Bug 130596 - last user preselection disobeys user visibility
Status: RESOLVED INTENTIONAL
Alias: None
Product: kdm
Classification: Miscellaneous
Component: general (show other bugs)
Version: unspecified
Platform: openSUSE Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdm bugs tracker
Reported: 2006-07-11 08:20 UTC by Maciej Pilichowski
Modified: 2008-05-19 17:30 UTC
Description Maciej Pilichowski 2006-07-11 08:20:34 UTC
Version:            (using KDE KDE 3.5.3)
Installed from:    SuSE RPMs

I still don't know an obvious way to reproduce it, but from time to time when I switch or lock&switch the user, KDM shows up with "login" filled with... a hidden account -- root. I mean, the password is not given.
Comment 1 Oswald Buddenhagen 2006-07-11 08:28:47 UTC
if you are hiding users by minimal id, root will still be shown; this is on purpose, you have to hide him explicitly.
however, this would be consistent and not "from time to time". please clarify.
Comment 2 Maciej Pilichowski 2006-07-11 08:40:06 UTC
> if you are hiding users by minimal id, root will still be shown; this is on
> purpose, you have to hide him explicitly.

Well, I don't know if I did it -- I set it to show only me (macias) and guest (guest). So normally only two accounts are visible. But from time to time -- let's say once per 7 switches -- there are still two accounts on the left, but in the "login" "edit-box" "root" is suggested. Why KDM suggests on the switch that I should log in as root, I don't know; what's more -- if this account is hidden (left pane) it should not suggest it either, right?
Comment 3 Maciej Pilichowski 2006-09-28 21:33:35 UTC
Turn on the computer, wait till KDE is loaded and you are logged in. Start a new session. Look at the public user names (I have 3: me, guest and postgres -- the last is temporary). Log in as a hidden user, for example root. When the session is opened, turn off the computer. Turn it on again. Wait for KDE, start a new session --> "root" is suggested by KDM.
Comment 4 Oswald Buddenhagen 2007-07-07 19:27:51 UTC
i thought a bit about this.
- from a security pov, this is irrelevant - preselecting *any* user is silly: once the attacker is on the system, he can find about any other account anyway.
- from a usability pov, i'm not sure. the filter is an "accelerator" - it shortens the time needed to load the user list and to actually pick a user. so one can argue that preselecting a user not in the list is counterproductive, as it is unlikely that he'll login again in a row. otoh, this simply *is* an independent feature, so adding more logic might be unexpected if not annoying. on top of that, you can actually pick the user you want from the list or just activate autocompletion, which *does* obey the filter, thus regaining most of the would-be lost efficiency.
that is, i'm not convinced. i'm open to new arguments, but as it stands now, i won't change anything.
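As an added illustration (not from the bug report or from kdm's own files), here is a kdmrc greeter fragment showing the list filter the reporter describes next to the preselection setting the thread is actually about; the key names and values are kdm's documented [X-*-Greeter] options, and the user names are constructed.

```ini
# Added example (not from the bug report or from kdm's own files): a kdmrc
# [X-*-Greeter] fragment. Key names and values are kdm's documented greeter
# options; the user names are constructed for illustration.
[X-*-Greeter]
UserList=true

# Only the listed accounts appear in the user list and in auto-completion.
# The list filter is an accelerator only: it does not govern the login
# field, so it says nothing about which name the greeter pre-fills.
ShowUsers=Selected
SelectedUsers=macias,guest

# If NotHidden mode is used instead, root is still listed unless excluded
# by name, because the minimum-UID filter does not cover UID 0 (comment 1):
#ShowUsers=NotHidden
#MinShowUID=1000
#HiddenUsers=root

# The setting the report is really about. "Previous" pre-fills the last
# successful login, whether or not that account is in the list above.
# "None" leaves the field empty, so a hidden account is never echoed there.
#PreselectUser=Previous
PreselectUser=None
```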
Comment 5 Maciej Pilichowski 2007-07-07 20:31:53 UTC
Bottom line is:
the settings are crystal-clear "do NOT show this user", and KDM's answer is "what the heck, I will SHOW this user". KDM acts against the user's explicit will.

For me it is an obvious bug, if it is not -- please remove this "visible" flag from settings because it is ignored anyway.

"Unrelated" note:
> - from a security pov, this is irrelevant - preselecting *any* user is
> silly: once the attacker is on the system, 

But she/he is not. Maybe she/he got only 2 seconds, pressed a key, and saw a hidden account on the list. She/he saw it because KDM revealed it.
 
Comment 6 Oswald Buddenhagen 2007-07-07 20:59:20 UTC
you are "slightly" overreacting. nothing in the setup screen indicates that the user list relates to the preselection setting; they are on different tabs and nothing suggests a relation. the documentation of ShowUsers and related options is pretty explicit about the effect - and the docu of the kcm_kdm users tab is so obviously outdated and inapplicable that nobody would even know what is meant anyway. so no matter how you twist it, it is *not* a bug, it is at most a missing feature.

regarding your "unrelated note", you just didn't get it. it is *irrelevant* which account the attacker gets to know about - he can crack that one. and once he is "in", he can effortlessly find further victims. so what difference does it make to you?
Comment 7 Maciej Pilichowski 2007-07-07 22:01:17 UTC
Oswald, I am completely lost about the first paragraph. I am only saying what I see on the screen. And I see "DO NOT SHOW A", and the program SHOWS A. Is this a missing feature? I didn't refer to any doc, besides I didn't read any.

> it is *irrelevant* which account the attacker gets to know about - he can
> crack that one. and once he is "in", he can effortlessly find further
> victims. so what difference does it make to you? 

I am not a security expert but I have a different opinion. One bit more the attacker knows about my system makes the system one bit easier to crack. So it does make a difference. I would like to see the system a bit more secure than insecure. And besides, the difference is this: the attacker could know about a regular user vs. an admin user. This piece of information is valuable too.
 
============================================================================

Let's go to basic things:
Do you agree with me there is a setting related to revealing (visually) the login names during the process of logging in? Do you think this setting should be ignored or not?

About overreacting, sorry, I hope I didn't insult you in any way. I am pretty calm about this issue, however I would like to see well polished DM. I can contribute currently only by sending reports (and discussing them).
Comment 8 Oswald Buddenhagen 2007-08-27 09:44:20 UTC
> Do you agree with me there is a setting related to revealing (visually)
> the login names during the process of logging in?
>
no.
there are settings for selecting users for listing and auto-completion.
actually, i think i'll change the naming from "not hidden" to "not excluded" - that's more complementary to "selected".
Comment 9 Maciej Pilichowski 2007-08-27 13:36:37 UTC
In my version there is a label, quote, "hidden users".

And here is (quote from documentation) explanation why bother with such settings:
"If you do not check this box, no list will be shown. This is the most secure setting, since an attacker would then have to guess a valid login name as well as a password."

It refers to the list, but the reason is clear -- it is more secure to force the user to enter both login+password, not only the password.

I think this report qualifies for reopen but rather as a wish -- since there is no explicit explanation of "hidden users" impact on suggesting users.