Chapter 5. The Files kdm Uses for Configuration

This chapter documents the files that control kdm's behavior. Some of this can be also controlled from the System Settings module, but not all.

kdmrc - The kdm master configuration file

The basic format of the file is INI-like. Options are key/value pairs, placed in sections. Everything in the file is case sensitive. Syntactic errors and unrecognized key/section identifiers cause kdm to issue non-fatal error messages.

Lines beginning with # are comments; empty lines are ignored as well.

Sections are denoted by [Name of Section].

You can configure every X-display individually.

Every display has a display name, which consists of a host name (which is empty for local displays specified in StaticServers or ReserveServers), a colon, and a display number. Additionally, a display belongs to a display class (which can be ignored in most cases).

Sections with display-specific settings have the formal syntax [X- host [ : number [ _ class ] ] - sub-section ]

All sections with the same sub-section make up a section class.

You can use the wildcard * (match any) for host, number, and class. You may omit trailing components; they are assumed to be * then. The host part may be a domain specification like .inf.tu-dresden.de or the wildcard + (match non-empty).

From which section a setting is actually taken is determined by these rules:

  • An exact match takes precedence over a partial match (for the host part), which in turn takes precedence over a wildcard (+ taking precendence over *).

  • Precedence decreases from left to right for equally exact matches.

  • Example: display name myhost.foo:0, class dpy

    • [X-myhost.foo:0_dpy] precedes

    • [X-myhost.foo:0_*] (same as [X-myhost.foo:0]) precedes

    • [X-myhost.foo:*_dpy] precedes

    • [X-myhost.foo:*_*] (same as [X-myhost.foo]) precedes

    • [X-.foo:*_*] (same as [X-.foo]) precedes

    • [X-+:0_dpy] precedes

    • [X-*:0_dpy] precedes

    • [X-*:0_*] (same as [X-*:0]) precedes

    • [X-*:*_*] (same as [X-*]).

    • These sections do not match this display:

      [X-hishost], [X-myhost.foo:0_dec], [X-*:1], [X-:*]

Common sections are [X-*] (all displays), [X-:*] (all local displays) and [X-:0] (the first local display).

The format for all keys is key = value. Keys are only valid in the section class they are defined for. Some keys do not apply to particular displays, in which case they are ignored.

If a setting is not found in any matching section, the default is used.

Special characters need to be backslash-escaped (leading and trailing spaces (\s), tab (\t), linefeed (\n), carriage return (\r) and the backslash itself (\\)).

In lists, fields are separated with commas without whitespace in between.

Some command strings are subject to simplified sh-style word splitting: single quotes (') and double quotes (") have the usual meaning; the backslash quotes everything (not only special characters). Note that the backslashes need to be doubled because of the two levels of quoting.

Note

A pristine kdmrc is very thoroughly commented. All comments will be lost if you change this file with the System Settings frontend.

The [General] section of kdmrc

This section contains global options that do not fit into any specific section.

ConfigVersion

This option exists solely for the purpose of clean automatic upgrades. Do not change it, you may interfere with future upgrades and this could result in kdm failing to run.

StaticServers

List of displays (X-Servers) permanently managed by kdm. Displays with a hostname are foreign displays which are expected to be already running, the others are local displays for which kdm starts an own X-Server; see ServerCmd. Each display may belong to a display class; append it to the display name separated by an underscore. See the section called “Specifying permanent X-Servers” for the details.

The default is :0.

ReserveServers

List of on-demand displays. See StaticServers for syntax.

Empty by default.

ServerVTs

List of Virtual Terminals to allocate to X-Servers. For negative numbers the absolute value is used, and the VT will be allocated only if the kernel says it is free. If kdm exhausts this list, it will allocate free VTs greater than the absolute value of the last entry in this list. Currently Linux only.

Empty by default.

ConsoleTTYs

This option is for operating systems (OSs) with support for virtual terminals (VTs), by both kdm and the OSs itself. Currently this applies only to Linux.

