{{Header}}
{{title|title=
Login Security
}}
{{#seo:
|description=Instructions and information about configuring {{project_name_short}} login security.
|image=Gui_login.png
}}
{{passwords_mininav}}
[[File:Gui_login.png|thumb|Graphical Login Screen]]
[[File:virtual_console.png|thumb|Virtual Console]]
{{intro|
This page provides detailed information about the {{project_name_short}} login screen, how to configure it, and how to log in securely.
}}
= Login Security Concepts =
By default, {{project_name_short}} provides a user account, user, with {{gui}} autologin enabled if applicable, and no password set. When using a system with a GUI, {{project_name_short}} will boot directly into a graphical desktop when powered on. For many users and situations, this configuration is not a security hazard because:
* '''Single-user machines:''' Desktop and laptop systems are generally single-user machines and do not need to authenticate multiple human users. Users of a single-user machine are expected to keep their machine physically secure from in-person attackers.
* '''Multi-user configuration:''' For machines that aren't single-user, the system administrator will generally be the first person to use the machine after installation and will have the opportunity to configure the system's user accounts to meet the needs of all users.
* '''Weak login screen protection:''' The login screen is usually only a weak security barrier. If [[Full Disk Encryption|{{fde}}]] is not used, a malicious individual can gain access to the machine's data by simply booting a live ISO or stealing the system's storage drive. Even if FDE is used, a sophisticated attacker with sufficient time can likely bypass the login screen if they gain physical access to the device while it is powered on.
* '''FDE makes login screen redundant:''' If using the {{project_name_short}} ISO to install {{project_name_short}} onto a machine, FDE is enabled by default. This requires the user to authenticate before the system will boot, thus making the login screen redundant in most single-user scenarios. Auententcation is done during [[Grub#initramfs_.28initramfs-tools_or_dracut.29_Based_Encryption_Password_Prompt|initramfs (initramfs-tools or dracut) Based Encryption Password Prompt]].
* '''Virtual machines and host security:''' If using {{project_name_short}} in a Virtual Machine, the VM's login security is not as important as the host system's login security. There are numerous ways to modify a virtual machine's state from the host system, allowing an attacker with access to an unlocked host machine to bypass a virtual machine's login screen. Virtual machine users are expected to keep their host system physically secure from in-person attackers.
However, there are situations in which it is valuable to require password authentication for administrative actions or for login purposes. Users should be aware of their [[Threat Modeling|threat model]] and adjust login settings accordingly. Users interested in this topic should read the [[Default_Passwords|Default Passwords]] and [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] wiki pages.
= Configuring GUI Autologin =
Platform specific.
* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]]: Applicable. See below.
* [[Qubes|{{q_project_name_short}}]]: Users can skip this section, except for HVM Qube. [
Except for desktop HVM Qube, virtual machines in Qubes OS do not use a traditional GUI login mechanism, and thus do not have a concept of GUI autologin.
]
Host {{os}} versus {{VM}}.
* '''Host operating system:'''
** '''Simple login screen:''' Disabling autologin can be useful if the user wants to enable a login screen.
** '''No full disk encryption:''' Note, the login screen is not providing [[Full_Disk_Encryption|Full Disk Encryption (FDE)]]. The purpose of the login screen is elaborated in chapter [[Protection_Against_Physical_Attacks#Login_Screen|Login Screen]].
* '''VMs:''' It is not very useful to disable autologin to enable a login screen inside VMs. It's much more secure to have a login screen on the host operating system.
== Automatic Autologin Configuration ==
To view which user accounts on the system have autologin enabled, run [[systemcheck]]. This will show you a [[Systemcheck#Physical_Security_Check|Physical Security Check]] table, indicating which users on the system are not password protected and/or have autologin enabled.
Only one normal user account can have autologin enabled at once. The reason for this is fairly obvious - if two users had autologin enabled at the same time, which user would be automatically logged into? For this reason, if you enable autologin for one user account when autologin is already enabled for a different user account, autologin will be disabled for that different user account. The only exception to this rule is if [[Sysmaint|user-sysmaint-split]] is installed. In this case, the sysmaint user account can have autologin enabled or disabled independently of the other user accounts. This is because the sysmaint account is only accessible when the system is booted in PERSISTENT mode - SYSMAINT session.
