DevHeads.net

How to disable screen locking system-wide?

By default, CentOS v5 requires a user's password when the system wakes
up from the screensaver. This can be disabled by each user, but how
can I disable this system-wide? Many of my users forget to do this,
which results in workstations being locked up.

Bob

Comments

Re: How to disable screen locking system-wide?

By Lamar Owen at 01/20/2011 - 16:53

On Thursday, January 20, 2011 03:11:00 pm Mike McCarty wrote:
Although I have seen in the case of Windows, installed to NTFS, and set with 'make your files private' when you first set up a password, that if even if you log in as Administrator you can't necessarily see all users' files, at least not through file sharing. It has been a long time since I've put that to the test on the local console.

Makes it a pain to do whole machine virus scans from the Administrator account, and makes it a bigger pain to do backups using the semi-documented $ shares when file sharing is enabled in the firewall.

I've never experienced that on Linux, but it is possible to set up the SELinux policy in a way that 'ordinary' root can't do everything, that you have to be in a different context.

Re: How to disable screen locking system-wide?

By Lamar Owen at 01/20/2011 - 13:00

On Thursday, January 20, 2011 09:36:09 am Ross Walker wrote:
Fingerprints are too easily faked. Mythbusters did it in a 'Crime and Mythdemeanors' episode a few years ago.

Re: How to disable screen locking system-wide?

By m.roth at 01/20/2011 - 13:03

Lamar Owen wrote:
I can beat that: I read, a month or so ago, how a bunch of elementary
school kids discovered that wet Gummi Bears would hold a fingerprint,
*and* (they didn't understand this) have more or less the same electrical
conductivity....

mark, who has to stare into the scanner when he goes into the
datacenter

Re: How to disable screen locking system-wide?

By Ross Walker at 01/20/2011 - 18:53

On Thu, Jan 20, 2011 at 12:03 PM, <m.roth@5-cent.us> wrote:
Fortunately I don't go sticking my fingers in wet gummy bears, so that
risk is mitigated!

While finger prints can be faked, it often requires access to the
finger to fake. I haven't heard of someone lifting a latent oil print
and creating a fake out of that. I'm sure with enough ingenuity it can
be done. Then again if someone is that intent on accessing your data,
well I'm sure they could figure another way as well...

-Ross

Re: How to disable screen locking system-wide?

By Nico Kadel-Garcia at 01/23/2011 - 00:35

On Thu, Jan 20, 2011 at 5:53 PM, Ross Walker < ... at gmail dot com> wrote:

Nope.

I found this link in a reference from 2002, and have seen nothing to
indicate any significant improvement of fingerprint scanners to ignore
gelatin based fake fingerprints, overlaid on a living person's finger
to fool the electrostatic or thermal sensors of some sensors, and and
with the fingeprints transferred from a Xerox of a police or other
official fingerprint.

<a href="http://www.schneier.com/crypto-gram-0205.html" title="http://www.schneier.com/crypto-gram-0205.html">http://www.schneier.com/crypto-gram-0205.html</a>

This has me laughing my tail off at the insistence on including
fingerprint authorization as a default in RHEL 6, and the difficulty
of extracting the daemons and utilities from the base image. Too many
scattered RPM dependencies for other utilities. It's actually now a
default "enabled" feature in anaconda for kickstart installations.

Re: How to disable screen locking system-wide?

By Gordon Messmer at 01/20/2011 - 22:02

On 01/20/2011 02:53 PM, Ross Walker wrote:
<a href="http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/" title="http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/">http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_s...</a>

Now you have.

Re: How to disable screen locking system-wide?

By Lamar Owen at 01/20/2011 - 15:18

On Thursday, January 20, 2011 01:57:54 pm <a href="mailto:m.roth@5-cent.us">m.roth@5-cent.us</a> wrote:
Our co-lo site is using fingerprint plus HID Corp cards.

I'm not familiar with the RSA keyfobs, though.

