1xrdp.ini(5)                                                        xrdp.ini(5)
2
3
4

NAME

6       xrdp.ini - Configuration file for xrdp(8)
7
8

DESCRIPTION

10       This  is  the man page for xrdp.ini, xrdp(8) configuration file.  It is
11       composed by a number of sections, each one composed by a section  name,
12       enclosed  by square brackets, followed by a list of <parameter>=<value>
13       lines.
14
15       xrdp.ini supports the following sections:
16
17
18       [Globals] - sets some global configuration settings for xrdp(8).
19
20
21       [Logging] - logging subsystem parameters
22
23
24       [Channels] - channel subsystem parameters
25
26
27       All options and values (except for file names and paths) are  case  in‐
28       sensitive, and are described in detail below.
29
30

GLOBALS

32       The options to be specified in the [Globals] section are the following:
33
34
35       autorun=session_name
36              Section name for automatic login. If set and the client supplies
37              valid username and password, the user will be logged in automat‐
38              ically using the connection specified by session_name.
39
40              If  session_name is empty, the LOGIN DOMAIN from the client with
41              be used to select the section. If no domain  name  is  supplied,
42              the first suitable section will be used for automatic login.
43
44
45       bitmap_cache=[true|false]
46              If  set  to 1, true or yes this option enables bitmap caching in
47              xrdp(8).
48
49
50       bitmap_compression=[true|false]
51              If set to 1, true or yes this option enables bitmap  compression
52              in xrdp(8).
53
54
55       bulk_compression=[true|false]
56              If set to 1, true or yes this option enables compression of bulk
57              data in xrdp(8).
58
59
60       certificate=/path/to/certificate
61
62       key_file=/path/to/private_key
63              Set location of TLS certificate and private key.  They  must  be
64              written   in   PEM   format.   If  not  specified,  defaults  to
65              /etc/xrdp/cert.pem, /etc/xrdp/key.pem.
66
67              This parameter is effective only if security_layer is set to tls
68              or negotiate.
69
70
71       channel_code=[true|false]
72              If  set  to  0,  false  or  no this option disables all channels
73              xrdp(8).  See section CHANNELS below for more fine  grained  op‐
74              tions.
75
76
77       crypt_level=[low|medium|high|fips]
78              Regulate encryption level of Standard RDP Security.  This param‐
79              eter is effective only if security_layer is set to rdp or  nego‐
80              tiate.
81
82              Encryption  in  Standard  RDP Security is controlled by two set‐
83              tings: Encryption Level and Encryption Method.   The  only  sup‐
84              ported Encryption Method are 40BIT_ENCRYPTION and 128BIT_ENCRYP‐
85              TION. 56BIT_ENCRYPTION is not supported.  This  option  controls
86              the Encryption Level:
87
88               low    All data sent from the client to the server is protected
89                      by encryption based on the  maximum  key  strength  sup‐
90                      ported  by  the client.  This is the only level that the
91                      traffic sent by the server to client is not encrypted.
92
93               medium All data sent between the client and the server is  pro‐
94                      tected  by  encryption based on the maximum key strength
95                      supported by the client (client compatible).
96
97               high   All data sent between the client and the server is  pro‐
98                      tected  by  encryption based on the server's maximum key
99                      strength (sever compatible).
100
101               fips   All data sent between the client and server is protected
102                      using Federal Information Processing Standard 140-1 val‐
103                      idated encryption methods.  This level is  required  for
104                      Windows clients (mstsc.exe) if the client's group policy
105                      enforces FIPS-compliance mode.
106
107
108       fork=[true|false]
109              If set to 1, true or yes for each  incoming  connection  xrdp(8)
110              forks a sub-process instead of using threads.
111
112
113       hidelogwindow=[true|false]
114              If  set  to  1, true or yes, xrdp will not show a window for log
115              messages.  If not specified, defaults to false.
116
117
118       max_bpp=[8|15|16|24|32]
119              Limit the color depth by specifying the maximum number  of  bits
120              per pixel.  If not specified or set to 0, unlimited.
121
122
123       pamerrortxt=error_text
124              Specify text passed to PAM when authentication failed. The maxi‐
125              mum length is 256.
126
127
128       port=port
129              Specify TCP port and interface to listen on for incoming connec‐
130              tions.   Specifying only the port means that xrdp will listen on
131              all interfaces.  The default port for RDP is 3389.  Multiple ad‐
132              dress:port  instances  must  be  separated  by spaces or commas.
133              Check the .ini file for  examples.   Specifying  interfaces  re‐
134              quires said interfaces to be UP before xrdp starts.
135
136
137       require_credentials=[true|false]
138              If  set to 1, true or yes, xrdp will scan the user name provided
139              by the client for the ASCII field separator character (0x1F). It
140              will  then copy over what is after the separator as the password
141              supplied by the user and treats it as autologon. If  not  speci‐
142              fied, defaults to false.
143
144
145       omain_user_separator=arator
146              If  specified the domain name supplied by the client is appended
147              to the username separated by separator.
148
149
150       \nable_token_login=[true|false]
151              If set to 1, true or yes, xrdp requires clients to include user‐
152              name and password initial connection phase. In other words, xrdp
153              doesn't allow clients to show login screen if set  to  true.  If
154              not specified, defaults to false.
155
156
157       security_layer=[tls|rdp|negotiate]
158              Regulate security methods. If not specified, defaults to negoti‐
159              ate.
160
161               tls    Enhanced RDP Security is used. All  security  operations
162                      (encryption,  decryption,  data  integrity verification,
163                      and server authentication) are implemented by TLS.
164
165
166               rdp    Standard RDP Security, which is not  safe  from  man-in-
167                      the-middle  attack,  is  used.  The  encryption level of
168                      Standard RDP Security is controlled by crypt_level.
169
170
171               negotiate
172                      Negotiate these security methods with clients.
173
174
175       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
176              Enables the specified SSL/TLS protocols. Each  value  should  be
177              separated by comma.  SSLv2 is always disabled. At least one pro‐
178              tocol should be given to accept TLS connections.  This parameter
179              is effective only if security_layer is set to tls or negotiate.
180
181
182       tcp_keepalive=[true|false]
183              Regulate   if   the   listening   socket   uses   socket  option
184              SO_KEEPALIVE.  If set to 1, true or yes and the network  connec‐
185              tion disappears without closing messages, the connection will be
186              closed.
187
188
189       tcp_nodelay=[true|false]
190              Regulate if the listening socket uses socket option TCP_NODELAY.
191              If  set to 1, true or yes, no buffering will be performed in the
192              TCP stack.
193
194
195       tcp_send_buffer_bytes=buffer_size
196
197       tcp_recv_buffer_bytes=buffer_size
198              Specify send/recv buffer sizes in bytes.  The default value  de‐
199              pends on operating system.
200
201
202       tls_ciphers=cipher_suite
203              Specifies  TLS  cipher  suite.  The  format of this parameter is
204              equivalent to which openssl(1) ciphers subcommand accepts.
205
206              (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')
207
208              This parameter is effective only if security_layer is set to tls
209              or negotiate.
210
211
212       use_fastpath=[input|output|both|none]
213              If not specified, defaults to none.
214
215
216       black=000000
217
218       grey=c0c0c0
219
220       dark_grey=808080
221
222       blue=0000ff
223
224       dark_blue=00007f
225
226       white=ffffff
227
228       red=ff0000
229
230       green=00ff00
231
232       background=000000
233              These  options override the colors used internally by xrdp(8) to
234              draw the login and log windows.   Colors  are  defined  using  a
235              hexadecimal  (hex)  notation  for the combination of Red, Green,
236              and Blue color values (RGB).  The lowest value that can be given
237              to one of the light sources is 0 (hex 00).  The highest value is
238              255 (hex FF).
239
240

