Bug 666220

Summary: The gdm greeter should be configurable so as not to display list of valid user accounts
Product: Red Hat Enterprise Linux 6
Reporter: Alan Bartlett <ajb>
Component: gdm
Assignee: Ray Strode [halfline] <rstrode>
Status: CLOSED NOTABUG
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Docs Contact:
Priority: high
Version: 6.5
CC: agunn, amyagi, bruno.travouillon, herrold, igeorgex, jcm, jkoten, pasteur, phil, rstrode, scottro11, snagar, syeghiay, tbowling, tlavigne, toracat, tpelka
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-28 18:34:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 960054, 1056252

Description Alan Bartlett 2010-12-29 17:12:12 UTC
Description of problem: System configured with GUI. The gdm greeter displays a list of all valid user accounts. That is not acceptable for an Enterprise Class OS. It is a significant security lapse that should have been corrected before GA.


Version-Release number of selected component (if applicable): 2.30.4-21


How reproducible: 100%


Steps to Reproduce:
1. Configure a RHEL 6.0 system to run with a GUI
2. Examine the gdm greeter screen
Actual results: gdm greeter screen displays a list of all valid user accounts


Expected results: gdm greeter screen should display "Login" and provide an input box for the user to type her|his login id.


Additional info: This bug (yes it is a bug -- a security bug) seems to have its origins in a Fedora "feature". 

(See https://bugzilla.redhat.com/show_bug.cgi?id=449728)

Comment 2 Scott Robbins 2010-12-29 17:47:08 UTC
Not even Windows does this.  (Though Apple does.)  Windows will show the last user, but will not give a list of users on the machine. 

The reasons against it, in any kind of work environment, seem obvious to me. 

Typical situation, if the machine is used as workstation---John goes to Bob's machine, sees his login name and guesses that the password is Bob's wife's name.

Comment 3 Ray Strode [halfline] 2011-01-18 22:57:28 UTC
You can turn off the user list via GConf configuration.

See http://library.gnome.org/admin/gdm/stable/configuration.html.en for more details.

Comment 4 Alan Bartlett 2011-01-18 23:50:52 UTC
Re-opening.

I'm sorry Ray but that Fedora-type response is not appropriate for RHEL.

The correct, default, configuration is with that security defect disabled. If an end user requires it turned on, then they can do so.

This is a security bug and it should be treated as such. The necessary correction should be made to the default configuration and a bug-fixed package released.

Comment 6 RHEL Program Management 2011-01-27 02:28:11 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 7 Suzanne Logcher 2011-10-06 18:49:20 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.
               
Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 8 Mike Grima 2011-12-28 12:58:25 UTC
There is a problem with the proposed gconf configuration command that supposedly fixes the problem: it kills smart card login support.

Increasingly, many secure environments are using smart cards to control access to their systems, and thus, this command is not a proper workaround to this problem.

I am currently in the process of submitting a support ticket for this to be resolved, because this is very serious.  Displaying all available user accounts on the system is a major security problem that is unacceptable for an enterprise class OS, such as RHEL.

This is a major regression from RHEL 5 which did not present a user list, and also allowed for proper smart card login support.

This problem should, at the very least, be addressed in RHEL 6.3 or 6.4.

Comment 9 Alan Bartlett 2012-10-18 15:04:59 UTC
Bumping this issue to ensure that it is not forgotten.

Comment 12 Alan Bartlett 2013-02-25 19:23:02 UTC
RHEL 6u4

Bumping this issue to ensure that it is not forgotten.

Comment 15 Jiri Koten 2013-05-15 14:04:27 UTC
Smartcard login with disabled user list was fixed in gdm-2.30.4-38.el6.

Related errata in rhel64 https://rhn.redhat.com/errata/RHBA-2013-0381.html
[snip]
* With this update, GDM has been modified to allow smartcard authentication when
the visible user list is disabled. (BZ#719647)

Comment 20 Siddharth Nagar 2014-05-28 18:34:40 UTC
We understand that displaying login user names can be undesirable in accordance with corporate security policies. Unfortunately, we cannot change the system installed default behaviour mid-stream. We can however, provide the following as a means to change the default behaviour for your environment:

This policy can be adjusted at machine-level via the /apps/gdm/simple-greeter/disable_user_list GConf configuration key.  To make this change, run gconf-editor as root, navigate to /apps/gdm/simple-greeter, right click on the disable-user-list key and choose "Set as Default" from the context menu.

Alternatively, the gconftool-2 command can be used to --load the updated policy from a suitable xml file:

<gconfentryfile>
  <entrylist base="/apps/gdm/simple-greeter">
    <entry>
      <key>disable_user_list</key>
      <schema_key>/schemas/apps/gdm/simple-greeter/disable_user_list</schema_key>
      <value>
        <bool>true</bool>
      </value>
    </entry>
  </entrylist>
</gconfentryfile>
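The complete gconftool-2 invocation that comment 20 only alludes to, as an added example (not Red Hat's or the bug's own text): it writes the entry file shown above and loads it into the machine-wide mandatory source rather than the defaults source, so that per-user GConf settings cannot turn the list back on, then reads the key back as an audit check. The function names, the temporary-file handling and the choice of the mandatory source are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: generate the gconf entry file from
# comment 20 and load it into the machine-wide mandatory source so the
# greeter user list stays off regardless of per-user settings. Function
# names, temp-file handling and the mandatory-source choice are assumptions.
set -eu

# Write the entry file for /apps/gdm/simple-greeter/disable_user_list.
# $1 = output path
write_policy_xml() {
    cat > "$1" <<'EOF'
<gconfentryfile>
  <entrylist base="/apps/gdm/simple-greeter">
    <entry>
      <key>disable_user_list</key>
      <schema_key>/schemas/apps/gdm/simple-greeter/disable_user_list</schema_key>
      <value>
        <bool>true</bool>
      </value>
    </entry>
  </entrylist>
</gconfentryfile>
EOF
}

# Load the entry file into the mandatory config source (run as root).
# --direct bypasses gconfd and writes straight to the XML backend.
apply_policy() {
    gconftool-2 --direct \
        --config-source=xml:readwrite:/etc/gconf/gconf.xml.mandatory \
        --load "$1"
}

# Audit check: prints the effective value of the key ("true" once the
# policy is applied); falls back to "unset" if gconftool-2 reports an error.
check_policy() {
    gconftool-2 --get /apps/gdm/simple-greeter/disable_user_list 2>/dev/null \
        || echo unset
}

case "${1:-}" in
    apply) f=$(mktemp); write_policy_xml "$f"; apply_policy "$f"; rm -f "$f"; check_policy ;;
    check) check_policy ;;
esac
```

Per comment 15, smart card login still works with the list disabled only on gdm-2.30.4-38.el6 or later, so check the installed package version before rolling this out on hosts that use smart cards.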