Re: How to disable screen locking system-wide?

By m.roth at 01/20/2011 - 15:47

Lamar Owen wrote:
Oh. They have a six digit number that changes every single minute. It's
synchronized with the authentication server. To log onto my company
website, for example, so I can do my timesheet, I put in my username, then
a pin, followed by the current six digit code.

So, you need three pieces of information, and one constantly changes.

mark

Re: How to disable screen locking system-wide?

By Lamar Owen at 01/20/2011 - 12:35

On Thursday, January 20, 2011 06:02:38 am Giles Coochey wrote:
+1.

The third 'A' of triple-A (AAA) is accountability. If you share accounts you defeat accountability. This has nothing to do with data access, or user home directory data access; yes, there should be mechanisms in place for monitoring. But those mechanisms need their own accountability, too. The access should be done only by an account authorized to do so.

Without accountability, authentication and authorization don't mean a whole lot.

Re: How to disable screen locking system-wide?

By Lamar Owen at 01/20/2011 - 12:29

On Thursday, January 20, 2011 03:54:45 am Rudi Ahlers wrote:
An IT admin should not be accessing the accountant's PC without the accountant or another financial person present, for control reasons (control in the financial, SCI, and auditing sense). There are significant regulatory compliance issues with your specific example.... :-) Just because it's company data doesn't mean it's open season for any IT admin to access. This is likely why CTRL-ALT-BACKSPACE is off by default, too.

If the PC is another IT admin's PC, that's a different story. But even then there are significant accountability issues, as when workstations are left unlocked anyone can come up and then do something as that user.

I understand what the OP wants to do, but honestly I think it's a bad idea to do it. If the setting is changed it should be on a per-user basis, since at that point the user can know about it, and there is a degree of informed consent there.

There may be a knob to do it, but I think there could be liability issues for tweaking that knob, which essentially changes all user's preferences without their informed consent. I know that I would not do this in my environment, because I don't want that liability.

But it definitely depends upon your specific environment. And, yes, users need to log out, and many places do fairly harsh discipline if a workstation isn't either locked or logged out in the user's absence.

Re: How to disable screen locking system-wide?

By Mathieu Baudier at 01/20/2011 - 11:11

Instead of removing the lock on your workstations (big security risk
as others have mentioned), why not rather activate the 'user switch'
button?

If you really need to access a workstation, you can then log in as
another user (e.g. admin user) and then do what you want (which may
involve killing the guilty session).

In gconf-editor, you find this option under:
/apps/gnome-screensaver/user_switch_enabled

You can then probably apply it system-wide using recommendations of
this thread (I haven't tested it).

I quickly scanned through the thread, so maybe somebody suggested that
already, sorry for the repeat in that case.

A bit OT, but something related that I discovered recently: you can
explicitly start the screensaver (and thus the lock) with Ctrl+Alt+L
(instead of looking for the button in the GNOME menu).

Re: How to disable screen locking system-wide?

By Ross Walker at 01/20/2011 - 10:14

Let's try this again...

KDE has a multi-user x login feature that allows another user to start a new session keeping the existing session active.

It might take a little config mod'ing to get it working, but it works. It works best if there is lots of RAM.

-Ross

Re: How to disable screen locking system-wide?

By Robert Spangler at 01/20/2011 - 10:51

And if that doesn't work you could always;

Press CTRL+ALT+F2-6
Logon
Start a new X session with 'statrx -- :1'

Re: How to disable screen locking system-wide?

By Keith Keller at 01/20/2011 - 16:09

On Thu, Jan 20, 2011 at 09:51:28AM -0500, Robert Spangler wrote:
There is (IIRC) a subtle difference between these two: the former will
attempt to execute ~/.xsession, whereas the latter will attempt to execute
~/.xinitrc. If you have neither of these files it shouldn't make much
difference, but if you have one, or have both but are different, it
might not result in what the user expects. (It's obviously an easy fix
if you know about it, but not at all obvious if you don't.)

