1
<?xml version="1.0" encoding="utf-8"?>
2
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
3
<!ENTITY legal SYSTEM "legal.xml">
4
<!ENTITY version "2.26.0">
5
<!ENTITY date "02/10/2009">
6
<!ENTITY mdash "—">
7
<!ENTITY percnt "%">
9
<article id="index" lang="id">
11
<title>Panduan Acuan Manajer Tampilan GNOME</title>
15
<revnumber>0.0</revnumber>
20
<abstract role="description">
21
<para>GDM adalah Manajer Tampilan GNOME, suatu program log masuk grafis.</para>
26
<firstname>Martin</firstname><othername>K.</othername>
27
<surname>Petersen</surname>
29
<address><email>mkp@mkp.net</email></address>
33
<firstname>George</firstname><surname>Lebl</surname>
35
<address><email>jirka@5z.com</email></address>
39
<firstname>Jon</firstname><surname>McCann</surname>
41
<address><email>mccann@jhu.edu</email></address>
45
<firstname>Ray</firstname><surname>Strode</surname>
47
<address><email>rstrode@redhat.com</email></address>
50
<author role="maintainer">
51
<firstname>Brian</firstname><surname>Cameron</surname>
53
<address><email>Brian.Cameron@Sun.COM</email></address>
60
<holder>Martin K. Petersen</holder>
66
<holder>George Lebl</holder>
72
<holder>Red Hat, Inc.</holder>
81
<holder>Sun Microsystems, Inc.</holder>
82
</copyright><copyright><year>2010.</year><holder>Andika Triwidada (andika@gmail.com)</holder></copyright>
84
<legalnotice id="legalnotice">
86
Permission is granted to copy, distribute and/or modify this
87
document under the terms of the GNU Free Documentation
88
License (GFDL), Version 1.1 or any later version published
89
by the Free Software Foundation with no Invariant Sections,
90
no Front-Cover Texts, and no Back-Cover Texts. You can find
91
a copy of the GFDL at this <ulink type="help" url="ghelp:fdl">link</ulink> or in the file COPYING-DOCS
92
distributed with this manual.
94
<para>Manual ini adalah bagian dari suatu koleksi manual GNOME yang disebarkan di bawah GDFL. Bila Anda ingin menyebarkan manual ini secara terpisah dari koleksi, Anda dapat melakukannya dengan menambahkan salinan lisensi ke manual, sebagaimana dijelaskan di bagian 6 dari lisensi.</para>
97
Many of the names used by companies to distinguish their
98
products and services are claimed as trademarks. Where those
99
names appear in any GNOME documentation, and the members of
100
the GNOME Documentation Project are made aware of those
101
trademarks, then the names are in capital letters or initial
106
DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT ARE PROVIDED
107
UNDER THE TERMS OF THE GNU FREE DOCUMENTATION LICENSE
108
WITH THE FURTHER UNDERSTANDING THAT:
112
<para>DOCUMENT IS PROVIDED ON AN "AS IS" BASIS,
113
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
114
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES
115
THAT THE DOCUMENT OR MODIFIED VERSION OF THE
116
DOCUMENT IS FREE OF DEFECTS MERCHANTABLE, FIT FOR
117
A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE
118
RISK AS TO THE QUALITY, ACCURACY, AND PERFORMANCE
119
OF THE DOCUMENT OR MODIFIED VERSION OF THE
120
DOCUMENT IS WITH YOU. SHOULD ANY DOCUMENT OR
121
MODIFIED VERSION PROVE DEFECTIVE IN ANY RESPECT,
122
YOU (NOT THE INITIAL WRITER, AUTHOR OR ANY
123
CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY
124
SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER
125
OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS
126
LICENSE. NO USE OF ANY DOCUMENT OR MODIFIED
127
VERSION OF THE DOCUMENT IS AUTHORIZED HEREUNDER
128
EXCEPT UNDER THIS DISCLAIMER; AND
132
<para>UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
133
THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE),
134
CONTRACT, OR OTHERWISE, SHALL THE AUTHOR,
135
INITIAL WRITER, ANY CONTRIBUTOR, OR ANY
136
DISTRIBUTOR OF THE DOCUMENT OR MODIFIED VERSION
137
OF THE DOCUMENT, OR ANY SUPPLIER OF ANY OF SUCH
138
PARTIES, BE LIABLE TO ANY PERSON FOR ANY
139
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
140
CONSEQUENTIAL DAMAGES OF ANY CHARACTER
141
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
142
OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR
143
MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR
144
LOSSES ARISING OUT OF OR RELATING TO USE OF THE
145
DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT,
146
EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF
147
THE POSSIBILITY OF SUCH DAMAGES.
156
<releaseinfo>Manual ini menjelaskan Manajer Tampilan GNOME versi 2.26.0. Terakhir diperbarui pada 02/10/2009.</releaseinfo>
159
<!-- ============= Preface ================================== -->
162
<title>Istilah dan Konvensi yang Dipakai di Manual Ini</title>
164
<para>Manual ini menjelaskan Manajer Tampilan GNOME versi 2.26.0. Terakhir diperbarui pada 02/10/2009.</para>
166
<para>Chooser - Suatu program yang dipakai untuk memilih suatu host jauh untuk mengelola tampilan dari jauh pada tampilan yang tersambung (<command>gdm-host-chooser</command>).</para>
168
<para>FreeDesktop - Organisasi yang menyediakan standar desktop, seperti misalnya Spesifikasi Entri Desktop yang dipakai oleh GDM. <ulink type="http" url="http://www.freedesktop.org/"> http://www.freedesktop.org</ulink>.</para>
169
<para>GDM - Manajer Tampilan GNOME. Dipakai untuk menjelaskan paket perangkat lunak secara utuh.</para>
172
Greeter - The graphical login window (<command>gdm-simple-greeter</command>).
175
<para>PAM - Pluggable Authentication Mechanism</para>
177
<para>XDMCP - X Display Manage Protocol</para>
180
Xserver - An implementation of the X Window System. For example the
181
Xorg Xserver provided by the X.org Foundation
182
<ulink type="http" url="http://www.x.org/">http://www.x.org</ulink>.
186
Paths that start with a word in angle brackets are relative to the
187
installation prefix. I.e. <filename><share>/pixmaps/</filename>
188
refers to <filename>/usr/share/pixmaps</filename> if GDM was
189
configured with <command>--prefix=/usr</command>.
193
<!-- ============= Overview ================================= -->
195
<sect1 id="overview">
196
<title>Ringkasan</title>
198
<sect2 id="introduction">
199
<title>Perkenalan</title>
202
The GNOME Display Manager (GDM) is a display manager that implements
203
all significant features required for managing attached and remote
204
displays. GDM was written from scratch and does not contain any XDM or
209
Note that GDM is configurable, and many configuration settings have
210
an impact on security. Issues to be aware of are highlighted in this
215
Please note that some Operating Systems configure GDM to behave
216
differently than the default values as described in this document. If
217
GDM does not seem to behave as documented, then check to see if any
218
related configuration may be different than described here.
222
For further information about GDM, refer to the project website at
223
<ulink type="http" url="http://www.gnome.org/projects/gdm/">
224
http://www.gnome.org/projects/gdm</ulink> and the project
225
Wiki <ulink type="http" url="http://live.gnome.org/GDM">
226
http://live.gnome.org/GDM</ulink>.
230
For discussion or queries about GDM, refer to the
231
<address><email>gdm-list@gnome.org</email></address> mail list. This
232
list is archived, and is a good resource to check to seek answers to
233
common questions. This list is archived at
234
<ulink type="http" url="http://mail.gnome.org/archives/gdm-list/">
235
http://mail.gnome.org/archives/gdm-list/</ulink> and has a search
236
facility to look for messages with keywords.
240
Please submit any bug reports or enhancement requests to the
242
<ulink type="http" url="http://bugzilla.gnome.org/">
243
http://bugzilla.gnome.org</ulink>.
247
<sect2 id="stability">
248
<title>Stabilitas Antar Muka</title>
251
GDM 2.20 and earlier supported stable configuration interfaces.
252
However, the codebase was completely rewritten for GDM 2.22, and
253
is not completely backward compatible with older releases. This is
254
in part because things work differently, so some options just don't
255
make sense, in part because some options never made sense, and in
256
part because some functionality has not been reimplemented yet.
260
Interfaces which continue to be supported in a stable fashion include
261
the Init, PreSession, PostSession, PostLogin, and Xsession scripts.
