Our security department is asking that we display a message to users that alerts them that it is a company system. This message should not be a welcome message and it should be a message pop up that must be dismissed before being able to log in. I'm trying to figure some way to do this in both a graphical environment and a runlevel 3 console environment.

As for RL3, we currently display a ssh banner that issues similar warnings to the users before logging in. But it's not a message that has to be dismissed before logging in, and is technically not acceptable according to our security guys.

I would approach this problem by creating spoofs of the login programs. Find out the names of the two login programs you are using, one graphical and one command line. Change the names of these two programs to unique names. Then write replacements for these two programs. The replacement programs will display your security message. When the user dismisses the message the programs will then execute the normal login programs under their unique names.

-----------------------
Steve Stites

assuming you're staying with gdm on the X side, you can write a script for the /etc/X11/gdm/PostLogin/ directory using zenity to require a usage box. if a script executed in there returns 1 (condusive with a rejection of terms) the login would be terminated. equivalent for a console could be done in many ways, potentially with a dialog box triggered via pam_script.

Hmmm? Fork GDM???

I don't think of it as a fork. I think of it as a front end to GDM. You could accomplish the same thing without renaming GDM by finding the scripts which call GDM and telling them to call the front end which then calls GDM after the user acknowledges the message.

After thinking about your comment, renaming GDM is probably not a good idea and changing the calling script to call the front end is probably better. The same is also true for whatever dialog script front end is written for the console login.

---------------------
Steve Stites

Looking through /etc/gdm/gdm.conf I see a Greeter= line under [daemon] which is currently set to /usr/lib/gdm/gdmgreeter. I would think this would let you specify your own "pre-greeter" in gdm.conf-custom which in turn could (after "I Agree" or whatever) call the existing gdmgreeter. But I don't have near enough knowledge to know what the content of the custom "pre-greeter" should be.

i'm totally lost here guys... gdm already provides the exact framework that is being sought here... why is there any discussion of fundamentally changing it??

My original thought was that cambie is going to have to write a program to create the dialog box that he wants. The dialog box displays a security message and then goes away after the user clicks acknowledgment and the normal login screen is displayed. I don't think GDM can be configured to do this as GDM is currently written. GDM allows you to specify a welcome message but you cannot make this welcome message interactive.

The discussion has moved along to where blackhole54 is suggesting that the best place to start the dialog box is in the GDM control file gdm.conf-custom. cambie could write his custom dialog box and tell GDM to use cambie's program in place of GDM's greeter and remote greeter. After reading the web page linked to below I think that blackhole54's idea will probably work for both local and remote GDM logins.

http://palermo.linux.it/Documenti/Xgl/nvidia/gdm.conf

For init 3 logins I think that cambie will probably have to plug his custom dialog box somewhere into SSH, perhaps in sshd_config. I can find where to specify a SSH banner (/etc/issue.net) but I can't see any way to make the banner interactive.

----------------------
Steve Stites

nah.... nah...

as above, stick a script in the PostLogin directory and use Zenity to show a yes/no dialog. if you it no, pass the exit code out of the script, and the login session terminates. it's all there already.

as for init 3, pam_script would cover all angles implicitly, and use a very similar model to the gdm one too - nice to keep things arhitecurally similar even if they are totally isolated.

Wouldn't that put the message up after the user entered credentials? I thought the OP wanted it before.

BTW, I thought my suggestion was using the existing framework.