When kdm switches to console mode, it starts monitoring all TTY lines listed here (without the leading /dev/). If none of them is active for some time, kdm switches back to the X login.

Empty by default.

PidFile

The filename specified will be created to contain an ASCII representation of the process ID of the main kdm process; the PID will not be stored if the filename is empty.

Empty by default.

LockPidFile

This option controls whether kdm uses file locking to keep multiple display managers from running onto each other.

The default is true.

AuthDir

This names a directory under which kdm stores X-Server authorization files while initializing the session. kdm expects the system to clean up this directory from stale files on reboot.

The authorization file to be used for a particular display can be specified with the AuthFile option in [X-*-Core].

The default is /var/run/xauth.

AutoRescan

This boolean controls whether kdm automatically re-reads its configuration files if it finds them to have changed.

The default is true.

ExportList

Additional environment variables kdm should pass on to all programs it runs. LD_LIBRARY_PATH and XCURSOR_THEME are good candidates; otherwise, it should not be necessary very often.

Empty by default.

RandomFile

If the system has no native entropy source like /dev/urandom (see RandomDevice) and no entropy daemon like EGD (see PrngdSocket and PrngdPort) is running, kdm will fall back to its own pseudo-random number generator that will, among other things, successively checksum parts of this file (which, obviously, should change frequently).

This option does not exist on Linux and various BSDs.

The default is /dev/mem.

PrngdSocket

If the system has no native entropy source like /dev/urandom (see RandomDevice), read random data from a Pseudo-Random Number Generator Daemon, like EGD (http://egd.sourceforge.net) via this UNIX domain socket.

This option does not exist on Linux and various BSDs.

Empty by default.

PrngdPort

Same as PrngdSocket, only use a TCP socket on localhost.

RandomDevice

The path to a character device which kdm should read random data from. Empty means to use the system's preferred entropy device if there is one.

This option does not exist on OpenBSD, as it uses the arc4_random function instead.

Empty by default.

FifoDir

The directory in which the command sockets should be created; make it empty to disable them.

The default is /var/run/xdmctl.

FifoGroup

The group to which the global command socket should belong; can be either a name or a numerical ID.

GreeterUID

The user the greeter should run as. Empty results in root. Consider the impact on LogSource when setting it.

Empty by default.

DataDir

The directory in which kdm should store persistent working data; such data is, for example, the previous user that logged in on a particular display.

The default is /var/lib/kdm.

DmrcDir

The directory in which kdm should store users' .dmrc files. This is only needed if the home directories are not readable before actually logging in (like with AFS).

Empty by default.

The [Xdmcp] section of kdmrc

This section contains options that control kdm's handling of XDMCP requests.

Enable

Whether kdm should listen to incoming XDMCP requests.

The default is true.

Port

This indicates the UDP port number which kdm uses to listen for incoming XDMCP requests. Unless you need to debug the system, leave this with its default value.

The default is 177.

KeyFile

XDM-AUTHENTICATION-1 style XDMCP authentication requires a private key to be shared between kdm and the terminal. This option specifies the file containing those values. Each entry in the file consists of a display name and the shared key.

Empty by default.

Xaccess

To prevent unauthorized XDMCP service and to allow forwarding of XDMCP IndirectQuery requests, this file contains a database of hostnames which are either allowed direct access to this machine, or have a list of hosts to which queries should be forwarded to. The format of this file is described in the section called “XDMCP access control”.

The default is ${kde_confdir}/kdm/Xaccess.

ChoiceTimeout

Number of seconds to wait for the display to respond after the user has selected a host from the chooser. If the display sends an XDMCP IndirectQuery within this time, the request is forwarded to the chosen host; otherwise, it is assumed to be from a new session and the chooser is offered again.

The default is 15.

RemoveDomainname

When computing the display name for XDMCP clients, the name resolver will typically create a fully qualified host name for the terminal. As this is sometimes confusing, kdm will remove the domain name portion of the host name if it is the same as the domain name of the local host when this option is enabled.

