xrdp.ini(5)

xrdp.ini - Configuration file for xrdp(8)

This is the man page for xrdp.ini, the xrdp(8) configuration file. It is
composed of a number of sections, each consisting of a section name
enclosed in square brackets, followed by a list of <parameter>=<value>
lines.

xrdp.ini supports the following sections:

[Globals] - sets some global configuration settings for xrdp(8).

[Logging] - logging subsystem parameters

[Channels] - channel subsystem parameters

All options and values (except for file names and paths) are case
insensitive, and are described in detail below.

The options to be specified in the [Globals] section are the following:

address=ip address
    Specify xrdp listening address. If not specified, defaults to
    0.0.0.0 (all interfaces).

autorun=session_name
    Section name for automatic login. If set and the client supplies a
    valid username and password, the user will be logged in automatically
    using the connection specified by session_name.

    If session_name is empty, the LOGIN DOMAIN from the client will
    be used to select the section. If no domain name is supplied,
    the first suitable section will be used for automatic login.

bitmap_cache=[true|false]
    If set to 1, true or yes this option enables bitmap caching in
    xrdp(8).

bitmap_compression=[true|false]
    If set to 1, true or yes this option enables bitmap compression
    in xrdp(8).

bulk_compression=[true|false]
    If set to 1, true or yes this option enables compression of bulk
    data in xrdp(8).

certificate=/path/to/certificate

key_file=/path/to/private_key
    Set location of TLS certificate and private key. They must be
    written in PEM format. If not specified, defaults to
    /etc/xrdp/cert.pem, /etc/xrdp/key.pem.

    This parameter is effective only if security_layer is set to tls
    or negotiate.

channel_code=[true|false]
    If set to 0, false or no this option disables all channels in
    xrdp(8). See section CHANNELS below for more fine grained
    options.

crypt_level=[low|medium|high|fips]
    Regulate encryption level of Standard RDP Security. This parameter
    is effective only if security_layer is set to rdp or negotiate.

    Encryption in Standard RDP Security is controlled by two settings:
    Encryption Level and Encryption Method. The only supported
    Encryption Methods are 40BIT_ENCRYPTION and 128BIT_ENCRYPTION.
    56BIT_ENCRYPTION is not supported. This option controls
    the Encryption Level:

    low     All data sent from the client to the server is protected
            by encryption based on the maximum key strength supported
            by the client. This is the only level at which traffic
            sent by the server to the client is not encrypted.

    medium  All data sent between the client and the server is protected
            by encryption based on the maximum key strength
            supported by the client (client compatible).

    high    All data sent between the client and the server is protected
            by encryption based on the server's maximum key
            strength (server compatible).

    fips    All data sent between the client and server is protected
            using Federal Information Processing Standard 140-1 validated
            encryption methods. This level is required for
            Windows clients (mstsc.exe) if the client's group policy
            enforces FIPS-compliance mode.

fork=[true|false]
    If set to 1, true or yes, xrdp(8) forks a sub-process for each
    incoming connection instead of using threads.

hidelogwindow=[true|false]
    If set to 1, true or yes, xrdp will not show a window for log
    messages. If not specified, defaults to false.

max_bpp=[8|15|16|24|32]
    Limit the color depth by specifying the maximum number of bits
    per pixel. If not specified or set to 0, unlimited.

pamerrortxt=error_text
    Specify text passed to PAM when authentication failed. The maximum
    length is 256.

port=port
    Specify TCP port to listen on for incoming connections. The
    default for RDP is 3389.

require_credentials=[true|false]
    If set to 1, true or yes, xrdp requires clients to include username
    and password in the initial connection phase. In other words, xrdp
    doesn't allow clients to show the login screen if set to true. If
    not specified, defaults to false.

security_layer=[tls|rdp|negotiate]
    Regulate security methods. If not specified, defaults to negotiate.

    tls     Enhanced RDP Security is used. All security operations
            (encryption, decryption, data integrity verification,
            and server authentication) are implemented by TLS.

    rdp     Standard RDP Security, which is not safe from
            man-in-the-middle attack, is used. The encryption level of
            Standard RDP Security is controlled by crypt_level.

    negotiate
            Negotiate these security methods with clients.

ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
    Enables the specified SSL/TLS protocols. Values should be
    separated by commas. SSLv2 is always disabled. At least one protocol
    should be given to accept TLS connections. This parameter
    is effective only if security_layer is set to tls or negotiate.

tcp_keepalive=[true|false]
    Regulate if the listening socket uses socket option
    SO_KEEPALIVE. If set to 1, true or yes and the network connection
    disappears without closing messages, the connection will be
    closed.

tcp_nodelay=[true|false]
    Regulate if the listening socket uses socket option TCP_NODELAY.
    If set to 1, true or yes, no buffering will be performed in the
    TCP stack.

tcp_send_buffer_bytes=buffer_size

tcp_recv_buffer_bytes=buffer_size
    Specify send/recv buffer sizes in bytes. The default value
    depends on the operating system.

tls_ciphers=cipher_suite
    Specifies TLS cipher suite. The format of this parameter is
    the same as that accepted by the openssl(1) ciphers subcommand.

    (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')

    This parameter is effective only if security_layer is set to tls
    or negotiate.

use_fastpath=[input|output|both|none]
    If not specified, defaults to none.

black=000000

grey=c0c0c0

dark_grey=808080

blue=0000ff

dark_blue=00007f

white=ffffff

red=ff0000

green=00ff00

background=000000
    These options override the colors used internally by xrdp(8) to
    draw the login and log windows. Colors are defined using a
    hexadecimal (hex) notation for the combination of Red, Green,
    and Blue color values (RGB). The lowest value that can be given
    to one of the light sources is 0 (hex 00). The highest value is
    255 (hex FF).
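
Added example (not part of the xrdp man page or the xrdp project's code): a Python check of the [Globals] parameters above that decide how the connection is protected (address, security_layer, crypt_level, ssl_protocols), using the defaults this page documents. The function name audit_globals and the sample configuration are constructed, and treating SSLv3, TLSv1 and TLSv1.1 as legacy is an assumption of this example.

```python
import configparser

# Treating these protocol versions as legacy is this example's assumption;
# the man page only lists the names that ssl_protocols accepts.
LEGACY_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}

def audit_globals(ini_text):
    """Return (parameter, message) findings for the [Globals] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    # Section and option names are case insensitive in xrdp.ini.
    name = next((s for s in cp.sections() if s.lower() == "globals"), None)
    g = {k: v.strip().lower() for k, v in cp[name].items()} if name else {}
    findings = []

    if g.get("address", "0.0.0.0") == "0.0.0.0":        # documented default
        findings.append(("address", "listening on all interfaces"))

    layer = g.get("security_layer", "negotiate")         # documented default
    if layer in ("rdp", "negotiate"):
        findings.append(("security_layer",
                         f"'{layer}' permits Standard RDP Security (no MITM protection)"))
        level = g.get("crypt_level")
        if level == "low":
            findings.append(("crypt_level", "server-to-client traffic is not encrypted"))
        elif level == "medium":
            findings.append(("crypt_level", "key strength is capped by the client"))

    if layer in ("tls", "negotiate"):
        protos = [p.strip() for p in g.get("ssl_protocols", "").split(",")]
        for p in protos:
            if p in LEGACY_PROTOCOLS:
                findings.append(("ssl_protocols", f"legacy protocol enabled: {p}"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """
[Globals]
security_layer=negotiate
crypt_level=low
ssl_protocols=TLSv1, TLSv1.2, TLSv1.3
"""

if __name__ == "__main__":
    for param, msg in audit_globals(SAMPLE):
        print(f"{param}: {msg}")
```

A configuration with a specific listening address, security_layer=tls and only TLSv1.2 and TLSv1.3 in ssl_protocols produces no findings.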

The following parameters can be used in the [Logging] section:

LogFile=/var/log/xrdp.log
    This option contains the path to the log file. It can be either
    absolute or relative.

LogLevel=level
    This option can have one of the following values:

    CORE or 0 - Log only core messages. These messages are _always_
    logged, regardless of the logging level selected.

    ERROR or 1 - Log only error messages

    WARNING, WARN or 2 - Logs warnings and error messages

    INFO or 3 - Logs errors, warnings and informational messages

    DEBUG or 4 - Log everything. If sesman is compiled in debug
    mode, this option will output many more low-level messages,
    useful for developers

EnableSyslog=[true|false]
    If set to 1, true or yes this option enables logging to syslog.
    Otherwise syslog is disabled.

SyslogLevel=level
    This option sets the logging level for syslog. It can have the
    same values as LogLevel. If SyslogLevel is greater than
    LogLevel, its value is lowered to that of LogLevel.

The Remote Desktop Protocol supports several channels, which are used
to transfer additional data like sound, clipboard data and others.
Channel names not listed here will be blocked by xrdp. Not all channels
are supported in all cases, so setting a value to true is a prerequisite,
but does not force its use.
Channels can also be enabled or disabled on a per connection basis by
prefixing each setting with channel. in the channel section.

rdpdr=[true|false]
    If set to 1, true or yes using the RDP channel for device
    redirection is allowed.

rdpsnd=[true|false]
    If set to 1, true or yes using the RDP channel for sound is
    allowed.

drdynvc=[true|false]
    If set to 1, true or yes using the RDP channel to initiate
    additional dynamic virtual channels is allowed.

cliprdr=[true|false]
    If set to 1, true or yes using the RDP channel for clipboard
    redirection is allowed.

rail=[true|false]
    If set to 1, true or yes using the RDP channel for remote
    applications integrated locally (RAIL) is allowed.

xrdpvr=[true|false]
    If set to 1, true or yes using the RDP channel for XRDP Video
    streaming is allowed.

A connection section is made of a section name, enclosed in square
brackets, and the following entries:

name=<session name>
    The name displayed in xrdp(8) login window's combo box.

lib=../vnc/libvnc.so
    Sets the library to be used with this connection.

username=<username>|{base64}<base64-encoded-username>|ask
    Specifies the username used for authenticating in the connection.
    If set to ask, the user name should be provided in the login
    window.

    If the username includes comment symbols such as '#' or ';',
    the username can be provided in base64 form by prefixing it with
    "{base64}".

password=<password>|{base64}<base64-encoded-password>|ask
    Specifies the password used for authenticating in the connection.
    If set to ask, the password should be provided in the login
    window.

    Like username, this parameter can be provided in base64 form.
    See also the examples below.

ip=127.0.0.1
    Specifies the ip address of the host to connect to.

port=<number>|-1
    Specifies the port number to connect to. If set to -1, the
    default port for the specified library is used.

xserverbpp=<number>
    Specifies color depth of the backend X server. The default is
    the color depth of the client. Only Xvnc and X11rdp use that
    setting. Xorg runs at 24 bpp.

code=<number>|0
    Specifies the session type. The default, 0, is Xvnc, 10 is
    X11rdp, and 20 is Xorg with xorgxrdp modules.

This is an example xrdp.ini:

    [Globals]
    bitmap_cache=true
    bitmap_compression=true

    [Xorg]
    name=Xorg
    lib=libxup.so
    username=ask
    password=ask
    ip=127.0.0.1
    port=-1
    code=20

    [vnc-any]
    name=vnc-any
    lib=libvnc.so
    ip=ask
    port=ask5900
    username=na
    password={base64}cGFzc3dvcmQhCg==
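
Added example (not part of the xrdp man page or the xrdp project's code): the {base64} form of username= and password= is an encoding that lets values contain comment symbols, so a password stored this way is readable by anyone who can read xrdp.ini. This Python sketch lists connection sections that store a password in the file; the function names and the sample input, modelled on the example above, are constructed.

```python
import base64
import configparser

PREFIX = "{base64}"                       # prefix documented on this page
NON_CONNECTION = {"globals", "logging", "channels"}

def decode_value(value):
    """Return the plain value of a username= or password= entry."""
    if value.startswith(PREFIX):
        return base64.b64decode(value[len(PREFIX):]).decode("utf-8", "replace")
    return value

def stored_passwords(ini_text):
    """List connection sections whose password is stored in the file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    hits = []
    for section in cp.sections():
        if section.lower() in NON_CONNECTION:
            continue
        raw = cp[section].get("password", "").strip()
        if raw and raw.lower() != "ask":
            encoding = "base64" if raw.startswith(PREFIX) else "plain"
            # Report where the secret is and how it is encoded, not the secret.
            hits.append((section, encoding, len(decode_value(raw))))
    return hits

# Constructed sample modelled on the page's example file.
SAMPLE = """
[Xorg]
name=Xorg
username=ask
password=ask

[vnc-any]
name=vnc-any
username=na
password={base64}cGFzc3dvcmQhCg==
"""

if __name__ == "__main__":
    for section, encoding, length in stored_passwords(SAMPLE):
        print(f"[{section}] password stored in file ({encoding}, {length} characters)")
```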

/etc/xrdp/xrdp.ini

xrdp(8), sesman(8), sesrun(8), sesman.ini(5)

For more info on xrdp see http://www.xrdp.org/

xrdp team 0.9.11 xrdp.ini(5)