262
Some daemon configuration options in the
263
<filename><etc>/gdm/custom.conf</filename> file continue to be
264
supported. Also, the <filename>~/.dmrc</filename>, and face browser
265
image locations are still supported.
269
GDM 2.20 and earlier supported the ability to manage multiple displays
270
with separate graphics cards, such as used in terminal server
271
environments, login in a window via a program like Xnest or Xephyr, the
272
gdmsetup program, XML-based greeter themes, and the ability to run the
273
XDMCP chooser from the login screen. These features were not
274
added back during the 2.22 rewrite.
279
<sect2 id="functionaldesc">
280
<title>Penjelasan Fungsional</title>
284
TODO - Would be good to discuss D-Bus, perhaps the new GObject model,
285
and to explain the reasons why the rewrite made GDM better.
286
From a high-level overview perspective, rather than the
292
GDM is responsible for managing displays on the system. This includes
293
authenticating users, starting the user session, and terminating the
294
user session. GDM is configurable and the ways it can be configured
295
are described in the "Configuring GDM" section of this
296
document. GDM is also accessible for users with disabilities.
300
GDM provides the ability to manage the main console display, and
301
displays launched via VT. It is integrated with other programs,
302
such as the Fast User Switch Applet (FUSA) and gnome-screensaver
303
to manage multiple displays on the console via the Xserver Virtual
304
Terminal (VT) interface. It also can manage XDMCP displays.
308
Regardless of the display type, GDM will do the following when it
309
manages the display. It will start an Xserver process, then run the
310
<filename>Init</filename> script as the root user, and start the
311
greeter program on the display.
315
The greeter program is run as the unprivileged "gdm"
316
user/group. This user and group are described in the
317
"Security" section of this document. The main function of
318
the greeter program is to authenticate the user. The authentication
319
process is driven by Pluggable Authentication Modules (PAM). The PAM
320
modules determine what prompts (if any) are shown to the user to
321
authenticate. On the average system, the greeter program will request
322
a username and password for authentication. However some systems may
323
be configured to use alternative mechanisms such as a fingerprint or
324
SmartCard reader. GDM and PAM can be configured to not require any
325
input, which will cause GDM to automatically log in and simply
326
start a session, which can be useful for some environments, such as
331
In addition to authentication, the greeter program allows the user to
332
select which session to start and which language to use. Sessions are
333
defined by files that end in the .desktop suffix and more information
334
about these files can be found in the "GDM User Session and Language
335
Configuration" section of this document. By default, GDM is configured
336
to display a face browser so the user can select their user account by
337
clicking on an image instead of having to type their username. GDM
338
keeps track of the user's default session and language in the user's
339
<filename>~/.dmrc</filename> and will use these defaults if the user
340
did not pick a session or language in the login GUI.
344
After authenticating a user, the daemon runs the
345
<filename>PostLogin</filename> script as root, then runs the
346
<filename>PreSession</filename> script as root. After running these
347
scripts, the user session is started. When the user exits their
348
session, the <filename>PostSession</filename> script is run as root.
349
These scripts are provided as hooks for distributions and end-users
350
to customize how sessions are managed. For example, using these
351
hooks you could set up a machine which creates the user's $HOME
352
directory on the fly, and erases it on logout. The difference
353
between the <filename>PostLogin</filename> and
354
<filename>PreSession</filename> scripts is that
355
<filename>PostLogin</filename> is run before the pam_open_session call
356
so is the right place to do anything which should be run before the
357
user session is initialized. The <filename>PreSession</filename>
358
script is called after session initialization.
362
<sect2 id="greeterpanel">
363
<title>Panel Greeter</title>
365
The GDM greeter program displays a panel docked at the bottom of the
366
screen which provides additional functionality. When a user is
367
selected, the panel allows the user to select which session, language,
368
and keyboard layout to use after logging in. The keyboard layout
369
selector also changes the keyboard layout used when typing your
370
password. The panel also contains an area for login services to leave
371
status icons. Some example status icons include a battery icon for
372
current battery usage, and an icon for enabling accessibility features.
373
The greeter program also provides buttons which allow the user to
374
shutdown or restart the system. It is possible to configure GDM to not
375
provide the shutdown and restart buttons, if desired. GDM can also be
376
configured via PolicyKit (or via RBAC on Solaris) to require the user
377
have appropriate authorization before accepting the shutdown or restart
382
Note that keyboard layout features are only available on systems that
387
<sect2 id="accessibility">
388
<title>Aksesibilitas</title>
391
GDM supports "Accessible Login", allowing users to log into
392
their desktop session even if they cannot easily use the screen,
393
mouse, or keyboard in the usual way. Accessible Technology (AT)
394
features such as an on-screen keyboard, screen reader, screen
395
magnifier, and Xserver AccessX keyboard accessibility are available.
396
It is also possible to enable large text or high contrast icons and
397
controls, if needed. Refer to the "Accessibility
398
Configuration" section of the document for more information
399
how various accessibility features can be configured.
403
On some Operating Systems, it is necessary to make sure that the GDM
404
user is a member of the "audio" group for AT programs that
405
require audio output (such as text-to-speech) to be functional.
409
<sect2 id="facebrowser">
410
<title>Peramban Wajah GDM</title>
413
The Face Browser is the interface which allows users to select their
414
username by clicking on an image. This feature can be enabled or
415
disabled via the /apps/gdm/simple-greeter/disable_user_list GConf
416
key and is on by default. When disabled, users must type their
417
complete username by hand. When enabled, it displays all local users
418
which are available for login on the system (all user accounts defined
419
in the /etc/passwd file that have a valid shell and sufficiently high
420
UID) and remote users that have recently logged in.
421
The face browser in GDM 2.20 and earlier would attempt to display all
422
remote users, which caused performance problems in large,
423
enterprise deployments.
427
The Face Browser is configured to display the users who log in most
428
frequently at the top of the list. This helps to ensure that users
429
who log in frequently can quickly find their login image.
433
The Face Browser supports "type-ahead search" which dynamically
434
moves the face selection as the user types to the corresponding username
435
in the list. This means that a user with a long username will only
436
have to type the first few characters of the username before the correct
437
item in the list gets selected.
441
The icons used by GDM can be installed globally by the sysadmin or can
442
be located in the user's home directories. If installed globally
443
they should be in the <filename><share>/pixmaps/faces/</filename>
444
directory and the filename should be the name of the user. Face image
445
files should be a standard image that GTK+ can read, such as PNG or
446
JPEG. Face icons placed in the global face directory must be readable
452
TODO - In the old GDM the ~/gnome2/gdm file is used, but the new code
453
seems to use ~/.gnome/gdm. Error?
457
If there is no global icon for the user, GDM will look in the user's
458
$HOME directory for the image file. GDM will first look for the user's
459
face image in <filename>~/.face</filename>. If not found, it will try
460
<filename>~/.face.icon</filename>. If still not found, it will use the
461
value defined for "face/picture=" in the
462
<filename>~/.gnome2/gdm</filename> file.
466
If a user has no defined face image, GDM will use the
467
"stock_person" icon defined in the current GTK+ theme. If no
468
such image is defined, it will fallback to a generic face image.
472
Please note that loading and scaling face icons located in remote user
473
home directories can be a very time-consuming task. Since it not
474
practical to load images over NIS or NFS, GDM does not attempt to load
475
face images from remote home directories.
479
When the browser is turned on, valid usernames on the computer are
480
exposed for everyone to see. If XDMCP is enabled, then the usernames
481
are exposed to remote users. This, of course, limits security
482
somewhat since a malicious user does not need to guess valid usernames.
483
In some very restrictive environments the face browser may not be
494
TODO - What XDMCP features actually work? I know that the
500
The GDM daemon can be configured to listen for and manage X Display
501
Manage Protocol (XDMCP) requests from remote displays. By default
502
XDMCP support is turned off, but can be enabled if desired. If GDM is
503
built with TCP Wrapper support, then the daemon will only grant access
504
to hosts specified in the GDM service section in the TCP Wrappers
509
GDM includes several measures making it more resistant to denial of
510
service attacks on the XDMCP service. A lot of the protocol
511
parameters, handshaking timeouts, etc. can be fine tuned. The default
512
configuration should work reasonably on most systems.
516
GDM by default listens for XDMCP requests on the normal UDP port used
517
for XDMCP, port 177, and will respond to QUERY and BROADCAST_QUERY
518
requests by sending a WILLING packet to the originator.
