
-   exit 2
-fi
-
-## Debugging.
-who_ami="$(whoami)"
-true "$0: who_ami: $who_ami"
-true "$0: PAM_USER: $PAM_USER"
-true "$0: SUDO_USER: $SUDO_USER"
-
-if [ "$SUDO_USER" = "" ]; then
-   user_to_check="$who_ami"
-else
-   user_to_check="$SUDO_USER"
-fi
-
-faillock --user "$user_to_check"
-
-## Debugging.
-## Explicit "exit $?" to have it recorded in the xtrace if enabled.
-exit $?

From 98f753d8ffcf6673a3130d45c23b84a4c35917b1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu, 24 Nov 2022 07:21:58 -0500
Subject: [PATCH 27/27] bumped changelog version

---
 changelog.upstream | 18 ++++++++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 24 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 7e718a8..088bb95 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,21 @@
+commit 6d7a78262464c054c46df155605a480f1b32f22c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:21:46 2022 -0500
+
+    fix
+
+commit 421f03ae9e648d366146415532d4dd9dda106980
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:20:56 2022 -0500
+
+    fix
+
+commit ad1e722879ef049ef421f0062ee383770d66bfee
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Nov 24 07:00:33 2022 -0500
+
+    bumped changelog version
+
 commit a806c782d78d691617dd650808a0403ce72d4a1a
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Thu Nov 24 07:00:23 2022 -0500
diff --git a/debian/changelog b/debian/changelog
index c053659..9181bec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:26.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 24 Nov 2022 12:21:58 +0000
+
 security-misc (3:26.5-1) unstable; urgency=medium
 
   * New upstream version (local package).