Prevent users from switching to virtual terminals via Ctrl+Alt+F1 through F6, useful for kiosk mode, exam stations, and restricted environments.
Table of Contents#
- Overview
- Use Cases
- X11 Methods
- Wayland Methods
- systemd-logind Configuration
- Kernel-Level Methods
- Display Manager Configuration
- Security Considerations
- Troubleshooting
- See Also
- Sources
1. Overview#
Linux provides virtual terminals (VTs), typically on tty1 through tty6, accessible via Ctrl+Alt+F1 through Ctrl+Alt+F6. The graphical session usually runs on tty1 or tty7 depending on the distribution and display manager. Switching between VTs can be disabled at multiple levels:
| Level | Method | Scope |
|---|---|---|
| X11 server | setxkbmap or xorg.conf | Current X session only |
| Wayland compositor | Compositor-specific config | Current Wayland session only |
| systemd-logind | logind.conf | System-wide, all sessions |
| Kernel/systemd | Mask getty services | System-wide, removes VT login prompts |
| Display manager | GDM/SDDM configuration | Login screen and sessions |
Multiple methods can be combined for defense in depth.
2. Use Cases#
- Kiosk systems: prevent users from escaping the kiosk application to a terminal
- Exam workstations: restrict students to the exam application only
- Public terminals: libraries, information points, self-service stations
- Security hardening: reduce attack surface by removing interactive console access
- Presentation systems: prevent accidental VT switching during demos
3. X11 Methods#
3.1 Runtime (setxkbmap)#
Disable VT switching for the current X session:
setxkbmap -option srvrkeys:noneRe-enable VT switching:
setxkbmap -option ''Note: Resetting with
setxkbmap -option ''clears all xkb options (e.g.,caps:ctrl_modifier). Re-apply other options afterwards if needed.
3.2 Persistent (xorg.conf)#
Create a configuration file that persists across reboots:
# /etc/X11/xorg.conf.d/99-no-vt-switch.conf
Section "ServerFlags"
Option "DontVTSwitch" "true"
EndSectionThis can also be placed in ~/.xinitrc if using startx:
# ~/.xinitrc
setxkbmap -option srvrkeys:none
exec your-window-manager4. Wayland Methods#
Wayland compositors handle VT switching independently. The method varies by compositor.
4.1 GNOME (Mutter)#
GNOME on Wayland does not expose a direct setting to disable VT switching. Use the systemd-logind method (Section 5) or disable the getty services (Section 6).
Alternatively, use dconf to disable the keyboard shortcut (GNOME-specific, does not prevent programmatic switching):
# Disable switch-to-session shortcuts
gsettings set org.gnome.mutter.keybindings switch-monitor "[]"4.2 KDE Plasma (KWin)#
KDE Plasma on Wayland defers VT switching to logind. Disable via the systemd-logind method (Section 5).
4.3 Sway / wlroots-based Compositors#
Sway and other wlroots compositors can have VT switching disabled by not binding the switch keys. In ~/.config/sway/config, ensure no bindsym lines map to swaymsg exec chvt:
# Do NOT include lines like:
# bindsym Ctrl+Alt+F1 exec swaymsg -- chvt 1wlroots compositors use libseat for VT management. Disabling at the logind level (Section 5) is the most reliable approach.
4.4 Hyprland#
Similar to Sway, remove or do not add any VT switch keybindings. Combine with the logind method for full coverage.
5. systemd-logind Configuration#
systemd-logind manages VT allocation and switching. This method works for both X11 and Wayland.
# /etc/systemd/logind.conf.d/no-vt-switch.conf
[Login]
NAutoVTs=0
ReserveVT=0| Setting | Default | Effect when set to 0 |
|---|---|---|
NAutoVTs | 6 | Number of VTs to automatically spawn getty on; 0 disables auto-spawning |
ReserveVT | 6 | VT to always keep a getty on; 0 disables the reserved VT |
Apply without reboot:
sudo systemctl restart systemd-logindWarning: Restarting
systemd-logindwill terminate all user sessions (including the current graphical session). Schedule this change for a maintenance window or apply it before the graphical session starts.
6. Kernel-Level Methods#
6.1 Mask Getty Services#
Prevent login prompts on all virtual terminals by masking the getty services:
# Disable all VT gettys
sudo systemctl mask getty@tty{2..6}.service
# Re-enable if needed
sudo systemctl unmask getty@tty{2..6}.serviceNote: Keep
getty@tty1unmasked if the display manager launches on tty1, or if you need emergency console access.
6.2 Kernel Parameters#
Kernel boot parameters can limit console behavior:
# /etc/default/grub
GRUB_CMDLINE_LINUX="console=tty1"This restricts kernel console output to tty1. It does not prevent VT switching by itself but limits where kernel messages appear.
To disable console blanking (screen going blank after idle, unrelated to VT switching but often configured alongside it):
GRUB_CMDLINE_LINUX="consoleblank=0"Regenerate the GRUB config after changes:
sudo grub-mkconfig -o /boot/grub/grub.cfgFor systemd-boot, add the parameters to the relevant entry in /boot/loader/entries/.
7. Display Manager Configuration#
7.1 GDM (GNOME Display Manager)#
GDM can be configured to disable VT switching on the login screen:
# /etc/gdm/custom.conf (or /etc/gdm3/custom.conf on Debian)
[daemon]
InitialSetupEnable=false
[security]
DisallowTCP=trueGDM respects the logind NAutoVTs setting. Combining GDM with the logind method (Section 5) is recommended.
7.2 SDDM (KDE Display Manager)#
# /etc/sddm.conf.d/no-vt.conf
[General]
Numlock=none
[VirtualTerminal]
# Use a fixed VT for SDDM
VTNumber=1SDDM also respects logind settings. Disable VTs via logind for complete coverage.
7.3 LightDM#
# /etc/lightdm/lightdm.conf
[LightDM]
minimum-vt=1
[Seat:*]
allow-user-switching=false8. Security Considerations#
Disabling VT switching is a defense-in-depth measure, not a complete security boundary:
- A user with physical access can still boot from external media or reset the machine
Ctrl+Alt+Deletemay still trigger a reboot unless also disabled (maskctrl-alt-del.target)- SSH access is unaffected by VT restrictions
- Consider also disabling the Magic SysRq key for kiosk environments:
echo 0 > /proc/sys/kernel/sysrq
# Or persistently:
echo "kernel.sysrq = 0" > /etc/sysctl.d/90-disable-sysrq.confFor true kiosk lockdown, combine VT disabling with:
- Auto-login to a restricted user account
- Application launched in fullscreen/kiosk mode
- Disabled USB ports (if not needed) via udev rules
- BIOS/UEFI password to prevent boot media changes
- Encrypted disk to prevent offline data access
Troubleshooting#
| Issue | Cause | Solution |
|---|---|---|
VT switching still works after setxkbmap | Running under Wayland, not X11 | Use logind or compositor-specific method instead |
| Graphical session killed after logind restart | systemctl restart systemd-logind terminates sessions | Apply logind changes before starting the graphical session, or reboot |
| No login prompt on any terminal after masking gettys | All gettys masked, including the one used by the display manager | Unmask getty@tty1 or ensure the display manager is enabled |
consoleblank=0 does not prevent VT switching | consoleblank controls screen blanking timeout, not VT access | Use logind NAutoVTs=0 or xorg DontVTSwitch instead |
| Cannot recover from locked-out VT | All VTs disabled and graphical session crashed | Boot into recovery mode or use SSH to unmask gettys |
| GDM still shows user switcher | GDM user switching is separate from VT switching | Set allow-user-switching=false in GDM config or disable via dconf |