xrdp.ini(5)                                                        xrdp.ini(5)

NAME
       xrdp.ini - Configuration file for xrdp(8)

DESCRIPTION
       This is the man page for xrdp.ini, the xrdp(8) configuration file. It
       consists of a number of sections, each made up of a section name,
       enclosed in square brackets, followed by a list of <parameter>=<value>
       lines.

       xrdp.ini supports the following sections:

       [Globals] - sets some global configuration settings for xrdp(8).

       [Logging] - logging subsystem parameters

       [Channels] - channel subsystem parameters

       All options and values (except for file names and paths) are case
       insensitive, and are described in detail below.

GLOBALS
       The options to be specified in the [Globals] section are the following:

       autorun=session_name
              Section name for automatic login. If set and the client supplies
              a valid username and password, the user will be logged in
              automatically using the connection specified by session_name.

              If session_name is empty, the LOGIN DOMAIN from the client will
              be used to select the section. If no domain name is supplied,
              the first suitable section will be used for automatic login.

       bitmap_cache=[true|false]
              If set to 1, true or yes this option enables bitmap caching in
              xrdp(8).

       bitmap_compression=[true|false]
              If set to 1, true or yes this option enables bitmap compression
              in xrdp(8).

       bulk_compression=[true|false]
              If set to 1, true or yes this option enables compression of bulk
              data in xrdp(8).

       certificate=/path/to/certificate

       key_file=/path/to/private_key
              Set the location of the TLS certificate and private key. They
              must be in PEM format. If not specified, the defaults are
              /etc/xrdp/cert.pem and /etc/xrdp/key.pem.

              This parameter is effective only if security_layer is set to tls
              or negotiate.

       channel_code=[true|false]
              If set to 0, false or no this option disables all channels in
              xrdp(8). See section CHANNELS below for more fine grained
              options.

       crypt_level=[low|medium|high|fips]
              Regulate the encryption level of Standard RDP Security. This
              parameter is effective only if security_layer is set to rdp or
              negotiate.

              Encryption in Standard RDP Security is controlled by two
              settings: Encryption Level and Encryption Method. The only
              supported Encryption Methods are 40BIT_ENCRYPTION and
              128BIT_ENCRYPTION. 56BIT_ENCRYPTION is not supported. This
              option controls the Encryption Level:

              low    All data sent from the client to the server is protected
                     by encryption based on the maximum key strength supported
                     by the client. This is the only level at which traffic
                     sent from the server to the client is not encrypted.

              medium All data sent between the client and the server is
                     protected by encryption based on the maximum key strength
                     supported by the client (client compatible).

              high   All data sent between the client and the server is
                     protected by encryption based on the server's maximum key
                     strength (server compatible).

              fips   All data sent between the client and server is protected
                     using Federal Information Processing Standard 140-1
                     validated encryption methods. This level is required for
                     Windows clients (mstsc.exe) if the client's group policy
                     enforces FIPS-compliance mode.

       fork=[true|false]
              If set to 1, true or yes, for each incoming connection xrdp(8)
              forks a sub-process instead of using threads.

       hidelogwindow=[true|false]
              If set to 1, true or yes, xrdp will not show a window for log
              messages. If not specified, defaults to false.

       max_bpp=[8|15|16|24|32]
              Limit the color depth by specifying the maximum number of bits
              per pixel. If not specified or set to 0, unlimited.

       pamerrortxt=error_text
              Specify the text passed to PAM when authentication fails. The
              maximum length is 256.

       port=port
              Specify the TCP port and interface to listen on for incoming
              connections. Specifying only the port means that xrdp will
              listen on all interfaces. The default port for RDP is 3389.
              Multiple address:port instances must be separated by spaces or
              commas. Check the .ini file for examples. Specifying interfaces
              requires said interfaces to be UP before xrdp starts.

       require_credentials=[true|false]
              If set to 1, true or yes, xrdp requires clients to include the
              username and password in the initial connection phase. In other
              words, xrdp does not allow clients to show the login screen if
              set to true. If not specified, defaults to false.

       domain_user_separator=separator
              If specified, the domain name supplied by the client is appended
              to the username, separated by separator.

       enable_token_login=[true|false]
              If set to 1, true or yes, xrdp will scan the user name provided
              by the client for the ASCII field separator character (0x1F). It
              will then copy what follows the separator as the password
              supplied by the user and treat it as autologon. If not
              specified, defaults to false.

       security_layer=[tls|rdp|negotiate]
              Regulate security methods. If not specified, defaults to
              negotiate.

              tls    Enhanced RDP Security is used. All security operations
                     (encryption, decryption, data integrity verification, and
                     server authentication) are implemented by TLS.

              rdp    Standard RDP Security, which is not safe from
                     man-in-the-middle attacks, is used. The encryption level
                     of Standard RDP Security is controlled by crypt_level.

              negotiate
                     Negotiate these security methods with clients.

       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
              Enables the specified SSL/TLS protocols. Values must be
              separated by commas. SSLv2 is always disabled. At least one
              protocol should be given to accept TLS connections. This
              parameter is effective only if security_layer is set to tls or
              negotiate.

              SSLv3, TLSv1 and TLSv1.1 are formally deprecated (RFC 7568 and
              RFC 8996); on a hardened server list only TLSv1.2 and TLSv1.3.

       tcp_keepalive=[true|false]
              Regulate whether the listening socket uses the socket option
              SO_KEEPALIVE. If set to 1, true or yes and the network
              connection disappears without closing messages, the connection
              will be closed.

       tcp_nodelay=[true|false]
              Regulate whether the listening socket uses the socket option
              TCP_NODELAY. If set to 1, true or yes, no buffering will be
              performed in the TCP stack.

       tcp_send_buffer_bytes=buffer_size

       tcp_recv_buffer_bytes=buffer_size
              Specify send/recv buffer sizes in bytes. The default value
              depends on the operating system.

       tls_ciphers=cipher_suite
              Specifies the TLS cipher suite. The format of this parameter is
              the one accepted by the openssl(1) ciphers subcommand.

              (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')

              This parameter is effective only if security_layer is set to tls
              or negotiate.
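
       The transport options above interact: crypt_level only matters while
       Standard RDP Security can still be chosen (security_layer rdp or
       negotiate), and ssl_protocols only while TLS can be chosen (tls or
       negotiate). The script below is an added example, not part of xrdp: it
       reads an xrdp.ini with Python's configparser and reports the weak
       combinations described in this section, plus [Channels] entries that
       move files or clipboard data (see CHANNELS below). The function names,
       severities and the two embedded configurations are this example's own,
       and it assumes channels stay enabled when channel_code is absent.

```python
"""Audit the [Globals] and [Channels] sections of an xrdp.ini for weak
transport settings.  Added example, not part of xrdp; the two configurations
at the bottom are constructed for illustration."""
import configparser
from typing import Dict, List, Tuple

# ssl_protocols values xrdp accepts that are formally deprecated
# (SSLv3: RFC 7568; TLSv1 and TLSv1.1: RFC 8996).
DEPRECATED_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}

# Channels that move files or clipboard data between client and session.
DATA_CHANNELS = {"rdpdr": "device redirection", "cliprdr": "clipboard redirection"}

Finding = Tuple[str, str, str]  # (severity, option, message)


def truthy(value: str) -> bool:
    """xrdp treats 1, true and yes (any case) as 'on'."""
    return value.strip().lower() in {"1", "true", "yes"}


def _section(cp: configparser.ConfigParser, name: str) -> Dict[str, str]:
    return dict(cp[name]) if cp.has_section(name) else {}


def audit_xrdp_ini(text: str) -> List[Finding]:
    """Return (severity, option, message) findings for one xrdp.ini text."""
    # xrdp.ini uses '#'/';' comment lines and case-insensitive option names,
    # matching configparser's defaults (option names are lower-cased).
    # interpolation=None keeps any '%' in values literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = _section(cp, "Globals")
    ch = _section(cp, "Channels")
    findings: List[Finding] = []

    # security_layer defaults to negotiate when absent.
    layer = g.get("security_layer", "negotiate").strip().lower()
    if layer == "rdp":
        findings.append(("HIGH", "security_layer",
                         "Standard RDP Security only: no server authentication, "
                         "exposed to man-in-the-middle; set tls"))
    elif layer == "negotiate":
        findings.append(("MEDIUM", "security_layer",
                         "negotiate lets the client pick Standard RDP Security; "
                         "set tls to refuse it"))

    # crypt_level only applies when Standard RDP Security can be used.
    if layer in {"rdp", "negotiate"} and \
            g.get("crypt_level", "").strip().lower() == "low":
        findings.append(("HIGH", "crypt_level",
                         "low: server-to-client traffic is not encrypted"))

    # ssl_protocols only applies when TLS can be used.
    if layer in {"tls", "negotiate"} and "ssl_protocols" in g:
        protos = {p.strip().lower() for p in g["ssl_protocols"].split(",")
                  if p.strip()}
        if not protos:
            findings.append(("HIGH", "ssl_protocols",
                             "empty: no TLS connection will be accepted"))
        for proto in sorted(protos & DEPRECATED_PROTOCOLS):
            findings.append(("MEDIUM", "ssl_protocols",
                             f"{proto} is deprecated; allow only TLSv1.2 and TLSv1.3"))

    # channel_code=false in [Globals] disables every channel; when it is
    # absent this example assumes channels stay enabled.
    if truthy(g.get("channel_code", "true")):
        for name, purpose in DATA_CHANNELS.items():
            if truthy(ch.get(name, "false")):
                findings.append(("INFO", name,
                                 f"{purpose} enabled: files or clipboard data "
                                 "can leave the session"))
    return findings


# Constructed sample: a weak configuration ...
WEAK_INI = """\
[Globals]
port=3389
security_layer=negotiate
crypt_level=low
ssl_protocols=SSLv3, TLSv1, TLSv1.2

[Channels]
rdpdr=true
cliprdr=true
"""

# ... and the corrected one (channels switched off globally).
HARDENED_INI = """\
[Globals]
port=3389
security_layer=tls
ssl_protocols=TLSv1.2, TLSv1.3
certificate=/etc/xrdp/cert.pem
key_file=/etc/xrdp/key.pem
channel_code=false

[Channels]
rdpdr=true
cliprdr=true
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for sev, opt, msg in audit_xrdp_ini(ini):
            print(f"{sev:6} {opt}: {msg}")
```

       Point the script at a real file with audit_xrdp_ini(open(path).read());
       the file permissions of key_file and the strength of tls_ciphers are
       deliberately left to openssl(1) and the filesystem, which this check
       does not inspect.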

       use_fastpath=[input|output|both|none]
              If not specified, defaults to none.

       black=000000

       grey=c0c0c0

       dark_grey=808080

       blue=0000ff

       dark_blue=00007f

       white=ffffff

       red=ff0000

       green=00ff00

       background=000000
              These options override the colors used internally by xrdp(8) to
              draw the login and log windows. Colors are defined using
              hexadecimal (hex) notation for the combination of Red, Green and
              Blue color values (RGB). The lowest value that can be given to
              one of the light sources is 0 (hex 00). The highest value is 255
              (hex FF).

LOGGING
       The following parameters can be used in the [Logging] section:

       LogFile=/var/log/xrdp.log
              This option contains the path to the log file. It can be either
              absolute or relative.

       LogLevel=level
              This option can have one of the following values:

              CORE or 0 - Log only core messages. These messages are _always_
              logged, regardless of the logging level selected.

              ERROR or 1 - Log only error messages

              WARNING, WARN or 2 - Logs warnings and error messages

              INFO or 3 - Logs errors, warnings and informational messages

              DEBUG or 4 - Log everything. If xrdp-sesman is compiled in debug
              mode, this option will output many more low-level messages,
              useful for developers

       EnableSyslog=[true|false]
              If set to 1, true or yes this option enables logging to syslog.
              Otherwise syslog is disabled.

       SyslogLevel=level
              This option sets the logging level for syslog. It can have the
              same values as LogLevel. If SyslogLevel is greater than
              LogLevel, its value is lowered to that of LogLevel.

       EnableConsole=[true|false]
              If set to 1, true or yes, this option enables logging to the
              console (i.e. stdout).

       ConsoleLevel=level
              Logging level for the console. It can have the same values as
              LogLevel. Defaults to DEBUG.

       EnableProcessId=[true|false]
              If set to 1, true or yes, this option enables logging the
              process id in all log messages. Defaults to false.

CHANNELS
       The Remote Desktop Protocol supports several channels, which are used
       to transfer additional data like sound, clipboard data and others.
       Channel names not listed here will be blocked by xrdp. Not all channels
       are supported in all cases, so setting a value to true is a
       prerequisite, but does not force its use.

       Channels can also be enabled or disabled on a per connection basis by
       prefixing each setting with channel. in the connection section.

       rdpdr=[true|false]
              If set to 1, true or yes, using the RDP channel for device
              redirection is allowed.

       rdpsnd=[true|false]
              If set to 1, true or yes, using the RDP channel for sound is
              allowed.

       drdynvc=[true|false]
              If set to 1, true or yes, using the RDP channel to initiate
              additional dynamic virtual channels is allowed.

       cliprdr=[true|false]
              If set to 1, true or yes, using the RDP channel for clipboard
              redirection is allowed.

       rail=[true|false]
              If set to 1, true or yes, using the RDP channel for remote
              applications integrated locally (RAIL) is allowed.

       xrdpvr=[true|false]
              If set to 1, true or yes, using the RDP channel for XRDP video
              streaming is allowed.

CONNECTION SECTIONS
       A connection section is made of a section name, enclosed in square
       brackets, and the following entries:

       name=<session name>
              The name displayed in the xrdp(8) login window's combo box.

       lib=../vnc/libvnc.so
              Sets the library to be used with this connection.

       username=<username>|{base64}<base64-encoded-username>|ask
              Specifies the username used for authenticating in the
              connection. If set to ask, the user name must be provided in the
              login window.

              If the username includes comment characters such as '#' or ';',
              it can be provided in base64 form with the "{base64}" prefix.

       password=<password>|{base64}<base64-encoded-password>|ask
              Specifies the password used for authenticating in the
              connection. If set to ask, the password must be provided in the
              login window.

              This parameter can be provided in base64 form in the same way as
              username. See also the examples below.
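
       The {base64} form exists to protect values containing comment
       characters; it is an encoding, not encryption, so anyone who can read
       xrdp.ini recovers the credential. The helpers below are an added
       example, not xrdp code: they encode a value only when it needs the
       prefix and decode what the file actually stores. Decoding the password
       from the EXAMPLES section, {base64}cGFzc3dvcmQhCg==, yields "password!"
       followed by a newline, which is what `echo secret | base64` produces
       when -n is forgotten; the encoder here never adds one. The function
       names and sample values are this example's own.

```python
"""Encode/decode xrdp.ini credential values carrying the {base64} prefix.
Added example, not xrdp code; the sample values are constructed."""
import base64
import binascii

PREFIX = "{base64}"
# '#' and ';' start comments in xrdp.ini, so a value containing them must be
# base64-encoded to survive parsing.
COMMENT_CHARS = frozenset("#;")


def needs_encoding(value: str) -> bool:
    """True when the literal value would be misread by the ini parser."""
    return bool(COMMENT_CHARS & set(value)) or value.startswith(PREFIX)


def encode_ini_value(value: str) -> str:
    """Return the value to write into xrdp.ini for a literal credential.

    The bytes encoded are exactly the credential: no trailing newline, which
    is the classic mistake when the value is produced with `echo | base64`.
    """
    if not needs_encoding(value):
        return value
    return PREFIX + base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_ini_value(value: str) -> str:
    """Recover the literal credential from a value read out of xrdp.ini."""
    if not value.startswith(PREFIX):
        return value
    try:
        raw = base64.b64decode(value[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed {PREFIX} value: {exc}") from exc
    return raw.decode("utf-8")


if __name__ == "__main__":
    # Constructed credential containing both comment characters.
    secret = "p#ss;word"
    stored = encode_ini_value(secret)
    print("stored as:", stored)
    print("reads back:", decode_ini_value(stored) == secret)
    # The value from the EXAMPLES section carries a trailing newline.
    print(repr(decode_ini_value("{base64}cGFzc3dvcmQhCg==")))
```

       A value that is neither a credential nor a comment character problem,
       such as ask, passes through unchanged, so the helpers can be applied to
       every username and password entry in a file.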

       ip=127.0.0.1
              Specifies the IP address of the host to connect to.

       port=<number>|-1
              Specifies the port number to connect to. If set to -1, the
              default port for the specified library is used.

       xserverbpp=<number>
              Specifies the color depth of the backend X server. The default
              is the color depth of the client. Only Xvnc and X11rdp use this
              setting. Xorg runs at 24 bpp.

       disabled_encodings_mask=<number>
              Set this bitmask to a non-zero value to prevent xrdp(8)
              requesting some features from the Xvnc server. You should only
              need to set this to a non-zero value to work around bugs in your
              Xvnc server. The bit values supported for a particular release
              of xrdp(8) are documented in xrdp.ini.

       code=<number>|0
              Specifies the session type. The default, 0, is Xvnc, 10 is
              X11rdp, and 20 is Xorg with xorgxrdp modules.

       chansrvport=DISPLAY(n)|/path/to/domain-socket
              Asks xrdp to connect to a manually started xrdp-chansrv
              instance. This can be useful if you wish to use xrdp to connect
              to a VNC session which has been started other than by
              xrdp-sesman, as you can then make use of xrdp-chansrv facilities
              in the VNC session.

              The first form of this setting is recommended, replacing n with
              the X11 display number of the session.

EXAMPLES
       This is an example xrdp.ini:

       [Globals]
       bitmap_cache=true
       bitmap_compression=true

       [Xorg]
       name=Xorg
       lib=libxup.so
       username=ask
       password=ask
       ip=127.0.0.1
       port=-1
       code=20

       [vnc-any]
       name=vnc-any
       lib=libvnc.so
       ip=ask
       port=ask5900
       username=na
       password={base64}cGFzc3dvcmQhCg==

FILES
       /etc/xrdp/xrdp.ini

SEE ALSO
       xrdp(8), xrdp-chansrv(8), xrdp-sesman(8), xrdp-sesrun(8), sesman.ini(5)

       For more info on xrdp see ⟨http://www.xrdp.org/⟩

xrdp team                         0.9.23.1                         xrdp.ini(5)