GDM - X Windows login banners

A few tidbits on setting a login banner with GDM:

 

First method used:

In the past, to create a login banner for the GUI/X Windows login, I have been editing /etc/X11/gdm/PreSession/Default (RHEL/SL 4) or /etc/gdm/PreSession/Default (RHEL/SL 5), putting the following in after the PATH declaration near the top:

 

# Login banner
/usr/bin/gdialog --yesno "NOTICE TO USERS \n\nThis is a Federal computer system (and/or it is directly connected to a BNL local network system) and is the property of the United States Government.  \nIt is for authorized use only.  \nUsers (authorized or unauthorized) have no explicit or implicit expectation of privacy.  \nAny or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to \nauthorized site, Department of Energy, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.  \n\nBy using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure \nat the discretion of authorized site or Department of Energy personnel.  \n\nUnauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties.  \n\nBy continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.  \n\nLOG OFF IMMEDIATELY (by clicking No or Cancel) if you do not agree to the conditions stated in this warning.  \nClicking Yes or OK indicates that you accept these conditions." 10 100
if ( test 1 -eq $? ); then
    # To avoid staring at a blank screen for next 10 second,
    # and to miss the date with xsession-error dialog
    gdialog --infobox "Logging Out in 10secs" 1 20 &
    sleep 10
    exit 1
fi


 

This pops up the login banner text AFTER a user enters successful credentials.  There are also buttons for Yes/OK or No/Cancel (whether it is "Yes and No" or "Ok and Cancel" depends on whether it is RHEL/SL4 or 5).   A nice feature of this method is that it requires (nominally) an action on the user's part upon logging in to acknowledge the banner.

However, this banner is not present on the login screen itself, so to a passing observer (e.g. a DOE auditor) it isn't obvious that a banner is used for the graphical login.

 

Second Method Used:

I investigated alternatives and came up with the following that could be used as an alternative (or in addition) to the above method.  This will place the banner text in the login box itself, above the user name entry.  Edit /etc/gdm/custom.conf (RHEL/SL 5) or /etc/X11/gdm/gdm.conf (RHEL/SL 4 - though I haven't as of this writing actually tried this on RHEL/SL 4) with the following sections:

 

[daemon]

Greeter=/usr/libexec/gdmlogin


[greeter]

DefaultWelcome=false
Welcome=Welcome to %h \\n\\nNOTICE TO USERS \\nThis is a Federal computer system (and/or it is directly connected to a BNL local network system), \\nand it is the property of the United States Government.  \\n\\nIt is for authorized use only.  Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.  \\n\\nAny or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, \\n inspected, and disclosed to authorized site, Department of Energy, and law enforcement personnel, \\nas well as authorized officials of other agencies, both domestic and foreign.  \\n\\nBy using this system, the user consents to such interception, monitoring, recording, copying, auditing, \\ninspection, and disclosure at the discretion of authorized site or Department of Energy personnel.  \\n\\nUnauthorized or improper use of this system may result in administrative disciplinary action and civil and \\ncriminal penalties.  \\n\\nBy continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
RemoteWelcome=NOTICE TO USERS \\nThis is a Federal computer system (and/or it is directly connected to a BNL local network system), \\nand it is the property of the United States Government.  \\n\\nIt is for authorized use only.  Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.  \\n\\nAny or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, \\n inspected, and disclosed to authorized site, Department of Energy, and law enforcement personnel, \\nas well as authorized officials of other agencies, both domestic and foreign.  \\n\\nBy using this system, the user consents to such interception, monitoring, recording, copying, auditing, \\ninspection, and disclosure at the discretion of authorized site or Department of Energy personnel.  \\n\\nUnauthorized or improper use of this system may result in administrative disciplinary action and civil and \\ncriminal penalties.  \\n\\nBy continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.


(Note - there can be no line breaks in the Welcome and RemoteWelcome text lines in the .conf file, so a straight cut and paste from the browser will require a little editing.  Also, the login dialogue box does not wrap text - if the line is very long, it simply disappears off the screen.  With a lot of experimentation, I found that "\\n" will produce a line break in the text on screen, but the exact location for best fit will vary from screen to screen, depending on resolution, fonts and possibly other things, so it may take a bit of work to get it "just right" on any particular screen.  The line breaks inserted in the example above looked good on a 1600x1200 screen with no other gdm customizations.  YMMV.)
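
Because the greeter neither wraps text nor accepts real line breaks in these values, it is easier to generate them from a plain-text banner file than to edit them by hand. The following is an added example, not part of the original page: the function names are hypothetical, and the width of 100 columns is an assumption to tune per screen.

```sh
#!/bin/sh
# Added example: build single-line Welcome=/RemoteWelcome= values from a
# plain-text banner file. Function names are illustrative, not from GDM.

# banner_to_welcome [WIDTH] < banner.txt
# Wraps each input line at WIDTH columns (breaking at spaces), then joins
# all lines with the two-backslash-n sequence used in the .conf example.
banner_to_welcome() {
    fold -s -w "${1:-100}" | awk '
        { sub(/[ \t\r]+$/, "") }          # drop trailing blanks left by fold
        NR > 1 { printf "%s", "\\\\n" }    # emits \\n between lines
        { printf "%s", $0 }
        END { printf "\n" }'
}

# greeter_lines [WIDTH] < banner.txt
# Prints the three [greeter] keys from the second method, ready to paste.
# Blank lines in the banner file become paragraph breaks on screen.
greeter_lines() {
    text=$(banner_to_welcome "${1:-100}")
    printf 'DefaultWelcome=false\n'
    printf 'Welcome=Welcome to %%h \\\\n\\\\n%s\n' "$text"
    printf 'RemoteWelcome=%s\n' "$text"
}

# Usage: greeter_lines 100 < /etc/DOE_banner
```

Rerun with a smaller or larger width until the text fits the login box on the target display.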

 

 There are additional control characters to insert information (such as %h used in the example above).  For starters, a list of some can be found here:  http://library.gnome.org/admin/gdm/2.16/configuration.html.en#greetersection

 

If your changes to these files don't seem to be taking hold, try this: 

gdmflexiserver --command="UPDATE_CONFIG greeter/Welcome"

(and so on for each [section]/value that you have edited).  There are other ways to accomplish this, such as "gdm-restart" (which is immediate, even if a user is logged in) or the gentler "gdm-safe-restart" which will cause the restart to happen only after all users log out.

It may also be possible to set the Banner using the "gdmsetup" GUI configuration tool.

 

RHEL6:

With RHEL 6 comes yet another variation:

 

su -s /bin/sh gdm

gconftool-2 --direct --config-source=xml:readwrite:$HOME/.gconf --type bool --set /apps/gdm/simple-greeter/banner_message_enable true

gconftool-2 --direct --config-source=xml:readwrite:$HOME/.gconf --type string --set /apps/gdm/simple-greeter/banner_message_text "$(cat /etc/DOE_banner)"


To make the text left justified, edit /usr/share/gdm/gdm-greeter-login-window.ui.  Find this line:

<property name="justify">center</property>

and replace "center" with "left".

 

Yet another possibility:

Here's another method, suggested by Tom Throwe on the Linux Working Group list at BNL.  It is slightly troubling as a stand-alone solution, because it presents a message window that does not reappear once dismissed.  One person could hit OK on the banner, then walk away for some reason - another person walking up and logging in would then see no banner.

In RHEL 5 running gdm, the banner can be displayed by adding the path to
the banner with InfoMsgFile in the [greeter] section of
/etc/gdm/custom.conf.

The [greeter] section should look like:

[greeter]
InfoMsgFile=<path to banner file>

I suspect that the above is true of gdm in general, so it should work in
other distributions.  For RHEL 4, the InfoMsgFile line is put in gdm.conf.
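
To confirm on each host that the on-screen banner from the second method is actually configured, a small audit check can read the [greeter] section. This is an added example, not part of the original page: the function names are hypothetical, it assumes DefaultWelcome must be false as in the example above, and it flags stray lines that a wrapped cut and paste would leave behind.

```sh
#!/bin/sh
# Added example: audit a GDM 2.x config file for the [greeter] banner keys.

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION] (last wins).
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == sec {
            i = index($0, "=")
            if (i && substr($0, 1, i - 1) == key) val = substr($0, i + 1)
        }
        END { if (val != "") print val }' "$1"
}

# check_gdm_banner FILE: print findings; return 0 only if the banner text is
# set for local and remote greeters and no value was broken across lines.
check_gdm_banner() {
    conf=$1 rc=0
    for key in Welcome RemoteWelcome; do
        if [ -n "$(ini_get "$conf" greeter "$key")" ]; then
            echo "OK   $key is set"
        else
            echo "FAIL $key is missing or empty"; rc=1
        fi
    done
    if [ "$(ini_get "$conf" greeter DefaultWelcome)" != false ]; then
        echo "FAIL DefaultWelcome is not false"; rc=1
    fi
    # Non-comment lines in [greeter] without "=" suggest a wrapped value.
    stray=$(awk '/^[ \t]*\[/ { g = ($0 ~ /\[greeter\]/); next }
        g && NF && !/^[ \t]*#/ && !/=/ { n++ }
        END { print n + 0 }' "$conf")
    if [ "$stray" -gt 0 ]; then
        echo "FAIL $stray line(s) in [greeter] without key=value"; rc=1
    fi
    if [ -n "$(ini_get "$conf" greeter InfoMsgFile)" ]; then
        echo "NOTE InfoMsgFile is set (pop-up can be dismissed)"
    fi
    return $rc
}

# Usage: check_gdm_banner /etc/gdm/custom.conf
```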