Add sysmaint account lock detection

Aaron Rainbolt 2024-12-18 21:34:16 -06:00
parent 9d06341c91
commit 9d69cd1912
No known key found for this signature in database
GPG Key ID: A709160D73C79109


@ -72,6 +72,14 @@ https://www.kicksecure.com/wiki/root#console
fi fi
fi fi
if [ "$PAM_USER" = 'sysmaint' ]; then
sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || true
sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
if [ "${sysmaint_lock_info}" = 'L' ]; then
echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint"
fi
fi
## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
## Does not work (yet) for login, pam_securetty runs before and aborts. ## Does not work (yet) for login, pam_securetty runs before and aborts.
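Review bot: The `passwd -S sysmaint` line discards both the error output and the exit status (`2>/dev/null` plus `|| true`), so a failed query looks the same as an unlocked account and the hint is silently skipped. Querying another account's status with `passwd -S` normally needs root, so if this script can run under an unprivileged UID the new branch would never fire; how the script is invoked is not visible in this hunk, so this is worth confirming. I would document the intent above the block, for example `## passwd -S prints "<user> <status> ..."; status 'L' means the password is locked. Query failures are ignored on purpose, the hint is best-effort.` The here-string `<<<` is a bash feature, so the shebang (outside this hunk) needs to be bash rather than sh. The enclosing `if`/`fi` structure begins before the hunk, so whether anything after the `echo` should stop further processing for a locked account cannot be judged from here.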