--keith

Re: How to disable screen locking system-wide?

By John Hodrien at 01/20/2011 - 10:18

So does gnome (another gconf key:
/apps/gnome-screensaver/user_switch_enabled). Not tried it on CentOS 5, but
it works okay on Fedora 12. You have to be careful not to end up with
everybody logged in everywhere.

jh

Re: How to disable screen locking system-wide?

By Les Mikesell at 01/20/2011 - 12:03

Why is everyone stuck at the console of one particular workstation? The
point of a multiuser, networked OS is that you can have as many logins
as you want from wherever you want. I almost never log in directly at
the console of a linux box unless it is broken - or at least the one
where my desktop sessions run.

Re: How to disable screen locking system-wide?

By Ross Walker at 01/20/2011 - 10:27

I wonder if there is an auto logoff idle timeout feature?

That would help reduce orphaned sessions. Set it for 8 hours of idle, then auto-logoff.

-Ross

Re: How to disable screen locking system-wide?

By Sorin Srbu at 01/20/2011 - 11:25

Now that would be neat on public and semi-public machines over here!

Re: How to disable screen locking system-wide?

By m.roth at 01/20/2011 - 10:49

Ross Walker wrote:
8? I'd think 2, long enough for a long meeting, or a 1 or 2 drink lunch.

mark

Re: How to disable screen locking system-wide?

By Joshua Baker-LePain at 01/19/2011 - 15:46

On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote

Ctrl-Alt-Bksp will fix that right up. I'm not a big fan of users leaving
workstations unsecured when they walk away.

Re: How to disable screen locking system-wide?

By Sorin Srbu at 01/20/2011 - 04:34

Wouldn't that kill any programs, or whatever, the user has running?

Re: How to disable screen locking system-wide?

By Rudi Ahlers at 01/19/2011 - 15:49

On Wed, Jan 19, 2011 at 9:46 PM, Joshua Baker-LePain < ... at duke dot edu> wrote:

Don't you mean CTRL+ALT+DEL?

I don't think the OP wanted a plaster, he wants a solution :)

Re: How to disable screen locking system-wide?

By Sean Hart at 01/19/2011 - 16:00

On 1/19/11 11:49 AM, Rudi Ahlers wrote:

Re: How to disable screen locking system-wide?

By m.roth at 01/19/2011 - 16:18

Sean Hart wrote:
But the locked screensaver wants the *same* password that you log in with.
I'm having trouble understanding the problem... or is it that many of the
users *never* log out?

mark

Re: How to disable screen locking system-wide?

By Bob Eastbrook at 01/20/2011 - 18:26

Yes, users will sign onto a workstation, and then disappear somewhere
in the building. They usually forget that they're logged on, which
means the workstation is unusable by anyone else for several days.

Restarting the X server is one solution, but it will kill any running jobs.

If user Bob sees that Alice is logged on, but not doing anything, then
Bob could safely log Alice out.

Bob

Re: How to disable screen locking system-wide?

By Michael Gliwinski at 01/21/2011 - 09:11

On Thursday 20 Jan 2011 22:26:08 Bob Eastbrook wrote:
I'm not sure about GNOME or if that's available in version currently shipped
in CentOS but in KDE the screensaver allows you to switch user, i.e. leave the
currently logged on user's session running and start a new one for another
user. That seems like a better solution if possible, no?

Re: How to disable screen locking system-wide?

By Edward Morbius at 01/26/2011 - 18:39

on 13:11 Fri 21 Jan, Michael Gliwinski (<a href="mailto:Michael.Gliwinski@henderson-group.com">Michael.Gliwinski@henderson-group.com</a>) wrote:
Or, so long as your graphics card doesn't kill console access, go old
school:

- Switch to console.
- Log into console.
- Launch X.

The problem here is the hanging console session, which you should kill.

Better: Institute a policy that abandoned desktop sessions are fair
game to be killed. As with hot stoves and children, the lesson would be
learned after a few experiences.