The default is true.

SourceAddress

Use the numeric IP address of the incoming connection on multihomed hosts instead of the host name. This is to avoid trying to connect on the wrong interface which might be down at this time.

The default is false.

Willing

This specifies a program which is run (as root) when an XDMCP DirectQuery or BroadcastQuery is received and this host is configured to offer XDMCP display management. The output of this program may be displayed in a chooser window. If no program is specified, the string Willing to manage is sent.

Empty by default.

The [Shutdown] section of kdmrc

This section contains global options concerning system shutdown.

HaltCmd

The command (subject to word splitting) to run to halt/poweroff the system.

The default is something reasonable for the system on which kdm was built, like /sbin/shutdown -h now.

RebootCmd

The command (subject to word splitting) to run to reboot the system.

The default is something reasonable for the system kdm on which was built, like /sbin/shutdown -r now.

AllowFifo

Whether it is allowed to shut down the system via the global command socket.

The default is false.

AllowFifoNow

Whether it is allowed to abort active sessions when shutting down the system via the global command socket.

This will have no effect unless AllowFifo is enabled.

The default is true.

BootManager

The boot manager kdm should use for offering boot options in the shutdown dialog.

None

no boot manager

Grub

Grub boot manager

Grub2

Grub2 boot manager

Lilo

Lilo boot manager (Linux on i386 & x86-64 only)

The default is None.

The [X-*-Core] section class of kdmrc

This section class contains options concerning the configuration of the kdm backend (core).

OpenDelay

See OpenRepeat.

The default is 15.

OpenTimeout

See OpenRepeat.

The default is 120.

OpenRepeat

These options control the behavior of kdm when attempting to open a connection to an X-Server. OpenDelay is the length of the pause (in seconds) between successive attempts, OpenRepeat is the number of attempts to make and OpenTimeout is the amount of time to spend on a connection attempt. After OpenRepeat attempts have been made, or if OpenTimeout seconds elapse in any particular connection attempt, the start attempt is considered failed.

The default is 5.

StartAttempts

How many times kdm should attempt to start a foreign display listed in StaticServers before giving up and disabling it. Local displays are attempted only once, and XDMCP displays are retried indefinitely by the client (unless the option -once was given to the X-Server).

The default is 4.

ServerAttempts

How many times kdm should attempt to start up a local X-Server. Starting up includes executing it and waiting for it to come up.

The default is 1.

ServerTimeout

How many seconds kdm should wait for a local X-Server to come up.

The default is 30.

ServerCmd

The command line to start the X-Server, without display number and VT spec. Note that with some X-Servers (in particular, OpenSolaris') it is necessary to put most additional arguments into ServerArgsLocal and ServerArgsRemote even if they are the same for both. This string is subject to word splitting.

The default is something reasonable for the system on which kdm was built, like /usr/X11R6/bin/X.

ServerArgsLocal

Additional arguments for the X-Servers for local sessions. This string is subject to word splitting.

Empty by default.

ServerArgsRemote

Additional arguments for the X-Servers for remote sessions. This string is subject to word splitting.

Empty by default.

ServerVT

The VT the X-Server should run on. ServerVTs should be used instead of this option. Leave it zero to let kdm assign a VT automatically. Set it to -1 to avoid assigning a VT alltogether - this is required for setups with multiple physical consoles. Currently Linux only.

ServerTTY

This option is for OSs without support for VTs, either by kdm or the OS itself. Currently this applies to all OSs but Linux.

When kdm switches to console mode, it starts monitoring this TTY line (specified without the leading /dev/) for activity. If the line is not used for some time, kdm switches back to the X login.

Empty by default.

ServerUID

The user the X-Server should run as. Empty results in root.

Empty by default.

PingInterval

See PingTimeout.

The default is 5.

PingTimeout

To discover when remote displays disappear, kdm regularly pings them. PingInterval specifies the time (in minutes) between the pings and PingTimeout specifies the maximum amount of time (in minutes) to wait for the terminal to respond to the request. If the terminal does not respond, the session is declared dead and terminated.