LOGGING

242       The following parameters can be used in the [Logging] section:
243
244
245       LogFile=/var/log/xrdp.log
246              This options contains the path to logfile. It can be either  ab‐
247              solute or relative.
248
249
250       LogLevel=level
251              This option can have one of the following values:
252
253              CORE  or 0 - Log only core messages. these messages are _always_
254              logged, regardless the logging level selected.
255
256              ERROR or 1 - Log only error messages
257
258              WARNING, WARN or 2 - Logs warnings and error messages
259
260              INFO or 3 - Logs errors, warnings and informational messages
261
262              DEBUG or 4 - Log everything. If xrdp-sesman is compiled in debug
263              mode, this options will output many more low-level message, use‐
264              ful for developers
265
266
267       EnableSyslog=[true|false]
268              If set to 1, true or yes this option enables logging to  syslog.
269              Otherwise syslog is disabled.
270
271
272       SyslogLevel=level
273              This  option  sets the logging level for syslog. It can have the
274              same  values  of  LogLevel.  If  SyslogLevel  is  greater   than
275              LogLevel, its value is lowered to that of LogLevel.
276
277
278       EnableConsole=[true|false]
279              If  set  to  1,  true or yes, this option enables logging to the
280              console (ie. stdout).
281
282
283       ConsoleLevel=level
284              Logging level for the console. It can have the  same  values  as
285              LogLevel. Defaults to DEBUG.
286
287
288       EnableProcessId=[true|false]
289              If  set  to  1,  true  or  yes,  this option enables logging the
290              process id in all log messages. Defaults to false.
291
292

