PAM: abort on locked password

to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1

usr/lib/security-misc/pam-abort-on-locked-password

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
+   true "INFO: Password not locked."
+else
+   echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
+
+   if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
+      if [ "$PAM_USER" = "root" ]; then
+         echo "$0: ERROR: root account is locked by default. See:" >&2
+         echo "https://www.whonix.org/wiki/root" >&2
+         echo "" >&2
+      fi
+   fi
+
+   exit 1
+fi
+
+exit 0

usr/lib/security-misc/pam_tally2-info

@@ -1,17 +1,5 @@
 #!/bin/bash
 
-if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
-   true "INFO: Password not locked."
-else
-   echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
-   if [ "$PAM_USER" = "root" ]; then
-      echo "$0: ERROR: root account is locked by default. See:" >&2
-      echo "https://www.whonix.org/wiki/root" >&2
-      echo "" >&2
-   fi
-   exit 0
-fi
-
 pam_tally2_output="$(pam_tally2 --user "$PAM_USER")"
 
 if [ "$pam_tally2_output" = "" ]; then

usr/share/pam-configs/pam-abort-on-locked-password-security-misc

@@ -0,0 +1,6 @@
+Name: abort on locked password (by package security-misc)
+Default: yes
+Priority: 280
+Auth-Type: Primary
+Auth:
+	requisite	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password

usr/share/pam-configs/wheel-security-misc

@@ -1,6 +1,6 @@
 Name: group sudo membership required to use su (by package security-misc)
 Default: yes
-Priority: 270
+Priority: 280
 Auth-Type: Primary
 Auth:
 	requisite	pam_wheel.so group=sudo debug