522
GDM can also be configured to honor INDIRECT queries and present a
523
host chooser to the remote display. GDM will remember the user's
524
choice and forward subsequent requests to the chosen manager. GDM
525
also supports an extension to the protocol which will make it forget
526
the redirection once the user's connection succeeds. This extension
527
is only supported if both daemons are GDM. It is transparent and
528
will be ignored by XDM or other daemons that implement XDMCP.
532
If XDMCP seems to not be working, make sure that all machines are
533
specified in <filename>/etc/hosts</filename>.
537
Refer to the "Security" section for information about
538
security concerns when using XDMCP.
546
GDM uses syslog to log errors and status. It can also log debugging
547
information, which can be useful for tracking down problems if GDM is
548
not working properly. Debug output can be enabled by setting the
549
debug/Enable key to "true" in the
550
<filename><etc>/gdm/custom.conf</filename> file.
554
Output from the various Xservers is stored in the GDM log directory,
555
which is normally <filename><var>/log/gdm/</filename>. Any
556
Xserver messages are saved to a file associated with the display value,
557
<filename><display>.log</filename>.
561
The session output is piped through the GDM daemon to the
562
<filename>~/.xsession-errors</filename> file. The file is overwritten
563
on each login, so logging out and logging back into the same user via
564
GDM will cause any messages from the previous session to be lost.
568
Note that if GDM can not create this file for some reason, then a
569
fallback file will be created named <filename>~/.xsession-errors.XXXXXXXX</filename>
570
where the <filename>XXXXXXXX</filename> are some random characters.
575
<title>Pindah Pengguna Dengan Cepat</title>
578
GDM allows multiple users to be logged in at the same time. After one
579
user is logged in, additional users can log in via the User Switcher
580
on the GNOME Panel, or from the "Switch User" button in Lock Screen dialog
581
of GNOME Screensaver. The active session can be changed back and forth using
582
the same mechanism. Note that some distributions may not add the User Switcher
583
to the default panel configuration. It can be added using the panel context
587
Note this feature is available on systems that support Virtual
588
Terminals. This feature will not function if Virtual Terminals is not
594
<!-- ============= Security ================================= -->
596
<sect1 id="security">
597
<title>Keamanan</title>
600
<title>Grup dan Pengguna GDM</title>
603
For security reasons a dedicated user and group id are recommended for
604
proper operation. This user and group are normally "gdm" on
605
most systems, but can be configured to any user or group. All GDM
606
GUI programs are run as this user, so that the programs which interact
607
with the user are run in a sandbox. This user and group should have
612
The only special privilege the "gdm" user requires is the
613
ability to read and write Xauth files to the
614
<filename><var>/run/gdm</filename> directory. The
615
<filename><var>/run/gdm</filename> directory should have
616
root:gdm ownership and 1777 permissions.
620
You should not, under any circumstances, configure the GDM user/group
621
to a user which a user could easily gain access to, such as the user
622
<filename>nobody</filename>. Any user who gains access to an Xauth
623
key can snoop on and control running GUI programs running in the
624
associated session or perform a denial-of-service attack on it. It
625
is important to ensure that the system is configured properly so that
626
only the "gdm" user has access to these files and that it
627
is not easy to login to this account. For example, the account should
628
be setup to not have a password or allow non-root users to login to the
633
The GDM greeter configuration is stored in GConf. To allow the GDM
634
user to be able to write configuration, it is necessary for the
635
"gdm" user to have a writable $HOME directory. Users may
636
configure the default GConf configuration as desired to avoid the
637
need to provide the "gdm" user with a writable $HOME
638
directory. However, some features of GDM may be disabled if it is
639
unable to write state information to GConf configuration.
647
GDM uses PAM for login authentication. PAM stands for Pluggable
648
Authentication Module, and is used by most programs that request
649
authentication on your computer. It allows the administrator to
650
configure specific authentication behavior for different login programs
651
(such as ssh, login GUI, screensaver, etc.)
655
PAM is complicated and highly configurable, and this documentation does
656
not intend to explain this in detail. Instead, it is intended to give
657
an overview of how PAM configuration relates with GDM, how PAM is
658
commonly configured with GDM, and known issues. It is expected that
659
a person needing to do PAM configuration would need to do further
660
reading of PAM documentation to understand how to configure PAM and
661
to understand terms used in this section.
665
PAM configuration has different, but similar, interfaces on different
666
Operating Systems, so check the
667
<ulink type="help" url="man:pam.d">pam.d</ulink> or
668
<ulink type="help" url="man:pam.conf">pam.conf</ulink> man page for
669
details. Be sure you read the PAM documentation and are comfortable
670
with the security implications of any changes you intend to make to
675
Note that, by default, GDM uses the "gdm" PAM service name
676
for normal login and the "gdm-autologin" PAM service name for
677
automatic login. These services may not be defined in your pam.d or
678
pam.conf configured file. If there is no entry, then GDM will use the
679
default PAM behavior. On most systems this should work fine.
680
However, the automatic login feature may not work if the gdm-autologin
681
service is not defined.
685
The <filename>PostLogin</filename> script is run before
686
pam_open_session is called, and the <filename>PreSession</filename>
687
script is called after. This allows the system administrator to add
688
any scripting to the login process either before or after PAM
689
initializes the session.
693
If you wish to make GDM work with other types of authentication
694
mechanisms (such as a fingerprint or SmartCard reader), then you should
695
implement this by using a PAM service module for the desired
696
authentication type rather than by trying to modify the GDM code
697
directly. Refer to the PAM documentation on your system. How to do
698
this is frequently discussed on the
699
<address><email>gdm-list@gnome.org</email></address> mail list,
700
so you can refer to the list archives for more information.
704
PAM does have some limitations regarding being able to work with
705
multiple types of authentication at the same time, like supporting
706
the ability to accept either SmartCard and the ability to type the
707
username and password into the login program. There are techniques
708
that are used to make this work, and it is best to research how this
709
problem is commonly solved when setting up such a configuration.
713
If automatic login does not work on a system, check to see if the
714
"gdm-autologin" PAM stack is defined in the PAM configuration. For
715
this to work, it is necessary to use a PAM module that simply does no
716
authentication, or which simply returns PAM_SUCCESS from all of its
717
public interfaces. Assuming your system has a pam_allow.so PAM module
718
which does this, a PAM configuration to enable "gdm-autologin" would
723
gdm-autologin auth required pam_unix_cred.so.1
724
gdm-autologin auth sufficient pam_allow.so.1
725
gdm-autologin account sufficient pam_allow.so.1
726
gdm-autologin session sufficient pam_allow.so.1
727
gdm-autologin password sufficient pam_allow.so.1
731
The above setup will cause no lastlog entry to be generated. If a
732
lastlog entry is desired, then use the following for the session:
736
gdm-autologin session required pam_unix_session.so.1
740
If the computer is used by several people, which makes automatic login
741
unsuitable, you may want to allow some users to log in without entering
742
their password. This feature can be enabled as a per-user option in
743
the users-admin tool from the gnome-system-tools; it is achieved by
744
checking that the user is member a Unix group called
745
"nopasswdlogin" before asking for a password. For this to work,
746
the PAM configuration file for the "gdm" service must include
751
gdm auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
756
<sect2 id="utmpwtmp">
757
<title>utmp dan wtmp</title>
760
GDM generates utmp and wtmp User Accounting Database entries upon
761
session login and logout. The utmp database contains user access
762
and accounting information that is accessed by commands such as
763
<command>finger</command>, <command>last</command>,
764
<command>login</command>, and <command>who</command>. The wtmp
765
database contains the history of user access and accounting
766
information for the utmp database. Refer to the
767
<ulink type="help" url="man:utmp">utmp</ulink> and
768
<ulink type="help" url="man:wtmp">wtmp</ulink>
769
man pages on your system for more information.
774
<title>Skema Otentikasi Xserver</title>
777
Xserver authorization files are stored in a newly created subdirectory
778
of <filename><var>/run/gdm</filename> at start up. These files
779
are used to store and share a "password" between X clients
780
and the Xserver. This "password" is unique for each session
781
logged in, so users from one session can't snoop on users from another.
