Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print VersionDebug Helper Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

This page provides detailed information about the Kicksecure login screen, how to configure it, and how to log in securely.

Login Security Concepts[edit]

By default, Kicksecure provides a user account, user, with graphical user interface (GUI) autologin enabled if applicable, and no password set. When using a system with a GUI, Kicksecure will boot directly into a graphical desktop when powered on. For many users and situations, this configuration is not a security hazard because:

• Single-user machines: Desktop and laptop systems are generally single-user machines and do not need to authenticate multiple human users. Users of a single-user machine are expected to keep their machine physically secure from in-person attackers.
• Multi-user configuration: For machines that aren't single-user, the system administrator will generally be the first person to use the machine after installation and will have the opportunity to configure the system's user accounts to meet the needs of all users.
• Weak login screen protection: The login screen is usually only a weak security barrier. If Full Disk Encryption (FDE) is not used, a malicious individual can gain access to the machine's data by simply booting a live ISO or stealing the system's storage drive. Even if FDE is used, a sophisticated attacker with sufficient time can likely bypass the login screen if they gain physical access to the device while it is powered on.
• FDE makes login screen redundant: If using the Kicksecure ISO to install Kicksecure onto a machine, FDE is enabled by default. This requires the user to authenticate before the system will boot, thus making the login screen redundant in most single-user scenarios. Auententcation is done during initramfs (initramfs-tools or dracut) Based Encryption Password Prompt.
• Virtual machines and host security: If using Kicksecure in a Virtual Machine, the VM's login security is not as important as the host system's login security. There are numerous ways to modify a virtual machine's state from the host system, allowing an attacker with access to an unlocked host machine to bypass a virtual machine's login screen. Virtual machine users are expected to keep their host system physically secure from in-person attackers.

However, there are situations in which it is valuable to require password authentication for administrative actions or for login purposes. Users should be aware of their threat model and adjust login settings accordingly. Users interested in this topic should read the Default Passwords and Protection against Physical Attacks wiki pages.

Configuring GUI Autologin[edit]

Platform specific.

• Non-Qubes-Kicksecure: Applicable. See below.
• Kicksecure-Qubes users can skip this section, except for HVM Qube. ^[1]

Host operating system (OS) versus virtual machine (VM).

• Host operating system:
  • Simple login screen: Disabling autologin can be useful if the user wants to enable a login screen.
  • No full disk encryption: Note, the login screen is not providing Full Disk Encryption (FDE). The purpose of the login screen is elaborated in chapter Login Screen.
• VMs: It is not very useful to disable autologin to enable a login screen inside VMs. It's much more secure to have a login screen on the host operating system.

Automatic Autologin Configuration[edit]

To view which user accounts on the system have autologin enabled, run systemcheck. This will show you a login security table, indicating which users on the system are not password protected and/or have autologin enabled.

Only one normal user account can have autologin enabled at once. The reason for this is fairly obvious - if two users had autologin enabled at the same time, which user would be automatically logged into? For this reason, if you enable autologin for one user account when autologin is already enabled for a different user account, autologin will be disabled for that different user account. The only exception to this rule is if user-sysmaint-split is installed. In this case, the sysmaint user account can have autologin enabled or disabled independently of the other user accounts. This is because the sysmaint account is only accessible when the system is booted in PERSISTENT mode SYSMAINT.

To enable or disable autologin on a user account, you can use the autologinchange utility.

1. Launch autologinchange. You can do this by clicking the "Manage GUI Autologin" button in the System Maintenance Panel. You can also run the tool by running the following command in a terminal:

sudo autologinchange

2. autologinchange will display a list of user accounts on the system. Identify the user you want to enable or disable autologin for.

3. Type the user account's name and press Enter.

4. You will be told whether autologin is currently enabled or disabled for the current user account. To toggle autologin on the selected account, press y, then press Enter.

5. Done. Autologin has now been toggled on the specified user account.

Manual Autologin Configuration[edit]

To change the auto login behavior, we have to edit the config file of lightdm which is the default display manager used by Kicksecure.

If you use another display manager, please look up in the manual of your display manager on how to change auto login behavior, for lightdm in Kicksecure it is:

Apply the following instructions to enable the login prompt at boot.

This requires configuration of LightDM in Kicksecure.

1. Disable LightDM autologin.

This is done by deleting the configuration files which enable autologin.

sudo rm /etc/lightdm/lightdm.conf.d/30_autologin.conf

sudo rm /etc/lightdm/lightdm.conf.d/40_autologin.conf

2. Linux user account password.

The user will need to Configuring Passwords if one has not already been set.

3. Reboot.

4. Done.

Autologin should be disabled after reboot and the user should see a login prompt after reboot.

Troubleshooting: See footnote for troubleshooting. ^[2]

Configuring Passwords[edit]

What user's password do you want to change?

If issues appear when gaining root, consider using dsudo.

Another option is to boot into recovery mode and change passwords there.

Graphical Login Screen[edit]

For graphical user interface (GUI).

Platform specific.

• Kicksecure: Applicable. See below.
• Kicksecure for Qubes: Mostly, not applicable except if using a Qubes HVM. This is up to the host operating system, Qubes, not Kicksecure.

A login screen can be provided by a login manager. For example, LightDM is the login manager used by default in Kicksecure.

Figure: LightDM login manager

Console Login Screen[edit]

For command line interface (CLI).

What is a virtual console? See Virtual Console.

Login Instructions for Virtual Console[edit]

Platform specific.

• Kicksecure: Applicable. See below.
• Kicksecure-Qubes: Mostly, not applicable except if using a Qubes HVM. This is up to the host operating system, Qubes, not Kicksecure.

Figure: virtual console login screen

1. Type the Username.

• The default username is: user
• Press <Enter> after typing the username.

2. Type the Password.

• If a password has been set, type it and press <Enter>.
• Note: No feedback (such as asterisks "*") will be shown when typing the password.

Notes[edit]

• The default root account is locked for security reasons. For more information, visit the root account documentation.
• If you are using a virtual machine, ignore any host login: prompts. Do not enter your host computer username or password.

Troubleshooting[edit]

• Forgot Username or Password: If you have forgotten your username or password, please refer to the Recovery page for steps on recovering your account.

See Also[edit]

• Login Screen
• Learn more about default passwords, when it is useful to set a password, see Default Passwords.
• /etc/issue file
• Learn more about securing your Kicksecure installation by visiting our System Hardening Checklist

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!