If you frequently use X terminals which can become isolated from the managing host, you may wish to increase the timeout. The only worry is that sessions will continue to exist after the terminal has been accidentally disabled.

The default is 5.

TerminateServer

Whether kdm should restart the local X-Server after session exit instead of resetting it. Use this if the X-Server leaks memory or crashes the system on reset attempts.

The default is false.

Authorize

Controls whether kdm generates and uses authorization for local X-Server connections. For XDMCP displays the authorization requested by the display is used; foreign non-XDMCP displays do not support authorization at all.

The default is true.

AuthNames

If Authorize is true, use the authorization mechanisms listed herein. The MIT-MAGIC-COOKIE-1 authorization is always available; XDM-AUTHORIZATION-1, SUN-DES-1 and MIT-KERBEROS-5 might be available as well, depending on the build configuration.

The default is DEF_AUTH_NAME.

ResetForAuth

Some old X-Servers re-read the authorization file at X-Server reset time, instead of when checking the initial connection. As kdm generates the authorization information just before connecting to the display, an old X-Server would not get up-to-date authorization information. This option causes kdm to send SIGHUP to the X-Server after setting up the file, causing an additional X-Server reset to occur, during which time the new authorization information will be read.

The default is false.

AuthFile

This file is used to communicate the authorization data from kdm to the X-Server, using the -auth X-Server command line option. It should be kept in a directory which is not world-writable as it could easily be removed, disabling the authorization mechanism in the X-Server. If not specified, a random name is generated from AuthDir and the name of the display.

Empty by default.

Resources

This option specifies the name of the file to be loaded by xrdb as the resource database onto the root window of screen 0 of the display. KDE programs generally do not use X-resources, so this option is only needed if the Setup program needs some X-resources.

Empty by default.

Xrdb

The xrdb program to use to read the X-resources file specified in Recources. The command is subject to word splitting.

The default is ${x_bindir}/xrdb.

Setup

This string is subject to word splitting. It specifies a program which is run (as root) before offering the greeter window. This may be used to change the appearance of the screen around the greeter window or to put up other windows (e.g., you may want to run xconsole here). Usually, a script named Xsetup is used here. See the section called “Setup program”.

Empty by default.

Startup

This string is subject to word splitting. It specifies a program which is run (as root) after the user authentication process succeeds. Usually, a script named Xstartup is used here. See the section called “Startup program”.

Empty by default.

Reset

This string is subject to word splitting. It specifies a program which is run (as root) after the session terminates. Usually, a script named Xreset is used here. See the section called “Reset program”.

Empty by default.

Session

This string is subject to word splitting. It specifies the session program to be executed (as the user owning the session). Usually, a script named Xsession is used here. See the section called “Session program”.

The default is ${x_bindir}/xterm -ls -T.

FailsafeClient

If the Session program fails to execute, kdm will fall back to this program. This program is executed with no arguments, but executes using the same environment variables as the session would have had (see the section called “Session program”).

The default is ${x_bindir}/xterm.

UserPath

The PATH environment variable for non-root Sessions.

The default depends on the system kdm was built on.

SystemPath

The PATH environment variable for all programs but non-root Sessions. Note that it is good practice not to include . (the current directory) into this entry.

The default depends on the system kdm was built on.

SystemShell

The SHELL environment variable for all programs but the Session.

The default is /bin/sh.

UserAuthDir

When kdm is unable to write to the usual user authorization file ($HOME/.Xauthority), it creates a unique file name in this directory and points the environment variable XAUTHORITY at the created file.

The default is /tmp.

ForceUserAuthDir

If true, UserAuthDir will be used unconditionally.

The default is false.

AutoReLogin

If enabled, kdm will automatically restart a session after an X-Server crash (or if it is killed by Alt-Ctrl-BackSpace). Note that enabling this feature opens a security hole: a secured display lock can be circumvented (unless KDE's built-in screen locker is used).

