diff --git a/checktrust/checktrust b/checktrust/checktrust
new file mode 100755
index 0000000..ba55e28
--- /dev/null
+++ b/checktrust/checktrust
@@ -0,0 +1,12 @@
+#! /usr/bin/bash
+
+for host in wtf afk pummelfee; do
+    reply="$(netcat -w 1 $host 236 </dev/null)"
+    if [ "$reply" = "I trust you" ]; then
+        echo "trusted"
+        exit
+    elif [ "$reply" = "I don't trust you" ]; then
+        echo "not trusted"
+        exit
+    fi
+done
diff --git a/checktrust/getty-checktrust b/checktrust/getty-checktrust
new file mode 100755
index 0000000..5e7dfc4
--- /dev/null
+++ b/checktrust/getty-checktrust
@@ -0,0 +1,14 @@
+#! /usr/bin/bash
+
+if [ "$(/usr/sbin/checktrust)" = "not trusted" ]; then
+    mkdir -p /node/issue.d
+    cat > /node/issue.d/notrust.issue <<EOF
+** WARNING: Loss of trust detected **
+** Looks like your machine lost the trust of our network. Maybe it was offline for too long. **
+** You won't be able to log in. **
+** Please contact IT Helpdesk: <helpdesk@molgen.mpg.de>, phone: -1708 **
+
+EOF
+else
+    rm -f /node/issue.d/notrust.issue
+fi
diff --git a/checktrust/getty-checktrust.service b/checktrust/getty-checktrust.service
new file mode 100644
index 0000000..2d301e3
--- /dev/null
+++ b/checktrust/getty-checktrust.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Check Mariux64 trust for getty
+Before=getty@.service
+
+[Install]
+WantedBy=getty@.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/getty-checktrust
+RemainAfterExit=yes
diff --git a/checktrust/lightdm-greeter-wrapper b/checktrust/lightdm-greeter-wrapper
new file mode 100755
index 0000000..1e47ada
--- /dev/null
+++ b/checktrust/lightdm-greeter-wrapper
@@ -0,0 +1,3 @@
+#! /bin/bash
+(/usr/libexec/lightdm-show-trust-warning &)
+exec "$@"
diff --git a/checktrust/lightdm-show-trust-warning b/checktrust/lightdm-show-trust-warning
new file mode 100755
index 0000000..ed738c0
--- /dev/null
+++ b/checktrust/lightdm-show-trust-warning
@@ -0,0 +1,28 @@
+#! /usr/bin/bash
+
+while true; do
+    reply="$(/usr/sbin/checktrust)"
+    if [ "$reply" = "trusted" ]; then
+        break
+    elif [ "$reply" = "not trusted" ]; then
+        if [ -z "$XDOPID" ]; then
+            (while true; do xdotool search --sync --name bla windowraise; sleep 1; done) &
+            XDOPID=$!
+        fi
+        xdotool search --sync --name bla windowraise &
+        zenity --width 400 --error --title bla --text \
+"<b>Loss of trust detected!</b>
+
+Looks like your machine lost the trust of our network. Maybe it was offline for too long.
+
+<i>You won't be able to log in.</i>
+
+<b>Please contact IT Helpdesk</b>
+
+helpdesk@molgen.mpg.de
+phone: -1708"
+        continue
+    fi
+    sleep 5
+done
+test -n "$XDOPID" && kill $XDOPID
diff --git a/checktrust/lightdm-use-wrapper.conf b/checktrust/lightdm-use-wrapper.conf
new file mode 100644
index 0000000..80af383
--- /dev/null
+++ b/checktrust/lightdm-use-wrapper.conf
@@ -0,0 +1,2 @@
+[Seat:*]
+greeter-wrapper=/usr/libexec/lightdm-greeter-wrapper
diff --git a/clusterd/clusterd b/clusterd/clusterd
index 96741a8..f6c7dc2 100755
--- a/clusterd/clusterd
+++ b/clusterd/clusterd
@@ -1794,6 +1794,31 @@ sub cmd_push {
 
 #------------------------------------------------------------
 
+our $TRUSTCHECK_PORT=236;
+our $trustcheck_listen_socket;
+
+sub trustcheck_init {
+	$trustcheck_listen_socket=new IO::Socket::INET(LocalPort=>$TRUSTCHECK_PORT,Proto=>'tcp',Listen=>10,ReuseAddr=>1);
+	defined $trustcheck_listen_socket or die "$!\n";
+	My::Select::reader($trustcheck_listen_socket,\&trustcheck_connect_request);
+}
+
+sub trustcheck_connect_request {
+	My::Select::reader_requeue();
+	my $socket=$trustcheck_listen_socket->accept();
+	$socket->blocking(0);
+	my $hostname = gethostbyaddr(inet_aton($socket->peerhost()), AF_INET);
+	system 'hostconfig','--host',$hostname,'amd';
+	if ($? == 0) {
+		$socket->send("I trust you\n", 0);
+	} elsif ($? == 256) {
+		$socket->send("I don't trust you\n", 0);
+	}
+	close($socket);
+}
+
+#------------------------------------------------------------
+
 use constant USAGE => <<'__EOF__';
 
 usage: $0 [options]
@@ -1901,6 +1926,7 @@ if (defined $options{'push'}) {
 	init_area();
 	mgmt_init();
 	clp_init();
+	trustcheck_init();
 
 	sync_cluster_pw() or warn "$CLUSTER_PW_FILE: $!\n";
 
diff --git a/install.sh b/install.sh
index 1543cc8..44c8e89 100755
--- a/install.sh
+++ b/install.sh
@@ -76,6 +76,13 @@ function install_cron()
     install_if "$1" "$2" $INSTALL_CRON
 }
 
+function install_symlink()
+{
+	if [ "$(readlink "$2")" != "$1" ]; then
+		ln -sfv "$1" "$2"
+	fi
+}
+
 umask 022;
 
 mkdir -p "$DESTDIR$usr_bindir"
@@ -159,4 +166,13 @@ install_data misc_etc_files/rsyslog.conf "$DESTDIR$sysconfdir/rsyslog.conf"
 install_data crashkernel/crashkernel.service              "$DESTDIR$systemdunitdir/crashkernel.service"
 install_exec crashkernel/crash-recovery.sh                "$DESTDIR$root_sbindir/crash-recovery.sh"
 install_data misc_systemd_units/admin-sshd.service        "$DESTDIR$systemdunitdir/admin-sshd.service"
+install_exec checktrust/checktrust                        "$DESTDIR$usr_sbindir/checktrust"
+mkdir -p "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d"
+install_data checktrust/lightdm-use-wrapper.conf          "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf"
+install_exec checktrust/lightdm-greeter-wrapper           "$DESTDIR$usr_exec_prefix/libexec/lightdm-greeter-wrapper"
+install_exec checktrust/lightdm-show-trust-warning        "$DESTDIR$usr_exec_prefix/libexec/lightdm-show-trust-warning"
+mkdir -p "$DESTDIR$sysconfdir/issue.d/"
+install_symlink /node/issue.d/notrust.issue               "$DESTDIR$sysconfdir/issue.d/notrust.issue"
+install_data checktrust/getty-checktrust.service          "$DESTDIR$systemdunitdir/getty-checktrust.service"
+install_exec checktrust/getty-checktrust                  "$DESTDIR$usr_exec_prefix/libexec/getty-checktrust"
 exit