#!/bin/bash

if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then
   echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
   exit 1
fi

if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
   true "INFO: Password not locked."
else
   echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2

   if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
      if [ "$PAM_USER" = "root" ]; then
         echo "$0: ERROR: root account is locked by default. See:" >&2
         echo "https://www.whonix.org/wiki/root" >&2
         echo "" >&2
      fi
   fi

   exit 1
fi

exit 0