The default is false.

AllowRootLogin

If disabled, do not allow root (and any other user with UID = 0) to log in directly.

The default is true.

AllowNullPasswd

If disabled, only users that have passwords assigned can log in.

The default is true.

AllowShutdown

Who is allowed to shut down the system. This applies both to the greeter and to the command sockets.

None

no Shutdown... menu entry is shown at all

Root

the root password must be entered to shut down

All

everybody can shut down the machine

The default is All.

AllowSdForceNow

Who is allowed to abort active sessions when shutting down.

None

no forced shutdown is allowed at all

Root

the root password must be entered to shut down forcibly

All

everybody can shut down the machine forcibly

The default is All.

DefaultSdMode

The default choice for the shutdown condition/timing.

Schedule

shut down after all active sessions exit (possibly at once)

TryNow

shut down, if no active sessions are open; otherwise, do nothing

ForceNow

shut down unconditionally

The default is Schedule.

ScheduledSd

How to offer shutdown scheduling options:

Never

not at all

Optional

as a button in the simple shutdown dialogs

Always

instead of the simple shutdown dialogs

The default is Never.

NoPassEnable

Enable password-less logins on this display. Use with extreme care!

The default is false.

NoPassUsers

The users that do not need to provide a password to log in. Items which are prefixed with @ represent all users in the user group named by that item. * means all users but root (and any other user with UID = 0). Never list root.

Empty by default.

AutoLoginEnable

Enable automatic login. Use with extreme care!

The default is false.

AutoLoginAgain

If true, auto-login after logout. If false, auto-login is performed only when a display session starts up.

The default is false.

AutoLoginDelay

The delay in seconds before automatic login kicks in. This is also known as Timed Login.

AutoLoginUser

The user to log in automatically. Never specify root!

Empty by default.

AutoLoginPass

The password for the user to log in automatically. This is not required unless the user is logged into a NIS or Kerberos domain. If you use this option, you should chmod 600 kdmrc for obvious reasons.

Empty by default.

AutoLoginLocked

Immediately lock the automatically started session. This works only with KDE sessions.

The default is false.

SessionsDirs

A list of directories containing session type definitions. Ordered by falling priority.

The default is ${kde_datadir}/kdm/sessions.

ClientLogFile

The file (relative to the user's home directory) to redirect the session output to.

The following character pairs are replaced by their value:

%d

name of the current display

%u

login name of the current user

%r

empty at first. See below.

%%

a single %

When the constructed filename cannot be used safely and the specification contains %stuffr, other names will be tried - this time expanding %stuffr to stuff followed by a random number.

The default is .xsession-errors.

ClientLogFallback

Fallback when ClientLogFile cannot be used. The same expansions are supported. Do not use relative paths here.

The default is /tmp/xerr-%u-%d%-r.

UseSessReg

Specify whether kdm's built-in utmp/wtmp/lastlog registration should be used. If it is not, the tool sessreg should be used in the Startup and Reset scripts, or, alternatively, the pam_lastlog module should be used on PAM-enabled systems.

The default is true.

The [X-*-Greeter] section class of kdmrc

This section class contains options concerning the configuration of the kdm frontend (greeter).

GUIStyle

Specify the widget style for the greeter. Empty means to use the built-in default which currently is Oxygen-air.

Empty by default.

ColorScheme

Specify the widget color scheme for the greeter. Empty means to use the built-in default which currently is Oxygen-air.

Empty by default.

LogoArea

What should be shown in the greeter righthand of the input lines (if UserList is disabled) or above them (if UserList is enabled):

None

nothing

Logo

the image specified by LogoPixmap

Clock

a neat analog clock

The default is Clock.

LogoPixmap

The image to show in the greeter if LogoArea is Logo.

Empty by default.

GreeterPos

The relative coordinates (percentages of the screen size; X,Y) at which the center of the greeter is put. kdm aligns the greeter to the edges of the screen it would cross otherwise.

The default is 50,50.