785
GDM only supports the MIT-MAGIC-COOKIE-1 Xserver authentication
786
scheme. Normally little is gained from the other schemes, and no
787
effort has been made to implement them so far. Be especially
788
careful about using XDMCP because the Xserver authentication cookie
789
goes over the wire as clear text. If snooping is possible, then an
790
attacker could simply snoop your authentication password as you log in,
791
regardless of the authentication scheme being used. If snooping is
792
possible and undesirable, then you should use ssh for tunneling an X
793
connection rather then using XDMCP. You could think of XDMCP as a sort
794
of graphical telnet, having the same security issues. In most cases,
795
ssh -Y should be preferred over GDM's XDMCP features.
800
<sect2 id="xdmcpsecurity">
801
<title>Keamanan XDMCP</title>
804
Even though your display is protected by cookies, XEvents and thus
805
keystrokes typed when entering passwords will still go over the wire in
806
clear text. It is trivial to capture these.
810
XDMCP is primarily useful for running thin clients such as in terminal
811
labs. Those thin clients will only ever need the network to access
812
the server, and so it seems like the best security policy to have
813
those thin clients on a separate network that cannot be accessed by
814
the outside world, and can only connect to the server. The only point
815
from which you need to access outside is the server. This type of set up
816
should never use an unmanaged hub or other sniffable network.
821
<sect2 id="xdmcpaccess">
822
<title>Kendali Akses XDMCP</title>
825
XDMCP access control is done using TCP wrappers. It is possible to
826
compile GDM without TCP wrapper support, so this feature may not be
827
supported on some Operating Systems.
831
You should use the daemon name <command>gdm</command> in the
832
<filename><etc>/hosts.allow</filename> and
833
<filename><etc>/hosts.deny</filename> files. For example to
834
deny computers from <filename>.evil.domain</filename> from logging in,
841
to <filename><etc>/hosts.deny</filename>. You may also need
848
to your <filename><etc>/hosts.allow</filename> if you normally
849
disallow all services from all hosts. See the
850
<ulink type="help" url="man:hosts.allow">hosts.allow(5)</ulink> man
855
<sect2 id="firewall">
856
<title>Keamanan Firewall</title>
859
Even though GDM tries to outsmart potential attackers trying to take
860
advantage of XDMCP, it is still advised that you block the XDMCP port
861
(normally UDP port 177) on your firewall unless really needed. GDM
862
guards against denial of service attacks, but the X protocol is still
863
inherently insecure and should only be used in controlled environments.
864
Also each remote connection takes up lots of resources, so it is much
865
easier to do a denial of service attack via XDMCP than attacking a
870
It is also wise to block all of the Xserver ports. These are TCP
871
ports 6000+ (one for each display number) on your firewall. Note that
872
GDM will use display numbers 20 and higher for flexible on-demand
877
X is not a very safe protocol when using it over the Internet, and
878
XDMCP is even less safe.
882
<sect2 id="policykit">
883
<title>PolicyKit</title>
887
TODO - Should we say more?
892
GDM may be configured to use PolicyKit to allow the system
893
administrator to control whether the login screen should provide
894
the shutdown and restart buttons on the greeter screen.
898
These buttons are controlled by the
899
<filename>org.freedesktop.consolekit.system.stop-multiple-users</filename>
901
<filename>org.freedesktop.consolekit.system.restart-multiple-users</filename>
902
actions respectively. Policy for these actions can be set up using the
903
polkit-gnome-authorization tool, or the polkit-auth command line program.
909
<title>RBAC (Role Based Access Control)</title>
912
GDM may be configured to use RBAC instead of PolicyKit. In this
913
case the RBAC configuration is used to control whether the login screen
914
should provide the shutdown and restart buttons on the greeter screen.
918
For example, on Solaris, the "solaris.system.shutdown"
919
authorization is used to control this. Simply modify the
920
<filename>/etc/user_attr</filename> file so that the "gdm"
921
user has this authorization.
927
<!-- ============= ConsoleKit ================================ -->
929
<sect1 id="consolekit">
930
<title>Dukungan untuk ConsoleKit</title>
934
TODO - Should we update these docs? Probably should mention any
935
configuration that users may want to do for using it with GDM?
936
If so, perhaps this section should be moved to a subsection of
937
the "Configure" section?
942
GDM includes support for publishing user login information with the user
943
and login session accounting framework known as ConsoleKit. ConsoleKit
944
is able to keep track of all the users currently logged in. In this
945
respect, it can be used as a replacement for the utmp or utmpx files that
946
are available on most Unix-like Operating Systems.
950
When GDM is about to create a new login process for a user it will call
951
a privileged method of ConsoleKit in order to open a new session for this
952
user. At this time GDM also provides ConsoleKit with information about
953
this user session such as: the user ID, the X11 Display name that will be
954
associated with the session, the host-name from which the session
955
originates (useful in the case of an XDMCP session), whether or not this
956
session is attached, etc. As the entity that initiates the user process,
957
GDM is in a unique position to know about the user session and to be
958
trusted to provide these bits of information. The use of this privileged
959
method is restricted by the use of the D-Bus system message bus security
964
In case a user with an existing session has authenticated
965
at GDM and requests to resume that existing session, GDM calls a
966
privileged method of ConsoleKit to unlock that session. The exact
967
details of what happens when the session receives this unlock signal are
968
undefined and session-specific. However, most sessions will unlock a
969
screensaver in response.
973
When the user chooses to log out, or if GDM or the session quit
974
unexpectedly the user session will be unregistered from ConsoleKit.
978
<!-- ============= Configuration ============================= -->
980
<sect1 id="configuration">
981
<title>Konfigurasi</title>
984
GDM has a number of configuration interfaces. These include scripting
985
integration points, daemon configuration, greeter configuration,
986
general session settings, integration with gnome-settings-daemon
987
configuration, and session configuration. These types of integration are
988
described in detail below.
991
<sect2 id="scripting">
992
<title>Titik Integrasi Scripting</title>
995
The GDM script integration points can be found in the
996
<filename><etc>/gdm/</filename> directory:
1008
The <filename>Init</filename>, <filename>PostLogin</filename>,
1009
<filename>PreSession</filename>, and <filename>PostSession</filename>
1010
scripts all work as described below.
1014
For each type of script, the default one which will be executed is
1015
called "Default" and is stored in a directory associated with
1016
the script type. So the default <filename>Init</filename> script is
1017
<filename><etc>/gdm/Init/Default</filename>. A per-display
1018
script can be provided, and if it exists it will be run instead of the
1019
default script. Such scripts are stored in the same directory as the
1020
default script and have the same name as the Xserver DISPLAY value for
1021
that display. For example, if the <filename><Init>/:0</filename>
1022
script exists, it will be run for DISPLAY ":0".
1026
All of these scripts are run with root privilege and return 0 if run
1027
successfully, and a non-zero return code if there was any failure that
1028
should cause the login session to be aborted. Also note that GDM will
1029
block until the scripts finish, so if any of these scripts hang, this
1030
will cause the login process to also hang.
1034
When the Xserver for the login GUI has been successfully started, but
1035
before the login GUI is actually displayed, GDM will run the
1036
<filename>Init</filename> script. This script is useful for starting
1037
programs that should be run while the login screen is showing, or for
1038
doing any special initialization if required.
1042
After the user has been successfully authenticated GDM will run the
1043
<filename>PostLogin</filename> script. This is done before any session
1044
setup has been done, including before the pam_open_session call. This
1045
script is useful for doing any session initialization that needs to
1046
happen before the session starts. For example, you might setup the
1047
user's $HOME directory if needed.
1051
After the user session has been initialized, GDM will run the
1052
<filename>PreSession</filename> script. This script is useful for
1053
doing any session initialization that needs to happen after the
1054
session has been initialized. It can be used for session management or
1055
accounting, for example.
1059
When a user terminates their session, GDM will run the
1060
<filename>PostSession</filename> script. Note that the Xserver will
1061
have been stopped by the time this script is run, so it should not be
1066
Note that the <filename>PostSession</filename> script will be run
1067
even when the display fails to respond due to an I/O error or
1068
similar. Thus, there is no guarantee that X applications will work
1069
during script execution.
1073
All of the above scripts will set the
1074
<filename>$RUNNING_UNDER_GDM</filename> environment variable to
1075
<filename>yes</filename>. If the scripts are also shared with other
1076
display managers, this allows you to identify when GDM is calling these
1077
scripts, so you can run specific code when GDM is used.
1081
<sect2 id="autostart">
1082
<title>Autostart Configuration</title>
1085
The <filename><share>/gdm/autostart/LoginWindow</filename>
1086
directory contains files in the format specified by the
1087
"FreeDesktop.org Desktop Application Autostart
1088
Specification". Standard features in the specification may be
1089
used to specify programs that should auto-restart or only be launched
1090
if a GConf configuration value is set, etc.
