NAME¶
xrdp.ini - Configuration file for
xrdp(8)
DESCRIPTION¶
This is the man page for
xrdp.ini,
xrdp(8) configuration file. It
is composed by a number of sections, each one composed by a section name,
enclosed by square brackets, followed by a list of
<parameter>=
<value> lines.
xrdp.ini supports the following sections:
- [Globals] - sets some global configuration settings for
xrdp(8).
-
- [Logging] - logging subsystem parameters
-
- [Channels] - channel subsystem parameters
-
All options and values (except for file names and paths) are case insensitive,
and are described in detail below.
GLOBALS¶
The options to be specified in the
[Globals] section are the following:
- address=ip address
- Specify xrdp listening address. If not specified, defaults to 0.0.0.0 (all
interfaces).
- autorun=session_name
- Section name for automatic login. If set and the client supplies valid
username and password, the user will be logged in automatically using the
connection specified by session_name.
If session_name is empty, the LOGIN DOMAIN from the client
with be used to select the section. If no domain name is supplied, the
first suitable section will be used for automatic login.
- bitmap_cache=[true|false]
- If set to 1, true or yes this option enables bitmap
caching in xrdp(8).
- bitmap_compression=[true|false]
- If set to 1, true or yes this option enables bitmap
compression in xrdp(8).
- bulk_compression=[true|false]
- If set to 1, true or yes this option enables
compression of bulk data in xrdp(8).
- certificate=/path/to/certificate
- key_file=/path/to/private_key
- Set location of TLS certificate and private key. They must be written in
PEM format. If not specified, defaults to ${XRDP_CFG_DIR}/cert.pem,
${XRDP_CFG_DIR}/key.pem.
This parameter is effective only if security_layer is set to
tls or negotiate.
- channel_code=[true|false]
- If set to 0, false or no this option disables all
channels xrdp(8). See section CHANNELS below for more fine
grained options.
- crypt_level=[low|medium|high|fips]
- Regulate encryption level of Standard RDP Security. This parameter is
effective only if security_layer is set to rdp or
negotiate.
Encryption in Standard RDP Security is controlled by two settings:
Encryption Level and Encryption Method. The only supported
Encryption Method are 40BIT_ENCRYPTION and
128BIT_ENCRYPTION. 56BIT_ENCRYPTION is not supported. This
option controls the Encryption Level:
- low
- All data sent from the client to the server is protected by encryption
based on the maximum key strength supported by the client. This is the
only level that the traffic sent by the server to client is not
encrypted.
- medium
- All data sent between the client and the server is protected by encryption
based on the maximum key strength supported by the client (client
compatible).
- high
- All data sent between the client and the server is protected by encryption
based on the server's maximum key strength (sever compatible).
- fips
- All data sent between the client and server is protected using Federal
Information Processing Standard 140-1 validated encryption methods.
This level is required for Windows clients (mstsc.exe) if the client's
group policy enforces FIPS-compliance mode.
- disableSSLv3=[true|false]
- If set to 1, true or yes, xrdp will not accept
SSLv3 connections. If not specified, defaults to false. This
parameter is effective only if security_layer is set to tls
or negotiate.
- fork=[true|false]
- If set to 1, true or yes for each incoming connection
xrdp(8) forks a sub-process instead of using threads.
- hidelogwindow=[true|false]
- If set to 1, true or yes, xrdp will not show a
window for log messages. If not specified, defaults to false.
- max_bpp=[8|15|16|24|32]
- Limit the color depth by specifying the maximum number of bits per pixel.
If not specified or set to 0, unlimited.
- pamerrortxt=error_text
- Specify text passed to PAM when authentication failed. The maximum length
is 256.
- port=port
- Specify TCP port to listen on for incoming connections. The default for
RDP is 3389.
- require_credentials=[true|false]
- If set to 1, true or yes, xrdp requires
clients to include username and password initial connection phase. In
other words, xrdp doesn't allow clients to show login screen if set to
true. If not specified, defaults to false.
- security_layer=[tls|rdp|negotiate]
- Regulate security methods. If not specified, defaults to
negotiate.
- tls
- Enhanced RDP Security is used. All security operations (encryption,
decryption, data integrity verification, and server authentication) are
implemented by TLS.
- rdp
- Standard RDP Security, which is not safe from man-in-the-middle attack, is
used. The encryption level of Standard RDP Security is controlled by
crypt_level.
- negotiate
- Negotiate these security methods with clients.
- tcp_keepalive=[true|false]
- Regulate if the listening socket uses socket option SO_KEEPALIVE.
If set to 1, true or yes and the network connection
disappears without closing messages, the connection will be closed.
