Linux: Allow SSH Console Login But Not GDM / KDM / X Windows Based Login

I'd like to only allow ssh or console based login (ssh, su, sudo commands) but restrict specific users from using GDM / KDM / X Windows based login under Linux operating systems. How do I stop direct GUI user login using GDM / KDM / X Windows login managers and only allow text based logins?

The GNOME Display Manager (GDM) and the KDE Display Manager (KDM) are display managers for the X Window System that replace XDM. The easiest way to restrict access to GDM/KDM is to use Pluggable Authentication Modules (PAM), which provide dynamic authorization for applications and services on a Linux system.

Step #1: Create Deny User Lists

Create a text file called /usr/local/etc/kdm.deny or /usr/local/etc/gdm.deny, enter:
# vi /usr/local/etc/gdm.deny
Add each username on a separate line. In this example, deny access to users tom, jerry, spike, tyke, butch etc:

tom
jerry
spike
tyke
butch

Save and close the file. You can use the same file for kdm by creating a symbolic link with the ln command:
# ln -s /usr/local/etc/gdm.deny /usr/local/etc/kdm.deny
Any user name present in this file will no longer be able to log in via GDM (GNOME) or KDM (KDE). However, those users can still log in using ssh or use the su and/or sudo commands.

Step #2: Restrict GDM User Login

Edit /etc/pam.d/gdm, enter:
# vi /etc/pam.d/gdm
Append / modify line as follows:

auth   required   pam_listfile.so onerr=fail item=user sense=deny file=/usr/local/etc/gdm.deny

Save and close the file.

Step #3: Restrict KDM User Login

Edit /etc/pam.d/kdm, enter:
# vi /etc/pam.d/kdm
Append / modify line as follows:

auth   required   pam_listfile.so onerr=fail item=user sense=deny file=/usr/local/etc/gdm.deny

Save and close the file.
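
To confirm that the rule from Steps #2 and #3 is active and to see whether a given account is caught by it, the following added example (not part of the original article) reads a PAM service file, extracts the file= path from the pam_listfile line and tests a username against the list. The function name listfile_check and the scratch files it is run against are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# listfile_check PAM_FILE USER   (hypothetical helper name)
#   0 = USER is on the deny list (GUI login refused)
#   1 = USER is not listed (this rule lets the login proceed)
#   2 = rule or list file is missing or unsafe
listfile_check() {
    pam_file=$1
    user=$2
    # First active (uncommented) auth line using pam_listfile.so with sense=deny.
    rule=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_listfile\.so' "$pam_file" 2>/dev/null |
           grep -F 'sense=deny' | head -n 1)
    if [ -z "$rule" ]; then
        echo "no pam_listfile sense=deny rule in $pam_file" >&2
        return 2
    fi
    # Pull the path out of the file= argument.
    list=$(printf '%s\n' "$rule" | tr ' \t' '\n\n' | sed -n 's/^file=//p' | head -n 1)
    if [ ! -f "$list" ]; then
        echo "list file not found: $list" >&2
        return 2
    fi
    # A world-writable list lets any local user remove their own entry.
    case $(ls -ldL "$list") in
        ????????w*) echo "list file is world-writable: $list" >&2; return 2 ;;
    esac
    # Whole-line, fixed-string match: "tom" must not match "tommy".
    grep -qxF -- "$user" "$list"
}

# Constructed sample data in a scratch directory (not real system files).
demo_dir=$(mktemp -d)
printf '%s\n' tom jerry spike tyke butch > "$demo_dir/gdm.deny"
chmod 644 "$demo_dir/gdm.deny"
printf 'auth   required   pam_listfile.so onerr=fail item=user sense=deny file=%s\n' \
    "$demo_dir/gdm.deny" > "$demo_dir/gdm"

for u in tom tommy; do
    if listfile_check "$demo_dir/gdm" "$u"; then
        echo "$u: GUI login denied"
    else
        echo "$u: not on the deny list"
    fi
done
```

On a configured host, pass /etc/pam.d/gdm or /etc/pam.d/kdm as the first argument instead of the scratch file.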

4 comments
  • Aaron May 6, 2010 @ 16:33

    Could this be used to create a whitelist for GDM/KDM? In other words, deny all and then create a gdm.allow file to allow only certain users?

    • 🐧 nixCraft May 6, 2010 @ 18:10

      Yes, just replace

      sense=deny

      with

      sense=allow
  • Alex Aug 10, 2010 @ 7:27

    I created a whitelist for authorized users I want to allow with this method; unfortunately it didn't work. What could I be missing? Thanks in advance. I am using RHEL 5.

  • JohnD Nov 1, 2010 @ 2:39

    Try using NXserver and client. You can limit by group.
