The default login screen for almalinux-9.3 workstation shows a list of existing login user names. User clicks desired user name, and then is presented with a text widget to type in the associated password for that user name.
For better traditional login security (i.e. avoiding telling a person viewing the login screen the available user names), how does one change this login screen protocol to require both the user name and the associated password to be typed in?
Thanks…
I found that the following will solve this problem, removing the list of available usernames from the workstation login screen, and requiring first a username to be typed in, and then the associated password for that username.
[Install the dbus-x11 package. Temporarily allow the gdm user access to one’s X11 screen. Run the gsettings command as user gdm to suppress the usernames on the workstation’s login screen.]
From an administrator user’s login session:
sudo dnf -y install dbus-x11
xhost SI:localuser:gdm
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
After the admin logs out of the session, the usernames are no longer listed on the login screen.
I don’t do that. Rather, I have root do Ansible tasks. (Can’t remember why the second one.)
- name: Hide users from GDM login screen
ansible.builtin.copy:
content: |
[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true
dest: /etc/dconf/db/gdm.d/00-login-screen
when:
- dm_hide_users|bool
notify:
- dconf update
- name: Add to dconf
ansible.builtin.copy:
content: |
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
dest: /etc/dconf/profile/gdm
and
# handlers file for display-manager
- name: dconf update
command: dconf update
Anyhow, the approach does create file /etc/dconf/db/gdm.d/00-login-screen that contains disable-user-list=true and after GDM is eventually happy about that.