The daemon and the accompanying utilities share a common
configuration file: etc/gdm/gdm.conf.
The configuration file is divided into sections each
containing variables that define the behaviour for a specific
part of the GDM suite.
gdm.conf follows the standard GNOME configuration
file syntax. Keywords in brackets define sections, strings
before an equal sign (=) are variables and the data after
the equal sign is their value.
If true, then gdm never tries to reuse existing X servers by
reinitializing them. It will just kill the existing server and
start over. Normally, just reinitializing is a nicer way to go
but if the X server memory usage keeps growing this may be
a safer option.
AutomaticLoginEnable
AutomaticLoginEnable=false
Whether the user given in AutomaticLogin should be logged in
upon first bootup. No password will be asked. This is useful
for single user workstations where local console security
is not an issue. It could also be useful for public terminals,
although for those see TimedLogin.
AutomaticLogin
AutomaticLogin=
This user should be automatically logged in on first bootup.
AutomaticLoginEnable must be true and this must be
a valid user for this to happen. However, "root" can never be
logged in automatically; gdm will just refuse to do it even
if you set it up.
The pathname to the configurator binary. If the greeter
ConfigAvailable option is set to true then this binary is run
when somebody chooses Configuration from the system menu.
GDM will first ask for the root password, however, and it will
never allow this to happen from a remote display.
Specifies the path which will be set in the user's session.
DisplayInitDir
DisplayInitDir=etc/gdm/Init
Directory containing the display init scripts. See the
``Script Directories'' section for more info.
FailsafeXServer
FailsafeXServer=
An X command line to use in case the normal X server cannot be
started. This should probably be some sort of a script that runs
an appropriate low resolution server that will just work.
This is tried before the XKeepsCrashing script is run.
FlexibleXServers
FlexibleXServers=5
The maximum number of allowed flexible servers. These are
servers that can be run using the /tmp/.gdm_socket socket
connection. This is used for both full servers and for
Xnest servers.
GnomeDefaultSession
GnomeDefaultSession=share/gnome/default.session
The filename which GDM should read if there is no per user
GNOME session file, and the user has requested the Gnome
Chooser session.
Specifies the path which will be set in the root's
session and the {Init,PreSession,PostSession} scripts
executed by GDM.
ServAuthDir
ServAuthDir=/var/gdm
Directory containing the X authentication files for the
individual displays. Should be owned by
gdm.gdm with permissions 750.
This directory is also used for other private files that
the daemon needs to store. Other users should not
have any way to get into this directory and read or change
its contents.
SessionDir
SessionDir=etc/gdm/Sessions
Directory containing the scripts for all session types
available on the system.
StandardXServer
StandardXServer=/usr/bin/X11/X
Full path and arguments to the standard X server command.
This is used when gdm cannot find any other definition,
and it's used as the default and failsafe fallback in a
number of places. This should be able to run some sort
of X server.
SuspendCommand
SuspendCommand=
Full path and arguments to command to be executed when
user selects Suspend from the System menu. If empty
there is no such menu item.
TimedLoginEnable
TimedLoginEnable=false
Whether the user given in TimedLogin should be logged in after
a number of seconds (set with TimedLoginDelay) of inactivity
on the login screen. This is useful for public access
terminals or perhaps even home use. If the user uses the
keyboard or browses the menus, the timeout will be reset to
TimedLoginDelay or 30 seconds, whichever is higher. Note that
no password will be asked for this user so you should be
careful.
TimedLogin
TimedLogin=
This is the user that should be logged in after a specified
number of seconds of inactivity. This can never be "root"
and gdm will refuse to log in root this way.
TimedLoginDelay
TimedLoginDelay=30
This is the delay before the TimedLogin user will be logged
in. It must be greater than or equal to 10.
User
User=gdm
The username under which gdmlogin /
gdmchooser are run.
UserAuthDir
UserAuthDir=
The directory where the user's .Xauthority file should be
saved. When nothing is specified the user's home
directory is used.
UserAuthFBDir
UserAuthFBDir=/tmp
If GDM fails to update the user's
.Xauthority file a
fallback cookie is created in this directory.
UserAuthFile
UserAuthFile=.Xauthority
Name of the file used for storing user cookies.
XKeepsCrashing
XKeepsCrashing=etc/gdm/XKeepsCrashing
A script to run in case X keeps crashing. This is for running
an X configuration. The first argument will be one of the
programs specified in XKeepsCrashingConfigurators, the first
one that exists. If none of those exist, this script will not
be run. The second argument is a temporary filename that can
be used for any purpose within the script. The rest of the
arguments are translated messages. Please see the standard
installed script for further details.
In case FailsafeXServer is set up, that will be tried first,
and this is only used as a backup if even that server keeps
crashing.
A list of programs to try which will do X configuration for
the user. These are run from the XKeepsCrashing script.
The first one on this list that exists is used.
Xnest
Xnest=/usr/bin/X11/Xnest
The full path and arguments to the Xnest command. This is used
for the flexible Xnest servers. This way the user can start new
login screens in a nested window. Of course you must have the Xnest
server from your X server packages installed for this to work.
Allow root (privileged user) to log in through GDM. Set
this to false if you want to disallow such logins.
On systems that support PAM, this parameter is
not as useful as you can use PAM to do the same thing,
and in fact do even more. However it is still followed,
so you should probably leave it true for PAM systems.
AllowRemoteRoot
AllowRemoteRoot=true
Allow root (privileged user) to log in remotely through GDM.
Set this to false if you want to disallow such logins. Remote
logins are any logins that come in through XDMCP.
On systems that support PAM, this parameter is
not as useful as you can use PAM to do the same thing,
and in fact do even more. However it is still followed,
so you should probably leave it true for PAM systems.
AllowRemoteAutoLogin
AllowRemoteAutoLogin=false
Allow the timed login to work remotely. That is, remote
connections through XDMCP will be allowed to log into the
"TimedLogin" user by letting the login window time out, just
like the local user on the first console.
Note that this can make a system quite insecure, and thus is
off by default.
RelaxPermissions
RelaxPermissions=0
By default GDM ignores files and directories writable by
users other than the owner.
Changing the value of RelaxPermissions makes it
possible to alter this behaviour:
0 - Paranoia option. Only accepts user owned files and directories.
1 - Allow group writable files and directories.
2 - Allow world writable files and directories.
RetryDelay
RetryDelay=3
The number of seconds GDM should wait before
reactivating the entry field after a failed login.
SessionMaxFile
SessionMaxFile=524288
GDM will refuse to read session files bigger than this
number (specified in bytes). This can be bigger than
UserMaxFile, since these are never read into memory, and
so it is harder to "attack" gdm in this way.
In addition to the size check both
gdm and
gdmlogin are extremely picky
about accessing files in user directories. Neither
will follow symlinks and they can optionally refuse to
read files and directories writable by other than the
owner. See the RelaxPermissions option for more info.
However, for the session files, GDM is not as picky. If you
set RelaxPermissions to 0, GDM will assume it to be 1 for
the case of session files. This is unfortunately necessary,
because otherwise the session files could never be read in.
UserMaxFile
UserMaxFile=65536
GDM will refuse to read/write files bigger than this number
(specified in bytes).
In addition to the size check both
gdm and
gdmlogin are extremely picky
about accessing files in user directories. Neither
will follow symlinks and they can optionally refuse to
read files and directories writable by other than the
owner. See the RelaxPermissions option for more info.
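The checks described for files in user directories (no symlinks, owner only, write bits limited by RelaxPermissions, size limited by UserMaxFile) can be modelled as below. This is an added example, not GDM's own code; the function name, the reason strings and the sample files are constructed for illustration, and only regular files are covered.

```python
import os
import stat
import tempfile


def file_is_acceptable(path, uid, relax_permissions=0, max_size=65536):
    """Return (ok, reason) for a file in a user's directory."""
    try:
        st = os.lstat(path)  # lstat so a symlink is seen, not followed
    except OSError as exc:
        return False, "cannot stat: " + exc.strerror
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != uid:
        return False, "not owned by user"
    # RelaxPermissions: 0 owner-only, 1 allows group write, 2 allows world write
    if relax_permissions < 1 and st.st_mode & stat.S_IWGRP:
        return False, "group writable"
    if relax_permissions < 2 and st.st_mode & stat.S_IWOTH:
        return False, "world writable"
    if st.st_size > max_size:  # UserMaxFile, in bytes
        return False, "too large"
    return True, "ok"


def demo():
    """Check constructed sample files created in a private temp directory."""
    uid = os.getuid()
    out = {}
    with tempfile.TemporaryDirectory() as d:
        def make(name, mode, size=16):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(b"x" * size)
            os.chmod(p, mode)
            return p

        good = make("Xauthority", 0o600)
        group = make("group", 0o660)
        world = make("world", 0o666)
        big = make("big", 0o600, size=65537)
        link = os.path.join(d, "link")
        os.symlink(good, link)

        out["good"] = file_is_acceptable(good, uid)
        out["wrong_owner"] = file_is_acceptable(good, uid + 1)
        out["group_at_0"] = file_is_acceptable(group, uid, 0)
        out["group_at_1"] = file_is_acceptable(group, uid, 1)
        out["world_at_1"] = file_is_acceptable(world, uid, 1)
        out["world_at_2"] = file_is_acceptable(world, uid, 2)
        out["big"] = file_is_acceptable(big, uid)
        out["symlink"] = file_is_acceptable(link, uid)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A check followed by a separate open is open to a race; code that acts on the result should open the file without following symlinks and repeat the checks on the open descriptor.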
VerboseAuth
VerboseAuth=true
Specifies whether GDM should print authentication errors
in the message field in the greeter. Unlike in the past
having this option be true is no longer a security risk.
It will not specify if username or password was wrong, as
both result in the same error. However it will give a
different error when for example root login is disallowed
and root logs in, or if a user with a disabled login tries
to log in (only after the user succeeds). No verbose
information about the login is given until a user is verified.
To prevent attackers from filling up the pending
queue, GDM will only allow one connection for each
remote machine. If you want to provide display
services to machines with more than one screen, you
should increase the DisplaysPerHost value accordingly.
Note that the number of connections from the local
machine is unlimited. Only remote connections
are limited by this number.
Enable
Enable=false
Setting this to true enables XDMCP support allowing remote displays/X
terminals to be managed by GDM.
gdm listens for requests on UDP
port 177. See the Port option for more information.
If GDM is compiled to support it, access from remote displays
can be controlled using the TCP Wrappers library. The service name is
gdm. You should add
gdm: .my.domain
to your /etc/hosts.allow. See the
hosts_access(5) man page for details.
Please note that XDMCP is not a particularly secure protocol
and that it is a good idea to block UDP port 177 on your
firewall unless you really need it.
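A small audit of the login and XDMCP settings described above, using the defaults this page lists. This is an added example, not part of GDM; the section names [daemon], [security] and [xdmcp], the sample file and the wording of the notes are assumptions made for illustration.

```python
import configparser

# Constructed sample. Section names [daemon], [security] and [xdmcp] are
# assumptions; the text above names the keys but not every section.
SAMPLE = """\
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=kiosk
TimedLoginEnable=false

[security]
AllowRemoteRoot=true
AllowRemoteAutoLogin=false
RelaxPermissions=2

[xdmcp]
Enable=true

[greeter]
Welcome=Welcome to %n
"""

def audit(text):
    """Return a list of (section/key, note) for settings worth reviewing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; configparser lowercases by default
    cp.read_string(text)

    def val(section, key, default):
        return cp.get(section, key, fallback=default).strip()
    def on(section, key, default):
        return val(section, key, default).lower() == "true"

    found = []
    if on("daemon", "AutomaticLoginEnable", "false"):
        user = val("daemon", "AutomaticLogin", "")
        found.append(("daemon/AutomaticLoginEnable",
                      "user %r is logged in at boot with no password" % user))
    timed = on("daemon", "TimedLoginEnable", "false")
    if timed:
        found.append(("daemon/TimedLoginEnable",
                      "idle login screen logs in without a password"))
    if val("security", "RelaxPermissions", "0") != "0":
        found.append(("security/RelaxPermissions",
                      "group or world writable user files are accepted"))
    if on("xdmcp", "Enable", "false"):
        found.append(("xdmcp/Enable",
                      "XDMCP requests are accepted on the UDP port set by Port"))
        if on("security", "AllowRemoteRoot", "true"):
            found.append(("security/AllowRemoteRoot",
                          "root may log in over XDMCP"))
        if timed and on("security", "AllowRemoteAutoLogin", "false"):
            found.append(("security/AllowRemoteAutoLogin",
                          "remote displays can time out into TimedLogin"))
    return found

if __name__ == "__main__":
    for key, note in audit(SAMPLE):
        print(key + ": " + note)
```

The remote checks are only reported when XDMCP is enabled, since AllowRemoteRoot and AllowRemoteAutoLogin have no effect otherwise.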
HonorIndirect
HonorIndirect=true
Enables XDMCP INDIRECT choosing (i.e. remote execution
of gdmchooser) for X-terminals
which don't supply their own display browser.
MaxPending
MaxPending=4
To avoid denial of service attacks, GDM has a fixed size
queue of pending connections. Only MaxPending displays
can start at the same time.
Please note that this parameter does *not* limit the
number of remote displays which can be managed. It only
limits the number of displays initiating a connection
simultaneously.
MaxPendingIndirect
MaxPendingIndirect=4
GDM will only provide MaxPendingIndirect displays with
host choosers simultaneously.
MaxSessions
MaxSessions=16
Determines the maximum number of remote display
connections which will be managed
simultaneously. I.e. the total number of remote displays
that can use your host.
MaxWait
MaxWait=30
When GDM is ready to manage a display an ACCEPT packet
is sent to it containing a unique session id which will
be used in future XDMCP conversations.
GDM will then place the session id in the pending queue
waiting for the display to respond with a MANAGE request.
If no response is received within MaxWait seconds, GDM
will declare the display dead and erase it from the pending
queue freeing up the slot for other displays.
MaxWaitIndirect
MaxWaitIndirect=30
The MaxWaitIndirect parameter determines the maximum
number of seconds between the time when a user chooses
a host and the subsequent indirect query where the user is
connected to the host. When the timeout is exceeded, the
information about the chosen host is removed and the indirect
slot freed up for other displays.
Port
Port=177
The UDP port number gdm should
listen to for XDMCP requests. Don't change this unless
you know what you're doing.
PingInterval
PingInterval=5
Interval, in minutes, at which to ping the X server. If the
X server doesn't return before the next time we ping it,
the connection is stopped and the session ended. This is
a combination of the xdm PingInterval and PingTimeout.
Willing
Willing=etc/gdm/Xwilling
When the server sends a WILLING packet back after a QUERY
it sends a string that gives the current status of this
server. The default message is the system ID, but it is
possible to create a script that displays a customized
message. If this script doesn't exist or this key is
empty the default message is sent. If this script succeeds
and produces some output, the first line of its output
is sent (and only the first line). It runs at most once
every 3 seconds to prevent possible denial of service
by flooding the server with QUERY packets.
Set to true to enable the face browser. See the ``Greeter''
section for more information on the face browser.
ConfigAvailable
ConfigAvailable=true
Allow the configurator to be run from the greeter. Note that
the user will need to type in the root password before the
configurator is run however. See the Configurator option
in the daemon section.
DefaultFace
DefaultFace=share/pixmaps/nophoto.png
Default icon file for users without a personal picture
in ~/gnome/photo. The image must be
in an Imlib supported format and the file must be
readable for the gdm user.
DefaultLocale
DefaultLocale=english
This language is used for the session if nothing is
specified in ~user/.gnome/gdm and
the user didn't select a language in the Locale menu in
the greeter.
Font to use for the welcome message in the greeter.
GlobalFaceDir
GlobalFaceDir=share/faces/
Systemwide directory for face files. The sysadmin can
place icons for users here without touching their
homedirs. Faces are named after their users' logins.
I.e. <GlobalFaceDir>/johndoe
would contain the face icon for the user ``johndoe''. No
image format extension should be specified.
The face images must be stored in Imlib supported formats and
they must be readable for the GDM user.
A user's own icon file will always take precedence over the sysadmin
provided one.
Icon
Icon=share/pixmaps/gdm.xpm
Icon to use for gdmlogin when it's
in the iconified state. The image must be in an Imlib
supported format and it must be readable for the GDM
user. If no file is specified the iconify feature is
disabled.
LocaleFile
LocaleFile=etc/gdm/locale.alias
File in GNU locale format with entries for all supported
languages on the system.
Logo
Logo=share/pixmaps/gnome-logo-large.png
Image file to display in the logo box. The file must be
in an Imlib supported format and it must be readable by
the GDM user. If no file is specified the logo feature
is disabled.
Quiver
Quiver=true
Controls whether gdmlogin should
shake the display when an incorrect username/password is
entered.
SystemMenu
SystemMenu=false
Turns the Shutdown/Halt menu on/off.
TitleBar
TitleBar=true
Display the title bar in the greeter.
Use24Clock
Use24Clock=false
Force the use of 24 hour clock even if the locale would default
to a 12 hour clock. In some locales that normally use 24 hour
format (like cs_CZ) this setting has no effect.
Welcome
Welcome=Welcome to %n
Controls which text to display next to the logo image in the
greeter. The following control chars are supported:
%% — the `%' character
%d — display's hostname
%h — Fully qualified hostname
%m — machine (processor type)
%n — Nodename (i.e. hostname without .domain)
%r — release (OS version)
%s — sysname (i.e. OS)
XineramaScreen
XineramaScreen=0
If the Xinerama extension is active the login window
will be centered on this physical screen (use 0 for
the first screen, 1 for the second, and so on).
BackgroundColor
BackgroundColor=#007777
If the BackgroundType is 2, use this color in the background
of the greeter. Also use it as the back of transparent images
set on the background and if the BackgroundRemoteOnlyColor
is set and this is a remote display.
BackgroundImage
BackgroundImage=somefile.png
If the BackgroundType is 1, then display this file as the
background in the greeter.
BackgroundProgram
BackgroundProgram=/usr/bin/xeyes
If set, this program will be run in the background while
the login window is being displayed. Note that not all
programs will run this way, since gdm does not usually have
a home directory. You could set up a home directory for the
gdm user if you wish to run applications which require it.
BackgroundRemoteOnlyColor
BackgroundRemoteOnlyColor=true
On remote displays only set the color background. This is
to make network load lighter. The BackgroundProgram is also
not run.
BackgroundScaleToFit
BackgroundScaleToFit=true
Scale background image to fit the screen.
BackgroundType
BackgroundType=2
The type of background to set. 0 is none, 1 is image and 2
is color.
SetPosition
SetPosition=true
If true the position of the login window is determined
by PositionX/PositionY.
PositionX
PositionX=200
The horizontal position of the login window.
PositionY
PositionY=100
The vertical position of the login window.
ShowGnomeChooserSession
ShowGnomeChooserSession=true
Should the greeter show the Gnome Chooser session when
a session named 'Gnome' is also present.
ShowGnomeFailsafeSession
ShowGnomeFailsafeSession=true
Should the greeter show the Gnome Failsafe session
in the sessions list.
ShowXtermFailsafeSession
ShowXtermFailsafeSession=true
Should the greeter show the Xterm Failsafe session
in the sessions list.
If true, the chooser will broadcast a query to the local
network and collect responses. This way the chooser will
always show all available managers on the network. If you
need to add some hosts not local to this network, or if you
don't want to use Broadcast, you can list them in the Hosts
key.
DefaultHostImage
DefaultHostImage=share/pixmaps/nohost.png
File name for the default host icon. This image will be
displayed if no icon is specified for a given host. The
file must be in an Imlib supported format and it must be
readable for the GDM user.
HostImageDir
HostImageDir=share/hosts
Repository for host icon files. The sysadmin can place
icons for remote hosts here and they will appear in
gdmchooser.
The file name must match the fully qualified name (FQDN) for
the host. The icons must be stored in Imlib supported formats
and they must be readable to the gdm user.
Hosts
Hosts=host1,host2
The hosts which should be listed in the chooser. The chooser
will only list them if they respond. This is done in addition
to broadcast (if Broadcast is set), so you need not list
hosts on the local network. This is useful if your
networking setup doesn't allow all hosts to be reachable
by a broadcast packet.
ScanTime
ScanTime=3
Specifies how many seconds the chooser should wait for
replies to its BROADCAST_QUERY.
To set up X servers, you need to provide gdm with
information about the installed X servers. You can
have as many different definitions as you wish, each
identified with a unique name. The name Standard
is required. If you do not specify this server, gdm
will assume default values for a 'Standard' server
and the path given by daemon/StandardXServer.
Standard is used as the default
in situations when no other server has been defined.
Servers are defined by sections named server-
followed by the identifier of this server. This should be a
simple ASCII string with no spaces. If you use the GUI
configurator, it will use random words for these. These will
not be user visible; they are just needed to uniquely identify the
server.
[server-Standard]
name
name=Standard server
The name that will be displayed to the user.
command
command=/usr/bin/X11/X
The command to execute, with full path to the binary
of the X server, and any extra arguments needed.
flexible
flexible=true
Indicates if this server is available as a choice when a
user wishes to run a flexible server.
Control section for local X servers. Each line indicates
the local display number and the command that needs to
be run to start the X server(s).
The command can either be a path to an X executable, or
a name of one of the server definitions. This can be
followed by some arguments that should be passed to the
X server when executed.
The gdm daemon doesn't require the numbers to be in
order or to be "packed". However, when you use
the GUI configurator, the servers will always start from
0 and go up by 1, leaving no holes.
Before running the server, GDM will splice "-auth
<ServAuthDir>/:n.Xauth :n", where n is
the display number, into the command line before all
other arguments.
On some systems it is necessary for gdm to know on which
virtual consoles to run the X server. In this case,
(if running XFree86) add "vt7" to the command line for example
to run on virtual console 7.