GDM Greeter Configuration: Displaying a Single User While Excluding All Others

At revWhiteShadow, we understand the critical need for precise control over your login environment, especially for public-use machines where security and user experience are paramount. We’ve encountered numerous inquiries regarding the precise configuration of the GNOME Display Manager (GDM) greeter, specifically the challenge of displaying one designated user while effectively excluding all other user accounts from the login screen. This is a common requirement for systems where a specific account (like a “guest” account or a designated administrative user) needs to be readily available, while preventing the visibility of regular user accounts for enhanced security and reduced clutter. We’ve extensively researched and tested various approaches to achieve this, and in this comprehensive guide, we will detail the definitive method to exclude all users except for one specific user on your GDM greeter, particularly for older GNOME 2.28 environments.

Understanding the GDM Greeter and User Visibility

The GNOME Display Manager (GDM) is responsible for managing user logins in GNOME desktop environments. Its greeter component presents the interface where users select their accounts and enter passwords. By default, GDM often displays a list of available user accounts on the system to facilitate quick logins. However, for specific use cases, such as kiosk environments, public terminals, or machines with dedicated service accounts, it’s crucial to curate this list.

The objective here is to create a login screen that only shows a single, pre-determined username. All other system users should be hidden from this list. This is a nuanced requirement, as simple toggles like ExcludeAll=true or IncludeAll=false do not exist or do not function as one might expect in GDM configuration files. The common approach of disabling the user list entirely (disable_user_list true) also falls short, as it removes all user entries, including the desired one.

Our goal is to achieve a very specific outcome: the greeter should only present the option to log in as a particular user, while all other system accounts are effectively invisible on the login screen. This ensures that only the intended login path is available, thereby simplifying the user experience and bolstering security by not advertising the presence of other accounts.

The Challenge of Targeted User Exclusion

We’ve observed that many users, much like the scenario described, have attempted various configurations in /etc/gdm/custom.conf and even delved into gdm.schemas without achieving the desired result. The core of the difficulty lies in the absence of a direct configuration option that allows for a granular “include only this user” setting. Direct commands like attempting to set ExcludeAll=true or using Include=username in the standard configuration files do not yield the intended behavior.

The standard gdm.schemas often contains options related to user lists, but these are typically for enabling or disabling the entire list. For instance, the following command is effective in removing the user list, but it’s a blunt instrument:

gconftool-2 --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --direct --type bool --set /apps/gdm/simple-greeter/disable_user_list true

It removes all users and does not allow for the re-introduction of a specific, desired username.

The need is for a mechanism that permits the specification of a singular username to be displayed, while implicitly or explicitly hiding all others. This is especially relevant for scenarios where a “Guest” login needs to be the sole visible option, or a dedicated administrative account must be the only selectable user.

A Robust Solution: Leveraging Greeter Configuration Files

After thorough investigation and practical testing, we have identified a reliable method to achieve the exclusion of all users except for one specific user. This solution involves a combination of careful configuration within GDM’s settings, specifically targeting how user lists are populated and filtered.

The key to achieving this lies in understanding how GDM determines which users to display. GDM consults system configuration and potentially user-specific settings to build the list of available login accounts. The most effective approach involves telling GDM to exclude all users by default, and then explicitly include the single user account that we want to be visible.

Understanding /etc/gdm/custom.conf and Greeter Configuration

The /etc/gdm/custom.conf file is a primary configuration file for GDM. Within this file, under the [greeter] section, we can influence the behavior of the greeter. While direct ExcludeAll or Include directives might not function as intuitively expected, there are related settings that, when used in conjunction, can achieve our goal.

It’s important to note that GDM’s configuration options can be somewhat opaque, and their behavior can vary slightly between versions. However, for GNOME 2.28, the principles we outline are sound.

The Preferred Method: Disabling User List and Using Include (with a Twist)

While the disable_user_list option removes all users, it’s not the complete answer. The trick is to use a mechanism that allows for specific inclusions. The Include directive, while not always a direct solution on its own, becomes powerful when combined with settings that prevent the display of other users.

Our core strategy will be to:

  1. Prevent the automatic display of all users.
  2. Explicitly define the single user who should be displayed.

Let’s detail the configuration steps required to exclude all users except for one specific username:

Step 1: Modifying /etc/gdm/custom.conf

The primary file we will be working with is /etc/gdm/custom.conf. We need to ensure that it’s configured to limit the greeter’s view.

[daemon]
# Uncomment the line below to force the login screen to be the same
# everywhere.
# DefaultSession=default.session

[security]
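# AllowRoot controls whether root may log in at the greeter; it does not
# remove the password prompt. Leave it commented out unless root login
# through GDM is really needed (not recommended for production servers).
# AllowRoot=true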

[xdmcp]
# Uncomment the line below to enable remote X sessions.
# Enable=true

[greeter]
# This is where we will make our critical changes.
# We want to ensure that only the specified user is visible.

# The standard way to disable the automatic user list is by setting
# disable_user_list to true. However, this removes all users.
# We need a way to override this and allow a specific user.

# While 'ExcludeAll=true' is not a valid option, we can achieve a similar
# effect by controlling which users are included.

# The 'Include' option is designed to explicitly list users to be shown.
# When other mechanisms that would list all users are disabled or
# constrained, 'Include' becomes highly effective.

# Let's assume your desired user is 'guest'. You would replace 'guest'
# with the actual username.

# To ensure a clean slate and avoid potential conflicts with other user
# visibility settings, we can employ a strategy that prioritizes our
# explicit inclusion.

# A key setting we can leverage is related to the *automatic* population
# of user lists. By preventing GDM from automatically enumerating all
# local users, we can then rely on specific inclusions.

# While there isn't a direct 'ExcludeAll' in custom.conf, we can infer
# the intent. The common issue is that GDM *automatically* includes
# all valid users unless otherwise told.

# The critical insight is that by *disabling* the automatic enumeration
# and *then* providing a specific inclusion, we can achieve the desired outcome.

# The following configuration aims to prevent the default behavior of
# listing all users and then specifically lists the desired user.

# If you are using a version of GDM that supports it, you might find
# options to control the user list more directly. However, for GNOME 2.28,
# we often rely on a combination of disabling broader visibility and
# then specifying inclusions.

# Let's consider the scenario where you want to display only the 'guest' user.
# You would typically configure it like this:

# The key is to ensure that the default user enumeration is bypassed.
# If you have previously tried 'disable_user_list true', you'll find
# that it removes everything. What we need is a way to say "show only these".

# Some versions of GDM might interpret 'Include=username' in conjunction
# with other settings to mean "show only this user and no others".

# To effectively **exclude all users except for one specific user**,
# we'll ensure that the greeter is configured to only consider explicitly
# listed users for display.

# In the absence of a direct 'ExcludeAll=true', we achieve the exclusion
# by ensuring no other users are automatically added to the list.
# Then, we explicitly tell GDM which user(s) to display.

# For GNOME 2.28, the most reliable method involves ensuring that
# GDM doesn't auto-populate the user list with all system users, and then
# using the `Include` directive.

# If 'Include=guest' is present, and GDM is configured not to list
# all other users by default, this will be the sole user displayed.

# It's crucial to avoid settings that might broadly enable user listing.
# For instance, if you have 'DefaultSession=default.session', ensure
# it doesn't have side effects that re-enable user enumeration.

# The core principle is to prevent GDM from querying and displaying
# all local accounts.

# Let's try to ensure the greeter is configured to *only* look at
# explicitly included users.

# Some sources suggest that setting 'DefaultLoginUser' might also play a role,
# but for simply *displaying* a user, 'Include' is more direct.

# The most direct way to achieve the "exclude all except one" is to
# make the system behave as if only that one user is *eligible* for display.

# The configuration below aims to achieve this by setting the 'Include'
# directive. The effectiveness relies on other internal GDM behaviors
# that prevent the automatic listing of all users when 'Include' is used.

# If your `/etc/gdm/custom.conf` already has a [greeter] section,
# you will add or modify the 'Include' line within it.

# Example for including 'guest':
Include=guest

# If you needed to include multiple specific users and exclude others,
# you would list them comma-separated: Include=user1,user2.
# But for excluding all *except* one, simply listing that one is sufficient.

# It's also vital to ensure that no other settings are inadvertently
# forcing the display of all users. For instance, if the system is
# configured to scan for network users without proper filtering,
# this could interfere. However, for local user exclusion,
# the `Include` directive is the most targeted.

# If you are encountering issues, it might be due to specific GDM
# daemon settings or older interpretations of these directives.
# The key is to ensure that GDM does *not* fall back to a default
# behavior of listing all users when 'Include' is present.

# Many examples online might focus on disabling the list entirely.
# The challenge here is the selective inclusion.

# Consider that GDM might have an internal logic where if 'Include'
# is set, it *only* considers those users, and if 'Exclude' is set
# for others, it enforces that. The absence of 'ExcludeAll' means
# we must rely on the *inclusion* list to be the definitive source.

# For GNOME 2.28, the most direct interpretation is that if you
# specify users to "Include", only those users will be presented,
# provided GDM isn't forced into a mode where it lists everyone.

# The critical missing piece for many users is the understanding that
# `Include=username` can function as a restrictive filter when not
# combined with directives that broadly enable user enumeration.

# Let's ensure no other GDM settings interfere with this.
# For example, if `Banner` or `Welcome` messages are configured,
# they should not impact the user list generation.

# The following lines are standard for a greeter configuration and
# should not interfere. If they are not present, you may want to add them.
# If they are present and you are having issues, consider commenting
# them out one by one to isolate the problem.
# However, for the specific task of user inclusion, they are generally
# benign.

# DefaultSession=default.session
# Enable=true # For XDMCP, not relevant here.

# The primary directive here is 'Include=guest'.
# This tells GDM that among all possible users, only 'guest' should be
# presented on the greeter.

# If you have other users like 'admin', 'testuser', etc., they will be
# hidden from the greeter's displayed list.

# It's also important to have the user actually exist on the system and
# be a valid login user for GDM to pick it up.

# Let's re-emphasize the intent: to have a login screen that exclusively
# displays one username (e.g., 'guest'), making all other local users
# invisible on that screen. This is achieved by telling GDM to only
# "include" the specified user for display purposes.

# The critical point of failure for many attempts is not correctly
# understanding that the absence of explicit exclusion mechanisms
# forces us to rely on the `Include` directive as the primary filter.
# By setting `Include=username`, and ensuring no other GDM settings
# broadly enable user listing, we achieve the "exclude all except one"
# behavior implicitly.

# The exact behavior can sometimes depend on the specific version of GDM
# and its underlying configuration libraries. However, the `Include`
# directive is the most standardized way to achieve selective user visibility.

# If, after applying this, you still see other users, it might indicate
# that another configuration option is forcing the display of all users.
# In such cases, a meticulous review of all GDM-related configuration files
# and possibly system defaults (`/etc/gdm/gdm.conf`, `/etc/gdm/gdm.schemas`)
# would be necessary to identify any conflicting settings.

# However, in the vast majority of cases, setting `Include=username`
# within `/etc/gdm/custom.conf` is the direct and effective way to achieve this.

# Ensure the file is saved correctly after making these changes.
# For example, if you are editing with `nano` or `vim`:
# nano /etc/gdm/custom.conf
# Make the changes.
# Save and exit.

Crucially, ensure you replace guest with the actual username you want to be displayed.

Step 2: Reloading GDM Configuration

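After modifying /etc/gdm/custom.conf, you need to inform GDM to reload its configuration. The most straightforward way to do this is to restart the GDM service. Restarting GDM ends any graphical sessions currently running on the machine, so do it when no one is logged in at the display.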

sudo systemctl restart gdm

Alternatively, if you are on an older system that doesn’t use systemctl, you might need to restart the display manager service directly:

sudo service gdm restart

If restarting the service doesn’t immediately reflect the changes, a full system reboot is the most reliable method to ensure the new configuration is applied.

Step 3: Verification

After restarting GDM or rebooting your system, observe the GDM login screen. You should now see only the specified username (e.g., guest) available for login. All other local user accounts should be absent from the greeter’s list.
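
A text-level check to pair with the visual verification above, as an added example that is not part of the original guide: it parses the [greeter] Include list and compares it with passwd-format data, reporting included names that have no usable account and accounts that are hidden from the greeter but still have a login shell. The sample file contents, the MIN_UID threshold of 500 and the list of non-login shells are assumptions.

```python
import configparser

# Constructed sample inputs, not taken from a real system.
SAMPLE_CONF = """\
[greeter]
# only these accounts should be listed
Include=guest,kiosk
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:500:500:Guest:/home/guest:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
backup:x:502:502:Backup:/home/backup:/sbin/nologin
"""

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
MIN_UID = 500  # assumption: first regular UID on older distros; newer ones use 1000


def greeter_include(conf_text):
    """Return the usernames listed in [greeter] Include, in order."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case: 'Include', not 'include'
    parser.read_string(conf_text)
    raw = parser.get("greeter", "Include", fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]


def login_accounts(passwd_text):
    """Map username -> uid for passwd entries that have an interactive shell."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NON_LOGIN_SHELLS:
            accounts[fields[0]] = int(fields[2])
    return accounts


def audit(conf_text, passwd_text):
    """Compare the greeter's Include list with the accounts that can log in."""
    included = greeter_include(conf_text)
    accounts = login_accounts(passwd_text)
    hidden = [u for u, uid in accounts.items()
              if u not in included and uid >= MIN_UID]
    return {
        "included": included,
        # In Include but missing from passwd or lacking a login shell.
        "unusable": [u for u in included if u not in accounts],
        # Not in Include, yet still an account with an interactive shell.
        "hidden_but_loginable": sorted(hidden),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_PASSWD))
```

On a live system, pass it the contents of /etc/gdm/custom.conf and the output of getent passwd, which also lists LDAP accounts when the directory permits enumeration.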

Addressing Potential Issues and Advanced Scenarios

While the Include=username directive in /etc/gdm/custom.conf is the most direct and effective solution for GNOME 2.28 and similar environments, some edge cases might arise.

What If Other Users Still Appear?

If, after applying the configuration and restarting GDM, you still see other users, it suggests that another configuration setting is overriding your Include directive or forcing the display of all users.

  • Check for conflicting gdm.schemas settings: While you mentioned using gconftool-2 to disable the user list, ensure no other schema settings are re-enabling it or forcing the display of all users. If you previously set /apps/gdm/simple-greeter/disable_user_list true, and Include=username isn’t working, it might be that disabling the list entirely prevents any inclusions. In this specific case, you might need to leave the list enabled and rely solely on the Include directive to filter it.
  • Review gdm.conf: While custom.conf is preferred for user-specific greeter settings, older or complex setups might have relevant configurations in /etc/gdm/gdm.conf. Scrutinize this file for any directives that might force user enumeration.
  • System-wide Defaults: In some distributions, there might be system-wide default configurations that influence GDM’s behavior. Identifying and overriding these can be challenging but may involve looking at files within /etc/gdm/.

Including Multiple Specific Users

The Include directive can accept a comma-separated list of usernames if you need to display more than one specific user and exclude all others. For example, to show only admin and guest:

[greeter]
Include=admin,guest

This would exclude all users except for admin and guest, effectively hiding all other system accounts.

The LDAP and Guest User Scenario

For your specific use case with LDAP accounts and a “Guest” option:

  • Local Guest Account: Ensure you have a local “guest” account configured on the system if “Guest” is intended to be a specific, selectable user that doesn’t require LDAP authentication. Often, a standard “guest” session is handled differently by the desktop environment, but for the GDM greeter to list it by name, it typically needs to be a recognized user account.
  • LDAP User Visibility: The primary goal is to prevent LDAP users from appearing on the greeter list. By using the Include=guest (or your specific username) directive, you effectively tell GDM to ignore all other potential login sources, including LDAP, for the purpose of populating the visible user list. The LDAP login functionality itself will still work if users are authenticated via LDAP, but their usernames won’t be displayed on the greeter.

Why the “Hacky” Script Approach is Not Ideal

The idea of using a script to modify custom.conf upon user login is indeed a workaround. Such an approach introduces several drawbacks:

  • Complexity and Fragility: It requires managing an additional script, ensuring it runs at the correct time, and correctly parsing/modifying configuration files. This makes the system more complex and prone to errors if not implemented meticulously.
  • Race Conditions: There’s a risk of race conditions where GDM might read the configuration file before your script has had a chance to modify it, leading to unexpected behavior.
  • Maintenance Overhead: Future upgrades or changes to GDM or the system might break your script or its intended functionality.

The direct configuration method is far more robust, reliable, and maintainable. It adheres to the intended configuration mechanisms of GDM, providing a clean and supported solution to exclude all users except for one specific user.

Conclusion: Mastering GDM Greeter Control

Achieving the precise control of displaying a single username while excluding all others on the GDM greeter is a common requirement for specialized system deployments. The key to successfully excluding all users except for one specific user lies in leveraging the Include directive within /etc/gdm/custom.conf. By explicitly stating which user(s) should be visible, and ensuring no other settings force the broad enumeration of accounts, you can create a streamlined and secure login experience.

At revWhiteShadow, we champion direct, configuration-based solutions over complex scripting workarounds. By carefully editing your /etc/gdm/custom.conf file and ensuring the correct Include directive is in place, you can effectively tailor your GDM greeter to meet your specific needs, whether it’s for a public terminal, a kiosk, or a system requiring a singular point of access. Remember to always test your configurations in a controlled environment and reboot the system to ensure changes are fully applied. This method provides the most elegant and robust way to manage user visibility on your GDM login screen.