GreeterScreen

The screen the greeter should be displayed on in multi-headed and Xinerama setups. The numbering starts with 0. For Xinerama, it corresponds to the listing order in the active ServerLayout section of XF86Config; -1 means to use the upper-left screen, -2 means to use the upper-right screen.

GreetString

The headline in the greeter. An empty greeting means none at all.

The following character pairs are replaced by their value:

%d

name of the current display

%h

local host name, possibly with the domain name

%n

local node name, most probably the host name without the domain name

%s

operating system

%r

operating system version

%m

machine (hardware) type

%%

a single %

The default is Welcome to %s at %n.

AntiAliasing

Whether the fonts used in the greeter should be antialiased.

The default is false.

GreetFont

The font for the greeter headline. The value is encoded.

The default is Serif 20pt bold.

StdFont

The normal font used in the greeter. The value is encoded.

The default is Sans Serif 10pt.

FailFont

The font used for the Login Failed message. The value is encoded.

The default is Sans Serif 10pt bold.

NumLock

What to do with the Num Lock modifier for the time the greeter is running:

Off

turn off

On

turn on

Keep

do not change the state

The default is Keep.

Language

Language and locale to use in the greeter, encoded like $LANGUAGE. If empty, the settings from the environment are used.

Empty by default.

UserCompletion

Enable autocompletion in the username line edit.

The default is false.

UserList

Show a user list with unix login names, real names, and images in the greeter.

The default is true.

ShowUsers

This option controls which users will be shown in the user view (UserList) and/or offered for autocompletion (UserCompletion). If it is Selected, SelectedUsers contains the final list of users. If it is NotHidden, the initial user list contains all users found on the system. Users contained in HiddenUsers are removed from the list, just like all users with a UID greater than specified in MaxShowUID and users with a non-zero UID less than specified in MinShowUID. Items in SelectedUsers and HiddenUsers which are prefixed with @ represent all users in the user group named by that item. Finally, the user list will be sorted alphabetically, if SortUsers is enabled.

The default is NotHidden.

SelectedUsers

See ShowUsers.

Empty by default.

HiddenUsers

See ShowUsers.

Empty by default.

MinShowUID

See ShowUsers.

MaxShowUID

See ShowUsers.

The default is 65535.

SortUsers

See ShowUsers.

The default is true.

FaceSource

If UserList is enabled, this specifies where kdm gets the images from:

AdminOnly

from <FaceDir>/$USER.face[.icon]

PreferAdmin

prefer <FaceDir>, fallback on $HOME

PreferUser

... and the other way round

UserOnly

from the user's $HOME/.face[.icon]

The images can be in any format Qt recognizes, but the filename must match kdm's expectations: .face.icon should be a 48x48 icon, while .face should be a 300x300 image. Currently the big image is used only as a fallback and is scaled down, but in the future it might be displayed full-size in the logo area or a tooltip. To be accessible to kdm, the images must be world readable and their parent directories must be world executable.

The default is AdminOnly.

FaceDir

See FaceSource.

The default is ${kde_datadir}/kdm/faces.

PreselectUser

Specify, if/which user should be preselected for log in:

None

do not preselect any user

Previous

the user which successfully logged in last time

Default

the user specified in the DefaultUser option

If FocusPasswd is enabled and a user was preselected, the cursor is placed in the password input field automatically.

Note

Enabling user preselection can be considered a security hole, as it presents a valid login name to a potential attacker, so he only needs to guess the password. On the other hand, one could set DefaultUser to a fake login name.

The default is None.

DefaultUser

See PreselectUser.

Empty by default.

FocusPasswd

See PreselectUser.

The default is false.

EchoPasswd

If this is true, the entered password is echoed as bullets. Otherwise, no feedback is given at all.

The default is true.

UseBackground

If enabled, kdm will automatically start the krootimage program to set up the background; otherwise, the Setup program is responsible for the background.

The default is true.