To enable or disable autologin on a user account, you can use the autologinchange utility.
{{IconSet|h1|1}} {{sysmaint_notice}}
{{IconSet|h1|2}} Launch autologinchange.
* {{IconSet|h2|A}} System Maintenance Panel: You can do this by clicking the Manage GUI Autologin button in the [[System Maintenance Panel]].
* {{IconSet|h2|B}} Terminal: You can also run the tool by running the following command in a terminal:
** {{CodeSelect|inline=true|code=
sudo autologinchange
}}
{{IconSet|h1|3}} autologinchange will display a list of user accounts on the system. Identify the user you want to enable or disable autologin for.
{{IconSet|h1|4}} Type the user account's name and press {{keypress|Enter}}.
{{IconSet|h1|5}} You will be told whether autologin is currently enabled or disabled for the current user account. To toggle autologin on the selected account, press {{keypress|y}}, then press {{keypress|Enter}}.
{{IconSet|h1|6}} Done.
Autologin has now been toggled on the specified user account.
== Manual Autologin Configuration ==
It is strongly recommended that you do ''not'' attempt to manually configure autologin when using {{project_name_short}} 18 and higher. This procedure is [[Unsupported]]. For details about why, see the footnote.[
This is because {{project name_short}} uses ]greetd + wlgreet to provide a display manager. greetd supports being configured for automatic login, but it only supports a single configuration file, whereas {{project_name_short}} requires a drop-in configuration directory. {{project_name_short}} works around this by using drop-in configuration directories that greetd and wlgreet do not understand by default. It then uses a special tool ([https://github.com/Kicksecure/helper-scripts/blob/master/usr/bin/build-config-file build-config-file]) to build the config directories into the single config files needed by greetd and wlgreet.
This means that {{project_name_short}} assumes that it has total control over the config files for greetd and wlgreet. Normal manual configuration is likely to be overwritten, and manual configuration would be entirely specific to {{project_name_short}}. The manual configuration mechanism is also subject to change. The supported way of configuring autologin in {{project_name_short}} is the autologinchange tool documented [[Login#Automatic_Autologin_Configuration|above]], so manual autologin configuration is not supported.
= Configuring Passwords =
{{IntroLike|
The user can set or change the password for Linux user accounts in {{project_name_gateway_short}}, if this is useful for the user's threat model based on this [[Default_Passwords|default passwords information]].
}}
{{mbox
| image = [[File:Ambox_notice.png|40px|alt={{project_name_short}} default password info box]]
| text = '''Platform specific.'''
* [[Kicksecure|Kicksecure]]: Applicable. See below.
* [[Qubes|{{q_project_name_short}}]]: Not applicable. Users can skip this section. [
By default, Qubes does not require a password for superuser access. See also: https://www.qubes-os.org/doc/vm-sudo/
]
}}
{{Box|text=
{{IconSet|h1|1}} '''Default password notice.'''
{{Default_Passwords}}
{{IconSet|h1|2}} '''[[Post_Install_Advice#Change Keyboard Layout|Change Keyboard Layout]] if necessary.'''
{{IconSet|h1|3}} '''Review [[Post_Install_Advice#Test Keyboard Layout|Test Keyboard Layout]] before proceeding further.'''
{{IconSet|h1|5}} {{sysmaint_notice}}
{{IconSet|h1|6}} '''sudo password notice.'''
There is no separate sudo password. sudo uses the same password as the user account that is invoking sudo. [
This is the usual Debian / ]sudo default and [[Unspecific|Unspecific to {{project_name_short}}]].
For example:
* '''user-sysmaint-split:''' Changing the password for account sysmaint will also change the sudo password for account sysmaint.
* '''unrestricted admin mode:''' Changing the password for account user will also change the sudo password, provided the account user is authorized to use sudo.
{{IconSet|h1|7}} '''Start pwchange.'''
Open a terminal (such as QTerminal Emulator) or start pwchange using the System Maintenance Panel.
* {{IconSet|h2|A}} '''user-sysmaint-split:'''
** {{IconSet|h3|1}} Using the System Maintenance Panel: You can change user passwords using the Manage Passwords button in the [[System Maintenance Panel]]. The Manage Passwords button will simply start the pwchange utility.