- tcp_nodelay=[true|false]
- Regulate if the listening socket uses socket option TCP_NODELAY. If
set to 1, true or yes, no buffering will be performed
in the TCP stack.
- tcp_send_buffer_bytes=buffer_size
- tcp_recv_buffer_bytes=buffer_size
- Specify send/recv buffer sizes in bytes. The default value depends on
operating system.
- tls_ciphers=cipher_suite
- Specifies TLS cipher suite. The format of this parameter is equivalent to
which openssl(1) ciphers subcommand accepts.
(ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')
This parameter is effective only if security_layer is set to
tls or negotiate.
- use_fastpath=[input|output|both|none]
- If not specified, defaults to none.
- black=000000
- grey=c0c0c0
- dark_grey=808080
- blue=0000ff
- dark_blue=00007f
- white=ffffff
- red=ff0000
- green=00ff00
- background=000000
- These options override the colors used internally by xrdp(8) to
draw the login and log windows. Colors are defined using a hexadecimal
(hex) notation for the combination of Red, Green, and Blue color values
(RGB). The lowest value that can be given to one of the light sources is 0
(hex 00). The highest value is 255 (hex FF).
LOGGING¶
The following parameters can be used in the
[Logging] section:
- LogFile=${SESMAN_LOG_DIR}/sesman.log
- This options contains the path to logfile. It can be either absolute or
relative, and the default is ${SESMAN_LOG_DIR}/sesman.log
- LogLevel=level
- This option can have one of the following values:
CORE or 0 - Log only core messages. these messages are
_always_ logged, regardless the logging level selected.
ERROR or 1 - Log only error messages
WARNING, WARN or 2 - Logs warnings and error messages
INFO or 3 - Logs errors, warnings and informational messages
DEBUG or 4 - Log everything. If sesman is compiled in
debug mode, this options will output many more low-level message, useful
for developers
- EnableSyslog=[true|false]
- If set to 1, true or yes this option enables logging
to syslog. Otherwise syslog is disabled.
- SyslogLevel=level
- This option sets the logging level for syslog. It can have the same values
of LogLevel. If SyslogLevel is greater than LogLevel,
its value is lowered to that of LogLevel.
CHANNELS¶
The Remote Desktop Protocol supports several channels, which are used to
transfer additional data like sound, clipboard data and others. Channel names
not listed here will be blocked by
xrdp. Not all channels are supported
in all cases, so setting a value to
true is a prerequisite, but does
not force its use.
Channels can also be enabled or disabled on a per connection basis by prefixing
each setting with
channel. in the channel section.
- rdpdr=[true|false]
- If set to 1, true or yes using the RDP channel for
device redirection is allowed.
- rdpsnd=[true|false]
- If set to 1, true or yes using the RDP channel for
sound is allowed.
- drdynvc=[true|false]
- If set to 1, true or yes using the RDP channel to
initiate additional dynamic virtual channels is allowed.
- cliprdr=[true|false]
- If set to 1, true or yes using the RDP channel for
clipboard redirection is allowed.
- rail=[true|false]
- If set to 1, true or yes using the RDP channel for
remote applications integrated locally (RAIL) is allowed.
- xrdpvr=[true|false]
- If set to 1, true or yes using the RDP channel for
XRDP Video streaming is allowed.
CONNECTIONS¶
A connection section is made of a section name, enclosed in square brackets, and
the following entries:
- name=<session name>
- The name displayed in xrdp(8) login window's combo box.
- lib=../vnc/libvnc.so
- Sets the library to be used with this connection.
- username=<username>|ask
- Specifies the username used for authenticating in the connection. If set
to ask, user name should be provided in the login window.
- password=<password>|ask
- Specifies the password used for authenticating in the connection. If set
to ask, password should be provided in the login window.
- ip=127.0.0.1
- Specifies the ip address of the host to connect to.
- port=<number>|-1
- Specifies the port number to connect to. If set to -1, the default
port for the specified library is used.
- xserverbpp=<number>
- Specifies color depth of the backend X server. The default is the color
depth of the client. Only Xvnc and X11rdp use that setting. Xorg runs at
24 bpp.
- code=<number>|0
- Specifies the session type. The default, 0, is Xvnc, 10 is
X11rdp, and 20 is Xorg with xorgxrdp modules.
EXAMPLES¶
This is an example
xrdp.ini:
[Globals]
bitmap_cache=true
bitmap_compression=true
[vnc1]
name=sesman
lib=../vnc/libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
FILES¶
${XRDP_CFG_DIR}/xrdp.ini
SEE ALSO¶
xrdp(8),
sesman(8),
sesrun(8),
sesman.ini(5)
for more info on
xrdp see
http://www.xrdp.org/