Systems work should be handled remotely via ssh (or VNC), within screen
session, or via cronjobs.

Another useful feature would be to have an auto-logoff set after a
certain amount of inactivity. This doesn't seem to be available within
GNOME, so you'd probably have to homebrew it.

Re: How to disable screen locking system-wide?

By Keith Keller at 01/19/2011 - 16:35

On Wed, Jan 19, 2011 at 03:18:37PM -0500, <a href="mailto:m.roth@5-cent.us">m.roth@5-cent.us</a> wrote:
The locked screensaver will be killed along with the rest of the X
session with ctrl-alt-backspace. When [kgx]dm restarts it will present
a fresh login window.

Are the screensavers not smart enough to intercept ctrl-alt-bksp?

For the OP: what's the goal behind preventing an X session from locking?
Perhaps there is a more elegant solution than simply disabling it.

--keith

Re: How to disable screen locking system-wide?

By Giles Coochey at 01/20/2011 - 07:41

On 19/01/2011 21:35, Keith Keller wrote:
If you want to disable CTRL-ALT-BACKSPACE use the X option "DontZap" in
your X configuration.

Re: How to disable screen locking system-wide?

By Rudi Ahlers at 01/20/2011 - 05:00

On Wed, Jan 19, 2011 at 10:35 PM, Keith Keller

It probably depends on his environment. If it's an office where people
actually work for money and need to address client issues then I'm
sure your colleagues won't be please if you make them loose all their
work just to be an arrogant IT manager who wants to prove a point.

I don't know about you, but a user leaving his desk (for any purpose,
other than going home) doesn't cause a security risk. I trust all our
staff, and when Andrew goes on lunch I expect him to leave his PC
unlocked.
1. It's our property and he should have any personal stuff on there,
as per our NDA, that could cause problem.
2. If a client, which Andrew was busy with phones in, I or one of the
other staff members would need access to that work.

So, in such a case I do think the OP has a valid question and it
could be addressed more professionally than to restart X, or even the
PC just to prove a point.

P.S. And I don't know the answer either.....

Re: How to disable screen locking system-wide?

By Joshua Baker-LePain at 01/20/2011 - 11:49

On Thu, 20 Jan 2011 at 11:00am, Rudi Ahlers wrote

I was going to leave this alone, but I feel this lowers to the level of
personal attacks and I'd like to address that. Yes, my response was a bit
glib (and tongue-in-cheek, which obviously didn't come across correctly).
But that doesn't mean that the reasoning behind it isn't valid in some
situations, and it certainly doesn't make me arrogant or unprofessional.
As others have pointed out, there are industries and workplaces where any
unlocked, unattended workstation is a major security risk. Please don't
assume that your use case is everybody else's. And please keep it civil.
Thanks.

We now return you to your regularly scheduled CentOS list programming (no
pun intended).

Re: How to disable screen locking system-wide?

By Sorin Srbu at 01/24/2011 - 04:54

Suddenly came to think of Mordac, the IT-preventer in the Dilbert strip. ;-)

One a more serious note, personally, if I run across an unlocked workstation
and there's nobody around, I take a few seconds to start up Notepad (if
Windows) or OpenOffice (if linux) and type in a message like "If I'd been a
bad guy, your data would all have been gone and your homepage been set to
<a href="http://www.bestialporn.com" title="www.bestialporn.com">www.bestialporn.com</a>. //Your friendly Sysadmin" in real big letters, and then
maximize the window, and lastly activated the (password-protected)
screensaver, before I walked away.

I've done this a few times over the years, and the message has usually been
acknowledged and accepted with no questions asked.

No need to restart any machines; that's just mean. Although I have been
dreaming about doing that... ;-)

Re: How to disable screen locking system-wide?

By m.roth at 01/20/2011 - 12:04

Joshua Baker-LePain wrote:
mark, who logs off his system at home every night and every
morning...
(and the the only other resident, the fish, is too lazy to
flop out of the tank to the keyboard....)