CHANNELS

294       The Remote Desktop Protocol supports several channels, which  are  used
295       to  transfer  additional  data  like  sound, clipboard data and others.
296       Channel names not listed here will be blocked by xrdp.  Not  all  chan‐
297       nels  are  supported in all cases, so setting a value to true is a pre‐
298       requisite, but does not force its use.
299       Channels can also be enabled or disabled on a per connection  basis  by
300       prefixing each setting with channel. in the channel section.
301
302
303       rdpdr=[true|false]
304              If  set to 1, true or yes using the RDP channel for device redi‐
305              rection is allowed.
306
307
308       rdpsnd=[true|false]
309              If set to 1, true or yes using the RDP channel for sound is  al‐
310              lowed.
311
312
313       drdynvc=[true|false]
314              If set to 1, true or yes using the RDP channel to initiate addi‐
315              tional dynamic virtual channels is allowed.
316
317
318       cliprdr=[true|false]
319              If set to 1, true or yes using the RDP channel for clipboard re‐
320              direction is allowed.
321
322
323       rail=[true|false]
324              If set to 1, true or yes using the RDP channel for remote appli‐
325              cations integrated locally (RAIL) is allowed.
326
327
328       xrdpvr=[true|false]
329              If set to 1, true or yes using the RDP channel  for  XRDP  Video
330              streaming is allowed.
331
332

CONNECTIONS

334       A  connection  section  is  made  of a section name, enclosed in square
335       brackets, and the following entries:
336
337
338       name=<session name>
339              The name displayed in xrdp(8) login window's combo box.
340
341
342       lib=../vnc/libvnc.so
343              Sets the library to be used with this connection.
344
345
346       username=<username>|{base64}<base64-encoded-username>|ask
347              Specifies the username used for authenticating  in  the  connec‐
348              tion.   If set to ask, user name should be provided in the login
349              window.
350
351              If the username includes comment out symbols  such  as  '#',  or
352              ';',  the  username  can  be  provided  in base64 form prefixing
353              "{base64}".
354
355
356       password=<password>|{base64}<base64-encoded-password>|ask
357              Specifies the password used for authenticating  in  the  connec‐
358              tion.   If  set to ask, password should be provided in the login
359              window.
360
361              This parameter can be provided in base64 form as well  as  user‐
362              name. See also examples below.
363
364
365       ip=127.0.0.1
366              Specifies the ip address of the host to connect to.
367
368
369       port=<number>|-1
370              Specifies  the  port number to connect to. If set to -1, the de‐
371              fault port for the specified library is used.
372
373
374       xserverbpp=<number>
375              Specifies color depth of the backend X server.  The  default  is
376              the  color  depth  of  the client. Only Xvnc and X11rdp use that
377              setting. Xorg runs at 24 bpp.
378
379
380       disabled_encodings_mask=<number>
381              Set this bitmask to a non-zero value to prevent xrdp(8) request‐
382              ing  some features from the Xvnc server. You should only need to
383              set this to  a non-zero value to work around bugs in  your  Xvnc
384              server.  The  bit  values  supported for a particular release of
385              xrdp(8) are documented in xrdp.ini.
386
387
388       code=<number>|0
389              Specifies the session type. The  default,  0,  is  Xvnc,  10  is
390              X11rdp, and 20 is Xorg with xorgxrdp modules.
391
392
393       chansrvport=DISPLAY(n)|/path/to/domain-socket
394              Asks  xrdp  to  connect  to  a manually started xrdp-chansrv in‐
395              stance.  This can be useful if you wish to use to  use  xrdp  to
396              connect  to  a  VNC session which has been started other than by
397              xrdp-sesman, as you can then make use of xrdp-chansrv facilities
398              in the VNC session.
399
400              The  first form of this setting is recommended, replacing n with
401              the X11 display number of the session.
402
403

EXAMPLES

405       This is an example xrdp.ini:
406
407       [Globals]
408       bitmap_cache=true
409       bitmap_compression=true
410
411       [Xorg]
412       name=Xorg
413       lib=libxup.so
414       username=ask
415       password=ask
416       ip=127.0.0.1
417       port=-1
418       code=20
419
420       [vnc-any]
421       name=vnc-any
422       lib=libvnc.so
423       ip=ask
424       port=ask5900
425       username=na
426       password={base64}cGFzc3dvcmQhCg==
427
428

FILES

430       /etc/xrdp/xrdp.ini
431
432

SEE ALSO

434       xrdp(8), xrdp-chansrv(8), xrdp-sesman(8), xrdp-sesrun(8), sesman.ini(5)
435
436       For more info on xrdp see ⟨http://www.xrdp.org/
437
438
439
440xrdp team                           0.9.21                         xrdp.ini(5)
Impressum