** {{IconSet|h3|2}} Terminal: Alternatively, you can also change user passwords from a terminal. A terminal can be started using the System Maintenance Panel.
* {{IconSet|h2|B}} '''[[Unrestricted admin mode]]:''' Use any method to start any terminal. For example: Start menu → Applications → System → Terminal
{{IconSet|h1|8}} '''Test command.'''
Run a test command with [[root|administrative ("root") rights]] by using sudo.
This is only a simple test to confirm that the user can currently escalate to administrative rights. [
This is to avoid falsely suspecting ]pwchange as the cause of issues, while in fact the issue lies with sudo authentication.
Type the following command in the terminal and press
root
{{IconSet|h1|9}} '''Change a Linux user account password.''' [
* Using [https://github.com/Kicksecure/usability-misc/blob/master/man/pwchange.8.ronn ]pwchange].
* [https://github.com/Kicksecure/usability-misc/blob/master/usr/sbin/pwchange /usr/sbin/pwchange] source code.
* Alternatively, Debian standard command: {{CodeSelect|code=
sudo passwd user
}}
While using passwd and typing the password, it will not appear on the screen, nor will the asterisk sign (*) be visible. This is normal behavior and does not mean your keyboard isn’t working. It is necessary to type blindly and trust the procedure.
{{CodeSelect|code=
sudo pwchange
}}
pwchange will display a prompt.
What user's password do you want to change?
Type the account name such as user or sysmaint and then press pwchange.
{{IconSet|h1|10}} '''Root password.'''
No changes required. Optional. For details, see [[Root#Root_Account|root account in {{project_name_short}}]].
{{IconSet|h1|11}} '''Done.'''
The procedure of changing passwords is complete.
}}
Another option is to [[Recovery#Recovery_Mode|boot into recovery mode]] and change passwords there.
= Graphical Login Screen =
For {{gui}}.
Platform specific.
* [[Non-Qubes-Kicksecure|{{non_q_project_name_short}}]]: Applicable. See below.
* [[Qubes|{{q_project_name_long}}]]: Mostly, not applicable except if using a Qubes HVM. This is up to the host operating system, Qubes, not {{project_name_short}}.
A login screen can be provided by a login manager. For example, greetd + wlgreet is the login manager used by default in {{project_name_short}}.
'''Figure:''' ''greetd + wlgreet login manager''
[[File:Gui_login.png|600px]]
= Console Login Screen =
For {{cli}}.
What is a virtual console? See [[Desktop#Virtual_Consoles|Virtual Console]].
== Login Instructions for Virtual Console ==
Platform specific.
* [[Non-Qubes-Kicksecure|{{non_q_project_name_short}}]]: Applicable. See below.
* [[Qubes|{{q_project_name_short}}]]: Mostly, not applicable except if using a Qubes HVM. This is up to the host operating system, Qubes, not {{project_name_short}}.
'''Figure:''' ''virtual console login screen''
[[File:virtual_console.png|600px]]
{{IconSet|h1|1}} Type the ''username''.
The default username is: user. Press {{keypress|Enter}} after typing the username.
{{IconSet|h1|2}} Type the ''password''.
If a password has been set, type it and press {{keypress|Enter}}.
Note: No feedback (such as asterisks "*") will be shown when typing the password.
{{IconSet|h1|3}} Done.
Login on the virtual console login screen has been completed.
== Notes ==
* The default root account is locked for security reasons. For more information, visit the [[root|root account documentation]].
* If you are using a virtual machine, ignore any host login: prompts. Do not enter your host computer username or password.
= Troubleshooting =
* '''Forgot Username or Password''': If you have forgotten your username or password, please refer to the [[Recovery]] page for steps on recovering your account.
= See Also =
* [[Protection_Against_Physical_Attacks#Login_Screen|Login Screen]]
* Learn more about default passwords, when it is useful to set a password, see [[Default Passwords]].
* [https://github.com/Kicksecure/kicksecure-base-files/blob/master/etc/issue.kicksecure /etc/issue file]
* Learn more about securing your Kicksecure installation by visiting our [[System Hardening Checklist]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]
.