I'd like to only allow ssh or console based login (ssh, su, sudo commands) but restrict specific users from using GDM / KDM / X Windows based login under Linux operating systems. How do I stop direct GUI user login using GDM / KDM / X Windows login managers and only allow text based logins?
The GNOME Display Manager (GDM) or KDE Display Manager (KDM) provides a simpler alternative (read as replacement for XDM) display manager for the X Window System's XDM. The easiest way to restrict access to GDM/KDM is to use "Pluggable Authentication Modules" for GDM or KDM which provide dynamic authorization for applications and services in a Linux system.
Step #1: Create Deny User Lists
Create a text file called /usr/local/etc/kdm.deny or /usr/local/etc/gdm.deny, enter:
# vi /usr/local/etc/gdm.deny
Add each username on a separate line. In this example, deny access to user tom, jerry, spike, tyke, butch etc:
tom jerry spike tyke butch
Save and close the file. You can to use the same file for kdm using ln command:
# ln -s /usr/local/etc/gdm.deny /usr/local/etc/kdm.deny
Any user name present in these file will no longer be able to login via GDM (GNOME) or KDM (KDE) systems. But, those users can still login using ssh or use su and/or sudo commands.
Step #2: Restrict GDM User Login
Edit /etc/pam.d/gdm, enter:
# vi /etc/pam.d/gdm
Append / modify line as follows:
auth required pam_listfile.so onerr=fail item=user sense=deny file=/usr/local/etc/gdm.deny
Save and close the file.
Step #3: Restrict KDM User Login
Edit /etc/pam.d/kdm, enter:
# vi /etc/pam.d/kdm
Append / modify line as follows:
auth required pam_listfile.so onerr=fail item=user sense=deny file=/usr/local/etc/gdm.deny
Save and close the file.
See also:
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 4 comments… read them below or add one }
Could this be used to create a whitelist for GDM/KDM? In other words deny all and then create an gdm.allow file to allow only certain users?
Yes, just replace
with
I created a whitelist for authorized users I want to allow with this method; unfortunately it didn’t work. What could I be missing. Thanks in advanced. I am using RHEL 5.
Try using NXserver and client. You can limit by group.