Re: How to disable screen locking system-wide?

By John Hodrien at 01/20/2011 - 12:09

cat >> .bashrc <<EOF
echo Logging off is important and fun
sleep 5
echo Logging off is important and fun
sleep 5
echo Logging off is important and fun
sleep 5
EOF

jh

Re: How to disable screen locking system-wide?

By Tom H at 01/20/2011 - 08:02

On Thu, Jan 20, 2011 at 4:00 AM, Rudi Ahlers < ... at softdux dot com> wrote:
In our environment, leaving your desk without locking your
computer/screen is punished with a disciplinary hearing and three such
hearings result in dismissal. Having one person using another's
account is considered a security risk.

I don't know the exact path but you can use gconftool-2 (or
gconf-editor as a GUI) to set the screensaver not to lock (and mimick
doing so by changing the screensaver preferences in
"System-Preferences-Screensaver").

Re: How to disable screen locking system-wide?

By Sorin Srbu at 01/20/2011 - 08:55

Sounds kinda' harsh. May I ask what industry this is in?

That's a per-user setting you describe, right?

Re: How to disable screen locking system-wide?

By Mike McCarty at 01/20/2011 - 16:44

Sorin Srbu wrote:
Sounds pretty normal to me. I've worked for a variety of
companies over a period of over twenty years, and similar
policies were in effect in each one. At one company where
I worked, possesion of another person's password was
immediate dismissal grounds, though not automatic.

Any company which doesn't exercise "due diligence" to protect
its trade secrets will lose when trying to recover from
an industrial espionage incident. I know from personal
experience, since I was at a company which went after another
for theft of IP, and nearly wound up having to testify in
court. A friend of mine did have to.

All employees were required to attend a seminar presented
by the full time legal staff, explaining what IP is, and
how it is protected. One thing we were told very forcefully
was that we were to have good passwords (and what that meant),
and that we were never to divulge our passwords to anyone
else.

IANAL, but I suggest that anyone who has any intellectual
property (patents, trade secrets, trade marks) get a lawyer
to explain what they are, what the differences are, and
how to protect them. They need different kinds of protection,
and trade secrets, especially, are hard to protect without
good, secret passwords.

Mike

Re: How to disable screen locking system-wide?

By Mike McCarty at 01/20/2011 - 16:50

[...]

Oops! Forgot copyright. Those are the ones in the USA.
There may be others in other countries. I don't know.

Anyway, trade secrets are very hard to protect, and "due
diligence" is very important, so I'm told.

Mike

Re: How to disable screen locking system-wide?

By John Hodrien at 01/20/2011 - 09:01

No, you can make that work for all users with gconf-editor by editing the
right file. My previously suggested solution just does that in one go without
a gui:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool \
--set /apps/gnome-screensaver/lock_enabled false

That makes it mandatory, so it can't be overridden, and will affect all users.
Only fixes it for gnome, I don't know what the equivalent fix is for KDE. You
need to take other steps to enforce it in the other direction, as killall
gnome-screensaver would defeat it.

jh

Re: How to disable screen locking system-wide?

By Sorin Srbu at 01/20/2011 - 09:10

Ah, I misunderstood first. The penny dropped now. 8-) Thanks.

Re: How to disable screen locking system-wide?

By John Hodrien at 01/20/2011 - 06:00

I think I see things differently. Allowing others to access your account *is*
a security risk. It potentially opens confidential data open to other people,
and leaves that specific user open to abuse through people using their
machine. You might as well just pin your passwords on the notice board and be
done. After all, you trust all your staff.

That's a data storage issue. Appropriate software systems should ensure you
have access to the data you need from your own account. Anyone's free to use
my machine while I'm not there, but they're certainly not free to use my
login.

For gnome how about something like:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool \
--set /apps/gnome-screensaver/lock_enabled false

jh

Re: How to disable screen locking system-wide?