1094
Any <filename>.desktop</filename> files in this directory will cause
1095
the associated program to automatically start with the login GUI
1096
greeter. By default, GDM is shipped with files which will autostart
1097
the gdm-simple-greeter login GUI greeter itself, the
1098
gnome-power-manager application, the gnome-settings-daemon, and the
1099
metacity window manager. These programs are needed for the greeter
1100
program to work. In addition, desktop files are provided for starting
1101
various AT programs if the configuration values specified in the
1102
Accessibility Configuration section below are set.
1106
<sect2 id="xsessionscript">
1107
<title>Skrip Xsession</title>
1110
There is also an <filename>Xsession</filename> script located at
1111
<filename><etc>/gdm/Xsession</filename> which is called between
1112
the <filename>PreSession</filename> and the
1113
<filename>PostSession</filename> scripts. This script does not
1114
support per-display like the other scripts. This script is used for
1115
actually starting the user session. This script is run as the user,
1116
and it will run whatever session was specified by the Desktop session
1117
file the user selected to start.
1121
<sect2 id="daemonconfig">
1122
<title>Konfigurasi Daemon</title>
1125
The GDM daemon is configured using the
1126
<filename><etc>/gdm/custom.conf</filename> file. Default
1127
values are stored in GConf in the <filename>gdm.schemas</filename>
1128
file. It is recommended that end-users modify the
1129
<filename><etc>/gdm/custom.conf</filename> file because the
1130
schemas file may be overwritten when the user updates their system to
1131
have a newer version of GDM.
1135
Note that older versions of GDM supported additional configuration
1136
options which are no longer supported in the latest versions of GDM.
1140
The <filename><etc>/gdm/custom.conf</filename> file is in the
1141
<filename>keyfile</filename> format. Keywords in brackets
1142
define group sections, strings before an equal sign (=) are keys and
1143
the data after equal sign represents their value. Empty lines or
1144
lines starting with the hash mark (#) are ignored.
1148
The file <filename><etc>/gdm/custom.conf</filename> supports the
1149
"[daemon]", "[security]", and "[xdmcp]"
1150
group sections. Within each group, there are particular key/value
1151
pairs that can be specified to modify how GDM behaves. For example,
1152
to enable timed login and specify the timed login user to be a user
1153
named "you", you would modify the file so it contains the
1159
TimedLoginEnable=true
1163
<para>Daftar lengkap dari kunci konfigurasi yang didukung adalah sebagai berikut:</para>
1165
<sect3 id="choosersection">
1166
<title>[chooser]</title>
1170
<term>Multicast</term>
1172
<synopsis>Multicast=false</synopsis>
1173
<para>Bila true dan IPv6 diaktifkan, chooser akan mengirim suatu query multicast ke jaringan lokal dan mengumpulkan jawaban dari host yang telah bergabung ke grup multicast.</para>
1178
<term>MulticastAddr</term>
1180
<synopsis>MulticastAddr=ff02::1</synopsis>
1181
<para>Ini adalaha alamat multicast Link-local.</para>
1187
<sect3 id="daemonsection">
1188
<title>[daemon]</title>
1191
<term>TimedLoginEnable</term>
1193
<synopsis>TimedLoginEnable=false</synopsis>
1195
If the user given in <filename>TimedLogin</filename> should be
1196
logged in after a number of seconds (set with
1197
<filename>TimedLoginDelay</filename>) of inactivity on the
1198
login screen. This is useful for public access terminals or
1199
perhaps even home use. If the user uses the keyboard or
1200
browses the menus, the timeout will be reset to
1201
<filename>TimedLoginDelay</filename> or 30 seconds, whichever
1202
is higher. If the user does not enter a username but just
1203
hits the ENTER key while the login program is requesting the
1204
username, then GDM will assume the user wants to login
1205
immediately as the timed user. Note that no password will be
1206
asked for this user so you should be careful, although if using
1207
PAM it can be configured to require password entry before
1208
allowing login. Refer to the "Security->PAM"
1209
section of the manual for more information, or for help if this
1210
feature does not seem to work.
1216
<term>TimedLogin</term>
1218
<synopsis>TimedLogin=</synopsis>
1220
This is the user that should be logged in after a specified
1221
number of seconds of inactivity.
1224
If the value ends with a vertical bar | (the pipe symbol),
1225
then GDM will execute the program specified and use whatever
1226
value is returned on standard out from the program as the user.
1227
The program is run with the DISPLAY environment variable set so
1228
that it is possible to specify the user in a per-display
1229
fashion. For example if the value is "/usr/bin/getloginuser|",
1230
then the program "/usr/bin/getloginuser" will be run to get the
1237
<term>TimedLoginDelay</term>
1239
<synopsis>TimedLoginDelay=30</synopsis>
1241
Delay in seconds before the <filename>TimedLogin</filename>
1242
user will be logged in.
1248
<term>AutomaticLoginEnable</term>
1250
<synopsis>AutomaticLoginEnable=false</synopsis>
1252
If true, the user given in <filename>AutomaticLogin</filename>
1253
should be logged in immediately. This feature is like timed
1254
login with a delay of 0 seconds.
1260
<term>AutomaticLogin</term>
1262
<synopsis>AutomaticLogin=</synopsis>
1264
This is the user that should be logged in immediately if
1265
<filename>AutomaticLoginEnable</filename> is true.
1268
If the value ends with a vertical bar | (the pipe symbol),
1269
then GDM will execute the program specified and use whatever
1270
value is returned on standard out from the program as the user.
1271
The program is run with the DISPLAY environment variable set so
1272
that it is possible to specify the user in a per-display
1273
fashion. For example if the value is "/usr/bin/getloginuser|",
1274
then the program "/usr/bin/getloginuser" will be run to get the
1283
<synopsis>User=gdm</synopsis>
1285
The username under which the greeter and other GUI programs
1286
are run. Refer to the <filename>Group</filename>
1287
configuration key and to the "Security->GDM User And
1288
Group" section of this document for more information.
1296
<synopsis>Group=gdm</synopsis>
1298
The group name under which the greeter and other GUI programs
1299
are run. Refer to the <filename>User</filename>
1300
configuration key and to the "Security->GDM User And
1301
Group" section of this document for more information.
1308
<sect3 id="debugsection">
1309
<title>Opsi Debug</title>
1312
<title>[debug]</title>
1317
<synopsis>Enable=false</synopsis>
1319
To enable debugging, set the debug/Enable key to
1321
<filename><etc>/gdm/custom.conf</filename>
1322
file and restart GDM. Then debug output will be sent to the
1323
system log file (<filename><var>/log/messages</filename>
1324
or <filename><var>/adm/messages</filename> depending on
1325
your Operating System).
1332
<sect3 id="greetersection">
1333
<title>Opsi Greeter</title>
1336
<title>[greeter]</title>
1339
<term>IncludeAll</term>
1341
<synopsis>IncludeAll=true</synopsis>
1343
If true, then the face browser will show all users on the local
1344
machine. If false, the face browser will only show users who
1345
have recently logged in.
1349
When this key is true, GDM will call fgetpwent() to get a list
1350
of local users on the system. Any users with a user id less
1351
than 500 (or 100 if running on Solaris) are filtered out. The
1352
Face Browser also will display any users that have previously
1353
logged in on the system (for example NIS/LDAP users). It gets
1354
this list via calling the <command>ck-history</command>
1355
ConsoleKit interface. It will also filter out any users which
1356
do not have a valid shell (valid shells are any shell that
1357
getusershell() returns - /sbin/nologin or /bin/false are
1358
considered invalid shells even if getusershell() returns them).
1362
If false, then GDM more simply only displays users that have
1363
previously logged in on the system (local or NIS/LDAP users) by
1364
calling the <command>ck-history</command> ConsoleKit interface.
1370
<term>Include</term>
1372
<synopsis>Include=</synopsis>
1374
Set to a list of users to always include in the Face Browser.
1375
This value is set to a list of users separated by commas. By
1376
default, the value is empty.
1382
<term>Exclude</term>
1384
<synopsis>Exclude=bin,root,daemon,adm,lp,sync,shutdown,halt,mail,news,uucp,operator,nobody,nobody4,noaccess,postgres,pvm,rpm,nfsnobody,pcap</synopsis>
1386
Set to a list of users to always exclude in the Face Browser.