BackgroundCfg

The configuration file to be used by krootimage. It contains a section named [Desktop0] like kdesktoprc does. Its options are not described herein; guess their meanings or use the control center.

The default is ${kde_confdir}/kdm/backgroundrc.

GrabInput

To improve security, the greeter may grab mouse and keyboard input so no other X clients can eavesdrop it. However, the X authorization mechanism will usually prevent malicious X clients from connecting in the first place. Consequently, enabling grabs for local displays is pointless and only marginally improves security for remote displays.

Note

The mouse grab will make on-screen keyboards unusable.

Never

never grab

IfNoAuth

grab if the display requires no X authorization

Always

always grab

The default is IfNoAuth.

GrabServer

To improve security, the greeter grabs the X-Server and then the input when it starts up. This option specifies if the X-Server grab should be held for the duration of the name/password reading. When disabled, the X-Server is ungrabbed after the input grabs succeed; otherwise, the X-Server is grabbed until just before the session begins.

Note

Enabling this option disables UseBackground and Setup.

The default is false.

GrabTimeout

This option specifies the maximum time kdm will wait for the grabs to succeed. A grab may fail if some other X-client has the X-Server or the keyboard grabbed, or possibly if the network latencies are very high. You should be cautious when raising the timeout, as a user can be spoofed by a look-alike window on the display. If a grab fails, kdm kills and restarts the X-Server (if possible) and the session.

The default is 3.

AuthComplain

Warn, if a display has no X-authorization. This will be the case if

  • the authorization file for a local X-Server could not be created,

  • a remote display from XDMCP did not request any authorization or

  • the display is a foreign display specified in StaticServers.

The default is true.

LoginMode

Specify whether the greeter of local displays should start up in host chooser (remote) or login (local) mode and whether it is allowed to switch to the other mode.

LocalOnly

only local login possible

DefaultLocal

start up in local mode, but allow switching to remote mode

DefaultRemote

... and the other way round

RemoteOnly

only choice of remote host possible

The default is LocalOnly.

ChooserHosts

A list of hosts to be automatically added to the remote login menu. The special name * means broadcast. Has no effect if LoginMode is LocalOnly.

The default is *.

ForgingSeed

Use this number as a random seed when forging saved session types, etc. of unknown users. This is used to avoid telling an attacker about existing users by reverse conclusion. This value should be random but constant across the login domain.

ShowLog

Enable kdm's built-in xconsole. Note that this can be enabled for only one display at a time. This option is available only if kdm was configured with --enable-kdm-xconsole.

The default is false.

LogSource

The data source for kdm's built-in xconsole. If empty, a console log redirection is requested from /dev/console. Has no effect if ShowLog is disabled.

Empty by default.

PluginsLogin

Specify conversation plugins for the login dialog; the first in the list is selected initially. Each plugin can be specified as a base name (which expands to $kde_modulesdir/kgreet_base) or as a full pathname.

Conversation plugins are modules for the greeter which obtain authentication data from the user. Currently only the classic plugin is shipped with KDE; it presents the well-known username and password form.

The default is classic.

PluginsShutdown

Same as PluginsLogin, but for the shutdown dialog.

The default is classic.

PluginOptions

A list of options of the form Key=Value. The conversation plugins can query these settings; it is up to them what possible keys are.

Empty by default.

AllowConsole

Show the Console Login action in the greeter (if ServerTTY/ConsoleTTYs is configured).

The default is true.

AllowClose

Show the Restart X Server/Close Connection action in the greeter.

The default is true.

Preloader

A program to run while the greeter is visible. It is supposed to preload as much as possible of the session that is going to be started (most probably).

Empty by default.

UseTheme

Whether the greeter should be themed. Note that the themed greeter is challenged accessibility-wise, and themes may lack support for features like a user list or alternative authentication methods.

The default is false.

Theme

The theme to use for the greeter. Can point to either a directory or an XML file.

Empty by default.

AllowThemeDebug

Enable the Alt-Ctrl-D shortcut to toggle greeter theme debugging.

The default is false.