Hide username on lock screen

Since I did not want the username to appear on the login screen, I did what the Fedora Docs say at "Displaying a user prompt on the GNOME login screen :: Fedora Docs".

It works like a charm, but (there is always ‘a but’) after the screen lock, either automatic or forced by Super+l, the username is already there and all you have to do is enter the password to unlock it.

Is there a way to force the need to enter the username as well on the lock screen?

I’m on Fedora Linux 37 (Workstation Edition).
Kernel: Linux 6.2.8-200.fc37.x86_64.

It’s only a partial solution. Still the username/nickname is visible. I know it might not be the best idea to mention MS-Windows here, but it was fairly simple to do that there. Just change one of the local security policies to ‘do not show username on login screen’ and that was it for both login and lock screen. :slight_smile:

Browsing the depths of the Internet I found this:
In: /etc/pam.d/gdm-password
change: auth substack password-auth
to: auth required pam_succeed_if.so user != root quiet

I have no idea what it does, and the file looks scary, so I am not sure if I will not blow things away.

What does it do?

The GDM login screen is implemented differently than the GNOME lock screen, so a similar approach will not work.

To tell the truth, this is not really a Fedora specific issue, so you’re more likely to get a definitive answer if you ask the GNOME devs directly.

I see. Will look at GNOME discussion board, then. Thank you.

Linking the discussion: User prompt on lock screen - Desktop - GNOME Discourse


Replacing the lock screen with the switch user screen and hiding user names:

# GDM dconf
sudo machinectl shell gdm@ ${BASH} -c \
"gsettings set org.gnome.login-screen disable-user-list true"

# GNOME session lock
mkdir -p ~/.local/bin
tee ~/.local/bin/gnome-session-lock << "EOF" > /dev/null
#!/usr/bin/bash
loginctl lock-session
busctl call org.gnome.DisplayManager \
/org/gnome/DisplayManager/LocalDisplayFactory \
org.gnome.DisplayManager.LocalDisplayFactory \
CreateTransientDisplay > /dev/null
EOF
chmod +x ~/.local/bin/gnome-session-lock

# GNOME shortcuts
gsettings set org.gnome.settings-daemon.plugins.media-keys screensaver "[]"
gsettings set org.gnome.settings-daemon.plugins.media-keys custom-keybindings \
"['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/']"
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:\
/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/ \
binding "<Super>L"
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:\
/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/ \
command "gnome-session-lock"
gsettings set org.gnome.settings-daemon.plugins.media-keys.custom-keybinding:\
/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/ \
name "Lock screen"

But this still leaves a loophole if you switch back to the user session with Alt+Ctrl+F2.

2 Likes
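A check for the settings changed by the commands above, as an added example that is not part of the original post: it parses `gsettings list-recursively` output taken as the gdm user and as the desktop user, and counts which of the three settings are missing. The function names and the sample dumps are constructed for illustration.

```bash
#!/usr/bin/bash
# Added example: audit the settings that the workaround above changes.
# Input format: "<schema> <key> <value>" lines, as `gsettings list-recursively` prints.

# Print the value of schema $1, key $2 from a dump on stdin (empty if absent).
gs_value() {
    awk -v s="$1" -v k="$2" '
        { sub(/\r$/, "") }   # tolerate CRLF line endings in captured output
        $1 == s && $2 == k { $1 = $2 = ""; sub(/^ +/, ""); print; exit }'
}

# Print one PASS/FAIL line; returns non-zero on FAIL so the caller can count.
report() {  # $1 = ok|bad, $2 = message
    if [ "$1" = ok ]; then echo "PASS $2"; else echo "FAIL $2"; return 1; fi
}

# $1 = dump taken as the gdm user, $2 = dump taken as the desktop user.
# Exit status = number of failed checks (0 means all three hold).
audit_lock_hardening() (
    mk=org.gnome.settings-daemon.plugins.media-keys
    fails=0

    v=$(printf '%s\n' "$1" | gs_value org.gnome.login-screen disable-user-list)
    [ "$v" = true ] && s=ok || s=bad
    report "$s" "greeter user list disabled (disable-user-list=${v:-unset})" || fails=$((fails + 1))

    v=$(printf '%s\n' "$2" | gs_value "$mk" screensaver)
    case "$v" in "@as []" | "[]") s=ok ;; *) s=bad ;; esac
    report "$s" "stock lock shortcut cleared (screensaver=${v:-unset})" || fails=$((fails + 1))

    v=$(printf '%s\n' "$2" | gs_value "$mk" custom-keybindings)
    case "$v" in *"/custom-keybindings/custom0/"*) s=ok ;; *) s=bad ;; esac
    report "$s" "custom0 keybinding registered" || fails=$((fails + 1))

    exit "$fails"
)

# Constructed sample dumps (not captured from a real machine): the greeter is
# hardened, but the desktop user still has the default <Super>l lock shortcut.
SAMPLE_GDM='org.gnome.login-screen disable-user-list true'
SAMPLE_USER="org.gnome.settings-daemon.plugins.media-keys screensaver ['<Super>l']
org.gnome.settings-daemon.plugins.media-keys custom-keybindings @as []"

audit_lock_hardening "$SAMPLE_GDM" "$SAMPLE_USER" || echo "$? check(s) failed"
```

The check covers only the three settings; the Alt+Ctrl+F2 loophole mentioned in the post is not a setting and is not detected by it.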

I did some reading on GNOME and did some talking on Discord on that matter, and it’s all because the lock screen is a part of a session and the login screen is not. The way folks at GNOME thought it to work leaves no straight solution to my problem. All the possible workarounds are not worth it. It’s a shame, imho. I know that for some it might be nothing, but the strict rules in the organization I work for do not allow the username (real or pretty) to be visible on the login/lock screen.

How about this:

busctl call org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User${UID} \
    org.freedesktop.Accounts.User SetRealName s " "

Nice and simple workaround as for the visual part of the issue. Still, it is enough to “guess” the password and you’re in, as opposed to having to figure out both user/pass. :slight_smile:

1 Like

Technically the username is not the second factor, so the problem is in the size of the resulting entropy, which can be increased by using a stronger password; otherwise you should consider setting up a proper MFA.

1 Like