1387
This value is set to a list of users separated by commas. Note
1388
that the setting in the <filename>custom.conf</filename>
1389
overrides the default value, so if you wish to add additional
1390
users to the list, then you need to set the value to the
1391
default value with additional users appended to the list.
1398
<sect3 id="securitysection">
1399
<title>Opsi Keamanan</title>
1402
<title>[security]</title>
1405
<term>DisallowTCP</term>
1407
<synopsis>DisallowTCP=true</synopsis>
1409
If true, then always append <filename>-nolisten tcp</filename>
1410
to the command line when starting attached Xservers, thus
1411
disallowing TCP connection. This is a more secure
1412
configuration if you are not using remote connections.
1419
<sect3 id="xdmcpsection">
1420
<title>Dukungan XDMCP</title>
1423
<title>[xdmcp]</title>
1426
<term>DisplaysPerHost</term>
1428
<synopsis>DisplaysPerHost=1</synopsis>
1430
To prevent attackers from filling up the pending queue, GDM
1431
will only allow one connection for each remote computer. If
1432
you want to provide display services to computers with more
1433
than one screen, you should increase this value.
1437
Note that the number of attached DISPLAYS allowed is not
1438
limited. Only remote connections via XDMCP are limited by
1439
this configuration option.
1447
<synopsis>Enable=false</synopsis>
1449
Setting this to true enables XDMCP support allowing remote
1450
displays/X terminals to be managed by GDM.
1454
<filename>gdm</filename> listens for requests on UDP port 177.
1455
See the Port option for more information.
1459
If GDM is compiled to support it, access from remote displays
1460
can be controlled using the TCP Wrappers library. The service
1461
name is <filename>gdm</filename>
1469
to your <filename><etc>/hosts.allow</filename>, depending
1470
on your TCP Wrappers configuration. See the
1471
<ulink type="help" url="man:hosts.allow">hosts.allow</ulink>
1472
man page for details.
1476
Please note that XDMCP is not a particularly secure protocol
1477
and that it is a good idea to block UDP port 177 on your
1478
firewall unless you really need it.
1484
<term>HonorIndirect</term>
1486
<synopsis>HonorIndirect=true</synopsis>
1488
Enables XDMCP INDIRECT choosing (i.e. remote execution of
1489
<filename>gdmchooser</filename>) for X-terminals which do not
1490
supply their own display browser.
1496
<term>MaxPending</term>
1498
<synopsis>MaxPending=4</synopsis>
1500
To avoid denial of service attacks, GDM has fixed size queue
1501
of pending connections. Only MaxPending displays can start at
1506
Please note that this parameter does not limit the number of
1507
remote displays which can be managed. It only limits the number
1508
of displays initiating a connection simultaneously.
1514
<term>MaxSessions</term>
1516
<synopsis>MaxSessions=16</synopsis>
1518
Determines the maximum number of remote display connections
1519
which will be managed simultaneously. I.e. the total number of
1520
remote displays that can use your host.
1526
<term>MaxWait</term>
1528
<synopsis>MaxWait=30</synopsis>
1530
When GDM is ready to manage a display an ACCEPT packet is sent
1531
to it containing a unique session id which will be used in
1532
future XDMCP conversations.
1536
GDM will then place the session id in the pending queue
1537
waiting for the display to respond with a MANAGE request.
1541
If no response is received within MaxWait seconds, GDM will
1542
declare the display dead and erase it from the pending queue
1543
freeing up the slot for other displays.
1549
<term>MaxWaitIndirect</term>
1551
<synopsis>MaxWaitIndirect=30</synopsis>
1553
The MaxWaitIndirect parameter determines the maximum number of
1554
seconds between the time where a user chooses a host and the
1555
subsequent indirect query where the user is connected to the
1556
host. When the timeout is exceeded, the information about the
1557
chosen host is forgotten and the indirect slot freed up for
1558
other displays. The information may be forgotten earlier if
1559
there are more hosts trying to send indirect queries then
1560
<filename>MaxPendingIndirect</filename>.
1566
<term>PingIntervalSeconds</term>
1568
<synopsis>PingIntervalSeconds=60</synopsis>
1570
If the Xserver does not respond in the specified number of
1571
seconds, then the connection is stopped and the session ended.
1572
When this happens the slave daemon dies with an ALARM signal.
1573
Note that GDM 2.20 and earlier multiplied this setting by 2,
1574
so it may be necessary to increase the timeout if upgrading
1575
from GDM 2.20 and earlier to a newer version.
1579
Note that GDM in the past used to have a
1580
<filename>PingInterval</filename> configuration key which was
1581
also in minutes. For most purposes you'd want this setting
1582
to be lower than one minute. However since in most cases where
1583
XDMCP would be used (such as terminal labs), a lag of more
1584
than 15 or so seconds would really mean that the terminal was
1585
turned off or restarted and you would want to end the session.
1593
<synopsis>Port=177</synopsis>
1595
The UDP port number <filename>gdm</filename> should listen to
1596
for XDMCP requests. Do not change this unless you know what
1603
<term>Willing</term>
1605
<synopsis>Willing=<etc>/gdm/Xwilling</synopsis>
1607
When the machine sends a WILLING packet back after a QUERY it
1608
sends a string that gives the current status of this server.
1609
The default message is the system ID, but it is possible to
1610
create a script that displays customized message. If this
1611
script does not exist or this key is empty the default message
1612
is sent. If this script succeeds and produces some output,
1613
the first line of it's output is sent (and only the first
1614
line). It runs at most once every 3 seconds to prevent
1615
possible denial of service by flooding the machine with QUERY
1624
<sect2 id="greeterconfiguration">
1625
<title>Konfigurasi Greeter Sederhana</title>
1628
The GDM default greeter is called the simple Greeter and is
1629
configured via GConf. Default values are stored in GConf in the
1630
<filename>gdm-simple-greeter.schemas</filename> file. These defaults
1631
can be overridden if the "gdm" user has a writable $HOME
1632
directory to store GConf settings. These values can be edited using
1633
the <command>gconftool-2</command> or <command>gconf-editor</command>
1634
programs. The following configuration options are supported:
1638
<title>Greeter Configuration Keys</title>
1641
<term>/apps/gdm/simple-greeter/banner_message_enable</term>
1643
<synopsis>false (boolean)</synopsis>
1645
Controls whether the banner message text is displayed.
1651
<term>/apps/gdm/simple-greeter/banner_message_text</term>
1653
<synopsis>NULL (string)</synopsis>
1655
Specifies the text banner message to show on the greeter
1662
<term>/apps/gdm/simple-greeter/disable_restart_buttons</term>
1664
<synopsis>false (boolean)</synopsis>
1666
Controls whether to show the restart buttons in the login
1673
<term>/apps/gdm/simple-greeter/disable_user_list</term>
1675
<synopsis>false (boolean)</synopsis>
1677
If true, then the face browser with known users is not shown
1678
in the login window.
1684
<term>/apps/gdm/simple-greeter/logo_icon_name</term>
1686
<synopsis>komputer (string)</synopsis>
1687
<para>Tata ke nama ikon ditemakan untuk dipakai bagi logo penyapa.</para>
1692
<term>/apps/gdm/simple-greeter/recent-languages</term>
1694
<synopsis>[] (daftar string)</synopsis>
1696
Set to a list of languages to be shown by default in the login
1697
window. Default value is "[]". With the default setting only
1698
the system default language is shown and the option "Other..."
1699
which pops-up a dialog box showing a full list of available
1700
languages which the user can select.
1704
Users are not intended to change this setting by hand. Instead
1705
GDM keeps track of any languages selected in this configuration
1706
key, and will show them in the language combo box along with
1707
the "Other..." choice. This way, commonly selected languages
1708
are easier to select.
1714
<term>/apps/gdm/simple-greeter/recent-layouts</term>
1716
<synopsis>[] (daftar string)</synopsis>
1718
Set to a list of keyboard layouts to be shown by default in the
1719
login panel. Default value is "[]". With the default setting
1720
only the system default keyboard layout is shown and the option
1721
"Other..." which pops-up a dialog box showing a full list of
1722
available keyboard layouts which the user can select.
1726
Users are not intended to change this setting by hand. Instead
1727
GDM keeps track of any keyboard layouts selected in this
1728
configuration key, and will show them in the keyboard layout
1729
combo box along with the "Other..." choice. This way, commonly
1730
selected keyboard layouts are easier to select.
