One thing many managers like is consistency. In many organizations, that starts with what everyone sees at the beginning of the day, the login menu. In this annoyance, I'll show you how you can customize and standardize the GNOME and KDE login menus. But first, you need to select a standard login manager for your workstations.
Whether you want to use GNOME, KDE, or another GUI desktop, you need to select your preferred login manager. Even if you're running GNOME desktops, you can still use the KDE login manager, and vice versa. Each of the book's preferred distributions allows you to select the preferred login manager in a configuration file specific to that distribution, as described in Table 1-1.
Table 1-1. General tab of the GDM Login Screen
Use the full path to the login manager of your choice, such as /usr/bin/kdm or /usr/bin/gdm.
There are other login managers available. Some people prefer the X Login Manager, also known as xdm. Its simple interface does not include menu options for other desktops, languages, or shutdown/reboot commands. If you've installed the X Login Manager, you can substitute xdm for gdm or kdm in Table 1-1.
As you review what each login manager can do in this annoyance, you may change your mind on what's best. You can always return to this section and configure a different preferred login manager for your systems. If you're configuring a standard across many users' computers, you'll have to copy the appropriate file to the other systems that you administer.
/etc/X11/gdm on Red Hat/Fedora
/etc/opt/gnome/gdm on SUSE
/etc/gdm on Debian
As distributions evolve, these directories may change. To find the directory on your distribution, run one of the following commands:
rpm -ql gdm | grep gdm.conf
dpkg -L gdm | grep gdm.conf
If you get no output, either you haven't installed the GNOME Login Menu package or the name of the directory has changed.
The standard tool to edit the GNOME Login Menu is the Login Screen Setup tool, which you can start with the gdmsetup command. This opens the Login Screen Setup window shown in Figure 1-5. I'll examine each of the tabs in turn.
If you want to do some arcane customization that you can't find in the Login Screen Setup window on the GNOME display manager, you can try directly editing the associated gdm.conf configuration file. It includes a wide variety of options that go beyond the scope of what I can cover in this annoyance. For more information, run the yelp command to open the GNOME help documentation and navigate to Desktop → GNOME Display Manager Reference Manual. The version associated with Fedora Core 5 includes two additional tabs: "XServer settings for remote servers" and Users, where you can specify the visible users in the GDM login screen.
The General tab defines the basic settings associated with the GNOME Display Manager login screen and allows you to configure several options, which are described in Table 1-2. Be aware that SUSE Linux Professional enables automatic logins by default. This is all right for a system dedicated to a single user in an environment, such as a laptop or home office, where intruders are not expected to meddle with it. It is also a good choice for a locked-down public terminal offering a guest account. It should be disabled otherwise.
Table 1-2. GDM Login Screen General tab
Standard or Graphical greeter for local logins (the Standard greeter provides a default login screen; the Graphical greeter is more customizable with pictures or other graphics; for details, see the following subsections).
Standard or Graphical greeter for remote logins.
Always use 24 hour clock format: If checked, time is shown in a 24-hour instead of a standard U.S. A.M./P.M. format.
Greeting for a successful login.
Remote welcome string: Greeting for a successful remote login.
Login a user automatically: Supports automatic logins to a standard account; a reasonable option for public terminals or some single-user systems.
Automatic login username: Default login account.
Login a user automatically after a specified time: Suitable for a guest account.
Timed login username: Default account if there is no login; suitable for a guest account.
Seconds before login: Wait time before login to a timed login account.
Under the "Standard greeter" tab, you can configure the look and feel of the Standard Greeter for local and remote users. You can configure a logo and an image (or enable "choosable" images so each user can configure her image to her taste), as well as a background image and color. The Standard Greeter is known as the GTK+ Greeter in Fedora Core.
Under the "Graphical greeter" tab, you can configure the look and feel of the Graphical Greeter for local and remote users. Linux distributions include several optional themes, and you can configure your own. In fact, this is one way to create a customized look and feel for your organization. The Graphical Greeter is known as the Themed Greeter in Fedora Core.
You can use the current themes as a model for your own. With a little trial and error, you can replace the .png files in the appropriate themes/ subdirectory with the images of your choice.
The location of the themes/ subdirectory varies. While the default is /usr/share/gdm/themes, SUSE stores Graphical Greeter themes in /opt/gnome/share/gdm/themes. Alternatively, you can download your own themes; one source is http://themes.freshmeat.net/browse/991/, where most of the themes are available under the GNU General Public License (GPL).
If I had to create a custom theme for my organization, I'd use one of the themes available as a template and substitute the appropriate image files. Of course, you can create your own, using one of the many models available.
The Security tab includes several options, described in Table 1-3.
Table 1-3. GDM Login Screen Security tab
Description / recommendation
Allow root to log in with GDM: I recommend you disable this setting to discourage administrators from logging in with the root account.
Allow root to log in remotely with GDM: I strongly recommend disabling this setting, as it would transmit the root password over the network, without encryption.
Allow remote timed logins: Associated with the timed login setting under the General tab.
Show actions menu: Displays the Actions menu in the login screen.
Secure actions menu: Supports options that require the root password, such as reboot and shutdown.
Allow configuration from the login screen: Supports access to the GDM Login Screen Setup Tool from the login screen; disable unless you're experimenting with the login screen.
Allow running XDMCP chooser from the login screen: Enables logins to remote GUI systems.
Always disallow TCP connections to X server: Disables GUI logins from remote systems.
Retry delay (seconds): Specifies the delay after a failed login attempt.
Accessibility modules support users who need assistive technologies, particularly those who are unable to use keyboards or pointing devices in a "standard" fashion. For more information, see Appendix A of the GNOME Desktop Accessibility Guide; a version for GNOME 2.10 is available from http://www.gnome.org/learn/access-guide/2.10/. (The GNOME 2.12 Desktop Accessibility Guide was not available as of this writing.)
The X Display Manager Control Protocol (XDMCP) supports logins to remote GUI systems. As you can see from the XDMCP tab, there are several ways you can configure this protocol if you want to allow remote users to log in to your system using the GNOME Display Manager, as described in Table 1-4.
XDMCP is inherently insecure. A potentially more secure option for remote access to your GUI applications is the Secure Shell protocol. I describe its use for GUI applications in Chapter 11.
Table 1-4. XDMCP Configuration options
Enable if you want to allow remote GUI access.
Honour Indirect Requests: Supports access even if GDM is not available on the remote system (note the British spelling of "Honour").
Listen on UDP port: Specifies the TCP/IP port for XDMCP communication; the default is 177.
Maximum pending requests: Sets the maximum number of requests from remote displays; can vary from maximum remote sessions.
Max pending indirect requests: Sets the maximum number of requests from remote displays that do not have a display manager.
Maximum remote sessions: Limits the number of actual (not pending) remote sessions.
Maximum wait time: Limits the time a request can wait; may help if the network is slow.
Maximum indirect wait time: Limits the time a request from a system without a display manager can wait; may help if the network is slow.
Displays per host: Limits the number of displays allowed to a particular remote system.
Ping interval (seconds): Checks connections with remote systems periodically, as defined here.
Once you're satisfied with the changes on one system, you'll want to transmit those changes to other systems on your network. As the GNOME Login Manager is system-wide instead of specific to each user, associated settings depend on standard configuration files in the distribution-dependent directories defined earlier. Just copy the files in the noted directories from system to system to implement the changes on the desired computers.
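A check you can run on a gdm.conf before copying it to other systems, flagging the settings that the General, Security, and XDMCP tables above advise against. This is an added example, not code from the original text; the section and key names are those used in the GDM 2.x gdm.conf file (an assumption to verify against your version), and the sample file is constructed.

```shell
# Added example: flag gdm.conf settings the tables above advise against.
# Key names are GDM 2.x gdm.conf keys (assumption: check your version's file).
audit_gdm_conf() {  # $1 = path; prints findings, returns 1 if any were found
    awk '
    BEGIN {
        risky["daemon/AutomaticLoginEnable"] = "automatic login is enabled"
        risky["daemon/TimedLoginEnable"]     = "timed login is enabled"
        risky["security/AllowRoot"]          = "root may log in with GDM"
        risky["security/AllowRemoteRoot"]    = "root may log in remotely"
        risky["greeter/ConfigAvailable"]     = "setup tool reachable from login screen"
        risky["xdmcp/Enable"]                = "XDMCP remote logins are enabled"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    /^[ \t]*\[/ {                        # section header such as [security]
        section = $0; gsub(/^[ \t]*\[|\].*$/, "", section); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        id = section "/" key
        if ((id in risky) && tolower(val) == "true") {
            printf "%s=%s: %s\n", id, val, risky[id]; found++
        }
    }
    END { exit (found > 0) }
    ' "$1"
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=guest
[security]
AllowRoot=false
AllowRemoteRoot=true
[xdmcp]
Enable=false
EOF
audit_gdm_conf "$sample" || echo "review the flagged settings before copying this file"
```

Point the function at the gdm.conf in the directory for your distribution; a flagged automatic or timed login is acceptable only for the guest-account and single-user cases described under the General tab.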
/etc/kde/kdm on Red Hat/Fedora and Debian (Red Hat links to a number of files in the /etc/X11/xdm directory)
/opt/kde3/share/config/kdm on SUSE
Alternatively, you can start the KDE Login Manager editing tool from the KDE Control Center. Navigate to System Administration → Login Manager. You can also run the kcmshell kdm command. Either action opens the Login Screen Setup window shown in Figure 1-6. I'll examine each of the tabs in turn.
As with the GNOME display manager, you can edit the associated kdmrc configuration file directly to change KDE. It includes a wide variety of options that go beyond the scope of what I can cover in this annoyance. For more information, run the khelpcenter command to open the KDE help documentation and navigate to Control Center Modules → Login Manager.
The options under the Appearance tab allow you to customize the overall look and feel of the KDE Login Manager, as described in Table 1-5.
Table 1-5. KDM Appearance tab
Provides a standard greeting; the
Determines what is displayed in the lefthand part of the main screen; if you select "Show logo," you can use the logo of your choice (such as your corporate image).
Defines the location of the upper-left corner of the main screen, relative to the upper-left corner of the display.
Allows you to select from available themes, in /usr/share/apps/kstyle/themes or /opt/kde3/share/apps/kstyle/themes; if you create your own, add them to the themes/ subdirectory appropriate to your distribution.
Allows you to select from available color schemes, available in /usr/share/apps/kdisplay/color-schemes or /opt/kde3/share/apps/kdisplay/color-schemes; if you create your own, add them to the color-schemes/ subdirectory appropriate to your distribution.
Defines the number of asterisks displayed for each keystroke when typing in your password.
Selects from available languages.
The options under the Font tab allow you to customize the fonts you see in the KDE Login Manager. There are three categories and one other option, as described in Table 1-6.
Table 1-6. KDM Fonts tab
Default font for most of the KDE Login Manager
Font for error messages and failed login attempts
Font for the Greeting, as defined in Table 1-5
Use anti-aliasing for fonts: Supports the use of smoothing for fonts; don't use unless necessary, as this may slow your system
The options under the Background tab allow you to customize the display behind the main part of the KDE Login Manager. While details go beyond the level of annoyances, the impact is that you can add the picture or slideshow of your choice. You may use this tab to customize the login screen with a corporate or organizational seal.
The Shutdown tab defines who can shut down or reboot a computer from the KDE Login Manager window. By default, all users are allowed to shut down or reboot the local computer using the KDE Login Manager. I recommend that you disable this option for most systems (with the possible exception of single-user workstations) because no password is required.
The Users tab defines the users listed in the KDE Login Manager. By default, all regular and nonstandard users as defined in /etc/passwd within a certain UID range are listed. I believe this is a bad default. Even if you've disabled users such as ftp with a home directory such as /sbin/nologin, this is a clue that a cracker might be able to use to break into your system.
I recommend that you disable this setting by deselecting the Show List option. If you're focused on user convenience, see the next tab.
Sometimes it's OK to configure a workstation with an automatic login. In fact, it's the default for SUSE Linux Professional Workstation. If you need to choose "Enable auto-login," I recommend that you do so for a specific user, selected under the Preselect User area, with relatively minimal permissions. If you're comfortable with the relative security of that account, you may also want to choose "Enable password-less logins."