By Bob Eastbrook at 01/20/2011 - 20:48

Many thanks. That did the trick.

Bob

Re: How to disable screen locking system-wide?

By Mike McCarty at 01/20/2011 - 16:08

John Hodrien wrote:
This is not a supposition, I've seen it happen. I worked at
a company where one guy disabled his keyboard locker. One day he
left for lunch. When he came back, Security escorted him to HR,
where he was asked to explain why he sent several racist e-mails
all over the company. He had "a few days off" while they investigated
the incident, and the culprit was found. The culprit thought it
was all just a prank, and that's what was intended, but both of them
got in lots of trouble. Official memos to everyone followed.

At home, I keep my keyboard locked the instant I leave it because
of potential security breaches, using the little "lock screen (sic)"
button on the pop up menu on the left. Just about the only GUI button
I use.

OTOH, I have cats :-)

Mike

Re: How to disable screen locking system-wide?

By Sorin Srbu at 01/24/2011 - 05:02

Funny you should mention that. One of my cockatiels once almost managed to
delete a file for me at home, wandering and pecking on the keyboard. Beats
me how he managed... Since then I always lock the screen when leaving the
computer and the birds are out in the room. Saving yourself some
aggravation... Kinda'...

Re: How to disable screen locking system-wide?

By m.roth at 01/20/2011 - 16:24

Mike McCarty wrote:
Danger, Will Robinson! Cat typing detected!

mark "what, you don't want $23,524.07 charged to your credit card
at catsactuallyruletheworld.org?"

Re: How to disable screen locking system-wide?

By Rudi Ahlers at 01/20/2011 - 06:55

I don't agree with that, sorry.

A few years ago one of our staff members decided his salary isn't good
enough so he started a side-line business, on our company time. He
stole some of our client's data (contact details, emails, and even
contracts) and sold it to 3rd parties. This went on for about 6 months
before we actually realized what was going on.

Needless to say, he was fined heavily and sent to jail for 3 years.
So, I don't care if you feel the PC is your's, as long as it's a
company PC, with company data and company property, we will take a
look at the data on it.

I'm not talking about your home / private PC, that's an altogether
different story.

Re: How to disable screen locking system-wide?

By Mike McCarty at 01/20/2011 - 16:11

Rudi Ahlers wrote:
The computer belongs to the company, and the information on
it _should_ belong to the company (though what people put on
computers can't be completely monitored), but keeping one
employee out of another's accounts is important for a variety
of reasons.

That does not preclude access to the machine's content. Anyone
with root access should be able to do that. You shouldn't
have to log in AS THAT USER in order to access the computer's
content.

Mike

Re: How to disable screen locking system-wide?

By Jerry Franz at 01/20/2011 - 09:47

On 01/20/2011 02:55 AM, Rudi Ahlers wrote:
You are talking completely different issues. Allowing anyone walking
past a machine to sit down and do whatever they want (which is stupid)
is not in the least the same as having administrative access and
auditing by IT (which is smart).

If you don't have full administrative access to the machine
*independent* of people's day-to-day login accounts you are doing it
wrong and need to hire a competent IT admin - because your current one
doesn't know what heck they are doing.

Re: How to disable screen locking system-wide?

By Rudi Ahlers at 01/20/2011 - 12:11

On Thu, Jan 20, 2011 at 3:47 PM, Jerry Franz < ... at freerun dot com> wrote:

Benjamin, I'm sorry to say this, but you're wrong!

Now, since we're doing the name-calling thing, let's get that out of the way.

Sometimes you need to access a PC of a staff member who is busy with
something right now. And I'm not talking about administrative access.
Sure, I can access any PC via root login, and frankly for that matter
I can also reset any user's password via root login.

The message I'm trying to bring across is that users in the company
shouldn't have passwords which admin doesn't know, or can't access.
The PC's and data, well at least in our company, is the property of
the company. Making it more difficult for an engineer to gain access
to a user's PC automatically arises suspicion