1736
<term>/apps/gdm/simple-greeter/wm_use_compiz</term>
1738
<synopsis>false (boolean)</synopsis>
1740
Controls whether compiz is used as the window manager instead
1748
<sect2 id="accessibilityconfiguration">
1749
<title>Konfigurasi Aksesibilitas</title>
1752
This section describes the accessibility configuration options available
1756
<sect3 id="accessibilitydialog">
1757
<title>Dialog Aksesibilitas GDM Dan Kunci GConf</title>
1760
The GDM greeter panel at the login screen displays an accessibility
1761
icon. Clicking on that icon opens the GDM Accessibility Dialog. In
1762
the GDM Accessibility Dialog, there is a list of checkboxes, so the
1763
user can enable or disable the associated assistive tools.
1767
The checkboxes that correspond to the on-screen keyboard, screen
1768
magnifier and screen reader assistive tools act on the three GConf
1769
keys that are described in the next section of this document. By
1770
enabling or disabling these checkboxes, the associated GConf key is
1771
set to "true" or "false". When the GConf key is set to true, the
1772
assistive tools linked to this GConf key are launched. When the
1773
GConf key is set to "false", any running assistive tool linked to
1774
this GConf key are terminated. These GConf keys are not automatically
1775
reset to a default state after the user has logged in. Consequently,
1776
the assistive tools that were running during the last GDM login
1777
session will automatically be launched at the next GDM login session.
1781
The other checkboxes in the GDM Accessibility Dialog do not have
1782
corresponding GConf keys because no additional program is launched to
1783
provide the accessibility features that they offer. These other
1784
options correspond to accessibility features that are provided by the
1785
Xserver, which is always running during the GDM session.
1789
<sect3 id="accessibilitygconfconfiguration">
1790
<title>Kunci GConf Aksesibilitas</title>
1793
GDM offers the following GConf keys to control its accessibility
1798
<title>Kunci Konfigurasi GDM</title>
1801
<term>/desktop/gnome/interface/accessibility</term>
1803
<synopsis>false (boolean)</synopsis>
1804
<para>Mengendalikan apakah infrastruktur Aksesibilitas akan dimulai dengan GUI GDM. Ini diperlukan oleh banyak program teknologi aksesibilitas agar bekerja.</para>
1808
<term>/desktop/gnome/applications/at/screen_magnifier_enabled</term>
1810
<synopsis>false (boolean)</synopsis>
1811
<para>Bila ditata, alat asistif yang dikaitkan ke kunci GConf ini akan dimulai dengan program GUI GDM. Secara baku ini adalah aplikasi pembesaran layar.</para>
1815
<term>/desktop/gnome/applications/at/screen_keyboard_enabled</term>
1817
<synopsis>false (boolean)</synopsis>
1818
<para>Bila ditata, alat asistif yang dikaitkan ke kunci GConf ini akan dimulai dengan program GUI GDM. Secara baku ini adalah aplikasi papan tik di layar.</para>
1822
<term>/desktop/gnome/applications/at/screen_reader_enabled</term>
1824
<synopsis>false (boolean)</synopsis>
1825
<para>Bila ditata, alat asistif yang dikaitkan ke kunci GConf ini akan dimulai dengan program GUI GDM. Secara baku ini adalah aplikasi pembaca layar.</para>
1831
<sect3 id="accessibilitytoolsconfiguration">
1832
<title>Mengaitkan Kunci GConf ke Alat Aksesibilitas</title>
1835
For the screen_magnifier_enabled, the screen_keyboard_enabled, and the
1836
screen_reader_enabled GConf keys, the assistive tool which gets
1837
launched depends on the desktop files located in the GDM autostart
1838
directory as described in the "Autostart Configuration" section of
1839
this manual. Any desktop file in the GDM autostart directory can be
1840
linked to these GConf key via specifying that GConf key in the
1841
AutostartCondition value in the desktop file. So the exact
1842
AutostartCondition line in the desktop file could be one of the
1847
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
1848
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_magnifier_enabled
1849
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_reader_enabled
1853
When an accessibility key is true, then any program which is linked to
1854
that key in a GDM autostart desktop file will be launched (unless the
1855
Hidden key is set to true in that desktop file). A single GConf key
1856
can even start multiple assistive tools if there are multiple desktop
1857
files with this AutostartCondition in the GDM autostart directory.
1861
<sect3 id="accessibilitytoolexample">
1862
<title>Contoh Pengubahan Konfigurasi Alat Aksesibilitas</title>
1865
For example, if GNOME is distributed with GOK as the default on-screen
1866
keyboard, then this could be replaced with a different program if
1867
desired. To replace GOK with the on-screen keyboard application
1868
"onboard" and additionally activate the assistive tool "mousetweaks"
1869
for dwelling support, then the following configuration is needed.
1873
Create a desktop file for onboard and a second one for mousetweaks;
1874
for example, onboard.desktop and mousetweaks.desktop. These files
1875
must be placed in the GDM autostart directory and be in the format
1876
as explained in the "Autostart Configuration" section of this
1881
The following is an example <filename>onboard.desktop</filename> file:
1887
Name=Onboard Onscreen Keyboard
1888
Comment=Use an on-screen keyboard
1890
Exec=onboard --size 500x180 -x 20 -y 10
1894
Categories=GNOME;GTK;Accessibility;
1895
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
1899
The following is an example <filename>mousetweaks.desktop</filename>
1906
Name=Software Mouse-Clicks
1907
Comment=Perform clicks by dwelling with the pointer
1909
Exec=mousetweaks --enable-dwell -m window -c -x 20 -y 240
1913
Categories=GNOME;GTK;Accessibility;
1914
AutostartCondition=GNOME /desktop/gnome/applications/at/screen_keyboard_enabled
1918
Note the line with the AutostartCondition that links both desktop
1919
files to the GConf key for the on-screen keyboard.
1923
To disable GOK from starting, the desktop file for the GOK on-screen
1924
keyboard must be removed or deactivated. Otherwise onboard and GOK
1925
would simultaneously be started. This can be done by removing the
1926
gok.desktop file from the GDM autostart directory, or by adding the
1927
"Hidden=true" key setting to the gok.desktop file.
1931
After making these changes, GOK will no longer be started when the
1932
user activates the on-screen keyboard in the GDM session; but onboard
1933
and mousetweaks will instead be launched.
1938
<sect2 id="generalsessionconfig">
1939
<title>Tatanan Sesi Umum</title>
1942
TODO - I think this section should be expanded upon. What specific
1943
keys are of interest, or would some users be likely to want
1944
to configure? Also, would be good to be more specific about
1945
how lock down management is handled.
1949
The GDM Greeter uses some of the same framework that your desktop
1950
session will use. And so, it is influenced by a number of the same
1951
GConf settings. For each of these settings the Greeter will use the
1952
default value unless it is specifically overridden by a) GDM's
1953
installed mandatory policy b) system mandatory policy. GDM installs
1954
its own mandatory policy to lock down some settings for security.
1958
<sect2 id="gnomesettingsdaemon">
1959
<title>Daemon Penataan GNOME</title>
1962
TODO - I think this section should be expanded upon. What specific
1963
keys are of interest, or would some users be likely to want
1964
to configure? Also, would be good to give a more complete
1965
list of plugins that users might want to consider disabling.
1966
Also, shouldn't we list the sound/active key in the Greeter
1967
configuration setting? Oddly I do not find this key used
1968
in anything but the chooser in SVN.
1973
GDM enables the following gnome-settings-daemon plugins:
1974
a11y-keyboard, background, sound, xsettings.
1978
These are responsible for things like the background image, font and
1979
theme settings, sound events, etc.
1983
Plugins can also be disabled using GConf. For example, if you want to
1984
disable the sound plugin then unset the following key:
1985
<filename>/apps/gdm/simple-greeter/settings-manager-plugins/sound/active</filename>.
1989
<sect2 id="sessionconfig">
1990
<title>Konfigurasi Sesi GDM</title>
1993
GDM sessions are specified using the FreeDesktop.org Desktop Entry
1994
Specification, which can be referenced at the following URL:
1995
<ulink url="http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec">
1996
http://www.freedesktop.org/wiki/Specifications/desktop-entry-spec</ulink>.
2000
By default, GDM will install desktop files in the
2001
<filename><share>/xsessions</filename> directory. GDM will
2002
search the following directories in this order to find desktop files:
2003
<filename><etc>/X11/sessions/</filename>,
2004
<filename><dmconfdir>/Sessions</filename>,
2005
<filename><share>/xsessions</filename>, and
2006
<filename><share>/gdm/BuiltInSessions</filename>. By default the
2007
<filename><dmconfdir></filename> is set to
2008
<filename><etc>/dm/</filename> unless GDM is configured to use
2009
a different directory via the "--with-dmconfdir" option.
