HOWTO: Disable Usernames from Login Managers for Linux and Windows

Saturday, September 7th, 2013 at 8:35 pm | 12,413 views | trackback url

With all the news flying around about security, the less we give a potential malicious attacker, the better. To that end, here’s how to disable the list of usernames or the last logged-in user on your machine(s) for Windows and Linux (gdm) when you boot them up and get to the login screen.

Disable Usernames in GDM v1, v2

There are several ways to do this, some work, some do not, depending on your version of GDM (v1 vs. v2), so I’ll show you what command to run to set this, and I’ll also show you where you can set it in the actual configuration file.

If you’re running gdm (Red Hat, CentOS Fedora, Ubuntu, Debian, openSUSE), run this command:

$ sudo gconftool-2 –direct –config-source xml:readwrite:/etc/gconf/gconf.xml.defaults \
  –type bool –set /apps/gdm/simple-greeter/disable_user_list true

This actually modifies the file:

/etc/gconf/gconf.xml.defaults/%gconf-tree.xml

The modifications you want to make in section “gdm/simple_greeter” are (just add/edit the whole block below):

<entry name=”disable_user_list” mtime=”1289993214″ type=”schema” stype=”bool” owner=”gdm-simple-greeter” gettext_domain=”gdm”>
   <local_schema locale=”C” short_desc=”Do not show known users in the login window”>
   <default type=”bool” value=”true”/>
<longdesc>Set to true to disable showing known users in the login window.</longdesc>
</entry>

Disable Usernames in GDM v3

If you’re using GDM3, and many current and recent Linux distributions are, here’s how to neuter the userlist so your system doesn’t leak the list of valid users who have access to the system:

Add the following to a new file you create, called 01-settings in /etc/dconf/db/gdm.d/. Make sure the text on the ‘banner-message-text’ line is all on one line in the configuration file. I’ve wrapped it here for visibility:

$ sudo vi /etc/dconf/db/gdm.d/01-settings
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='WARNING!!! You have accessed a private system.\n
                     UNAUTHORIZED ACCESS IS PROHIBITED\n
                     Violators will be prosecuted to the full extent of the law.\n
                     Your access to this network may be monitored and recorded for quality\n
                     assurance, security, performance, and maintenance purposes.'
disable-restart-buttons=true
disable-user-list=true

Remove the compiled dconf configuration for gdm:

$ sudo rm /etc/dconf/db/gdm

Then re-build that database:

$ sudo dconf update

Restart GDM (the easy way) to validate you’ve got this correct:

$ sudo telinit 3
$ sudo telinit 5

Disable Usernames in LightDM (lightdm)

LightDM is much easier than GDM to configure to enforce a user to type in their username as well as their password. Just add/create the following structure to a file called “/etc/lightdm/lightdm.conf”:

[SeatDefaults]
greeter-show-manual-login = true
greeter-hide-users = true
allow-guest = false

Note that is not a typo in the above, it’s actually SeatDefaults, not SetDefaults.

Now just restart lightdm to re-enact that configuration.

$ sudo /etc/init.d/lightdm restart

Disable Usernames in KDM

The documentation for KDM claims you can do this with one checkbox in the settings, but that’s not correct. They hide it in two places, which have to be configured. Go to “System Settings” -> “System Administration” -> “Login Screen”. Then on the “Users” tab, adjust the following:

Disable the user list in KDM

Then on the “Convenience” tab, adjust the following:

Disable the user list in KDM

Restart your machine, restart kdm or use the runmode 3, 5 trick above, and you should see a screen prompting for a username, but without a userlist visible.

How to disable this on Microsoft Windows (98 through 2008 Server)

  • Windows 98 or Me
    Open [HKEY_LOCAL_MACHINE\Network\Logon] and create new string value called “DontShowLastUser” and set it to “1” to hide the last user.
  • Windows 2000 or XP
    Open [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] and create a new string value, or modify the existing value, called “DontDisplayLastUserName” and set it to “1” to enable or “0” to disable the restriction.
  • Windows NT
    Open [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] and create a new string value, or modify the existing value, called “DontDisplayLastUserName” and set it to “1” to enable or “0” to disable the restriction.

Now when you get to your login screen, you have to manually, interactively type in your username in order to log in.

Last Modified: Sunday, March 6th, 2016 @ 04:40

Leave a Reply

You must be logged in to post a comment.

Bad Behavior has blocked 2573 access attempts in the last 7 days.