2013
A session can be disabled by editing the desktop file and adding a line
2014
as follows: <filename>Hidden=true</filename>.
2018
GDM desktop files support a GDM-specific extension, a key named
2019
"X-GDM-BypassXsession". If the key is not specified in a
2020
desktop file, the value defaults to "false". If this key is
2021
specified to be "true" in a desktop file, then GDM will
2022
launch the program specified by the desktop file "Exec" key
2023
directly when starting the user session. It will not run the program
2024
via the <filename><etc>/gdm/Xsession</filename> script, which is
2025
the normal behavior. Since bypassing the
2026
<filename><etc>/gdm/Xsession</filename> script avoids setting up
2027
the user session with the normal system and user settings, sessions
2028
started this way can be useful for debugging problems in the system or
2029
user scripts that might be preventing a user from being able to start
2035
<sect2 id="userconfig">
2036
<title>Konfigurasi Bahasa dan Sesi Pengguna GDM </title>
2038
The user's default session and language choices are stored in the
2039
<filename>~/.dmrc</filename> file. When a user logs in for the first
2040
time, this file is created with the user's initial choices. The user
2041
can change these default values by simply changing to a different value
2042
when logging in. GDM will remember this change for subsequent logins.
2046
The <filename>~/.dmrc</filename> file is in the standard
2047
<filename>INI</filename> format. It has one section called
2048
<filename>[Desktop]</filename> which has two keys:
2049
<filename>Session</filename> and <filename>Language</filename>.
2053
The <filename>Session</filename> key specifies the basename of the
2054
session <filename>.desktop</filename> file that the user wishes to
2055
normally use without the <filename>.desktop</filename> extension.
2056
The <filename>Language</filename> key specifies the language that the
2057
user wishes to use by default. If either of these keys is missing, the
2058
system default is used. The file would normally look as follows:
2064
Language=id_ID.UTF-8
2070
<!-- ============= GDM Commands ============================= -->
2072
<sect1 id="binaries">
2073
<title>Perintah GDM</title>
2075
<sect2 id="sbindir_binaries">
2076
<title>Perintah Pengguna Root GDM</title>
2078
<para>Paket GDM menyediakan perintah berikut di <filename>sbindir</filename> yang dimaksudkan untuk dijalankan oleh pengguna root:</para>
2080
<sect3 id="gdmcommandline">
2081
<title>Opsi Perintah Baris <command>gdm</command> dan <command>gdm-binary</command></title>
2084
The <command>gdm</command> command is really just a script which
2085
runs the <command>gdm-binary</command>, passing along any options.
2086
Before launching <command>gdm-binary</command>, the gdm wrapper
2087
script will source the <filename><etc>/profile</filename> file
2088
to set the standard system environment variables. In order to better
2089
support internationalization, it will also set the LC_MESSAGES
2090
environment variable to LANG if neither LC_MESSAGES or LC_ALL are
2091
set. The <command>gdm-binary</command> is the actual GDM daemon.
2095
<title>Opsi Perintah Baris <command>gdm</command> dan <command>gdm-binary</command></title>
2098
<term>-?, --help</term>
2101
Gives a brief overview of the command line options.
2107
<term>--fatal-warnings</term>
2109
<para>Buat semua peringatan menyebabkan GDM keluar.</para>
2114
<term>--timed-exit</term>
2116
<para>Keluar setelah 30 detik. Berguna untuk pengawakutuan.</para>
2121
<term>--version</term>
2123
<para>Cetak versi daemon GDM.</para>
2129
<sect3 id="gdmrestartcommandline">
2130
<title>Opsi Perintah Baris <command>gdm-restart</command></title>
2133
<command>gdm-restart</command> stops and restarts GDM by sending
2134
the GDM daemon a HUP signal. This command will immediately terminate
2135
all sessions and log out users currently logged in with GDM.
2139
<sect3 id="gdmsaferestartcommandline">
2140
<title>Opsi Perintah Baris <command>gdm-safe-restart</command></title>
2143
<command>gdm-safe-restart</command> stops and restarts GDM by
2144
sending the GDM daemon a USR1 signal. GDM will be restarted as soon
2145
as all users log out.
2149
<sect3 id="gdmstopcommandline">
2150
<title>Opsi Perintah Baris <command>gdm-stop</command></title>
2153
<command>gdm-stop</command> stops GDM by sending the GDM daemon
2160
<!-- ============= Troubleshooting =========================== -->
2162
<sect1 id="troubleshooting">
2163
<title>Penanganan Masalah</title>
2166
TODO - any other tips we should add? Might be useful to highlight any
2167
common D-Bus configuration issues?
2172
This section discusses helpful tips for getting GDM working. In general,
2173
if you have a problem using GDM, you can submit a bug or send an email
2174
to the gdm-list mailing list. Information about how to do this is in
2175
the Introduction section of the document.
2179
If GDM is failing to work properly, it is always a good idea to include
2180
debug information. To enable debugging, set the debug/Enable key to
2181
"true" in the <filename><etc>/gdm/custom.conf</filename>
2182
file and restart GDM. Then use GDM to the point where it fails, and
2183
debug output will be sent to the system log file
2184
(<filename><var>/log/messages</filename> or
2185
<filename><var>/adm/messages</filename> depending on your Operating
2186
System). If you share this output with the GDM community via a bug
2187
report or email, please only include the GDM related debug information
2188
and not the entire file since it can be large. If you do not see any
2189
GDM syslog output, you may need to configure syslog (refer to the
2190
<ulink type="help" url="man:syslog">syslog</ulink> man page).
2193
<sect2 id="wontstart">
2194
<title>GDM Tidak Akan Dimulai</title>
2197
There are a many problems that can cause GDM to fail to start, but
2198
this section will discuss a few common problems and how to approach
2199
tracking down a problem with GDM starting. Some problems will
2200
cause GDM to respond with an error message or dialog when it tries
2201
to start, but it can be difficult to track down problems when GDM
2206
First make sure that the Xserver is configured properly. The
2207
GDM configuration file contains a command in the [server-Standard]
2208
section that is used for starting the Xserver. Verify that this
2209
command works on your system. Running this command from the
2210
console should start the Xserver. If it fails, then the problem
2211
is likely with your Xserver configuration. Refer to your Xserver
2212
error log for an idea of what the problem may be. The problem may
2213
also be that your Xserver requires different command-line options.
2214
If so, then modify the Xserver command in the GDM configuration file
2215
so that it is correct for your system.
2219
Also make sure that the <filename>/tmp</filename> directory has
2220
reasonable ownership and permissions, and that the machine's file
2221
system is not full. These problems will cause GDM to fail to start.
2226
<!-- ============= Application License ============================= -->
2228
<sect1 id="license">
2229
<title>Lisensi</title>
2230
<para>Program ini adalah perangkat lunak bebas; Anda dapat menyebarluaskannya dan/atau mengubahnya di bawah syarat <ulink type="help" url="gnome-help:gpl"><citetitle>GNU General Public License</citetitle></ulink> sebagaimana dipublikasikan oleh Free Software Foundation; baik versi 2 dari Lisensi, atau (terserah pilihan Anda) versi setelahnya.</para>
2231
<para>Program ini didistribusikan dengan harapan akan berguna, tetapi TANPA ADANYA JAMINAN; termasuk tanpa jaminan KETERDAGANGAN atau KECOCOKAN UNTUK TUJUAN TERTENTU. Lihat <citetitle>GNU General Public License</citetitle> untuk rincian lebih lanjut.</para>
2232
<para>Suatu salinan dari <citetitle>GNU General Public License</citetitle> disertakan sebagai lampiran dari <citetitle>Panduan Pengguna GNOME</citetitle>. Anda juga dapat memperoleh salinan dari <citetitle>GNU General Public License</citetitle> dari Free Software Foundation dengan mengunjungi ulink type="http" url="http://www.fsf.org">laman Web mereka</para>
2235
<!-- Keep this comment at the end of the file
2240
sgml-minimize-attributes:nil
2241
sgml-always-quote-attributes:t
2244
sgml-parent-document:nil
2245
sgml-exposed-tags:nil
2246
sgml-local-catalogs:nil
2247
sgml-local-ecat-files:nil