xrdp.ini(5)                                                        xrdp.ini(5)

NAME
       xrdp.ini - Configuration file for xrdp(8)

DESCRIPTION
       This is the man page for xrdp.ini, the xrdp(8) configuration file.  It
       is composed of a number of sections, each consisting of a section name
       enclosed in square brackets, followed by a list of <parameter>=<value>
       lines.

       xrdp.ini supports the following sections:

       [Globals] - sets some global configuration settings for xrdp(8).

       [Logging] - logging subsystem parameters

       [Channels] - channel subsystem parameters

       All options and values (except for  file  names  and  paths)  are  case
       insensitive, and are described in detail below.

GLOBALS
       The options to be specified in the [Globals] section are the following:

       address=ip address
              Specify  xrdp  listening  address. If not specified, defaults to
              0.0.0.0 (all interfaces).

       autorun=session_name
              Section name for automatic login. If set and the client supplies
              a valid username and password, the user will be logged in
              automatically using the connection specified by session_name.

              If session_name is empty, the LOGIN DOMAIN from the client will
              be used to select the section. If no domain name is supplied,
              the first suitable section will be used for automatic login.

       bitmap_cache=[true|false]
              If set to 1, true or yes this option enables bitmap  caching  in
              xrdp(8).

       bitmap_compression=[true|false]
              If  set to 1, true or yes this option enables bitmap compression
              in xrdp(8).

       bulk_compression=[true|false]
              If set to 1, true or yes this option enables compression of bulk
              data in xrdp(8).

       certificate=/path/to/certificate

       key_file=/path/to/private_key
              Set  location  of  TLS certificate and private key. They must be
              written  in  PEM  format.   If  not   specified,   defaults   to
              /etc/xrdp/cert.pem, /etc/xrdp/key.pem.

              This parameter is effective only if security_layer is set to tls
              or negotiate.

       channel_code=[true|false]
              If set to 0, false or no this option disables all channels in
              xrdp(8).  See section CHANNELS below for more fine-grained
              options.

       crypt_level=[low|medium|high|fips]
              Regulate encryption level of Standard RDP Security.  This
              parameter is effective only if security_layer is set to rdp or
              negotiate.

              Encryption in Standard RDP Security is controlled by two
              settings: Encryption Level and Encryption Method.  The only
              supported Encryption Methods are 40BIT_ENCRYPTION and
              128BIT_ENCRYPTION.  56BIT_ENCRYPTION is not supported.  This
              option controls the Encryption Level:

               low    All data sent from the client to the server is protected
                      by encryption based on the maximum key strength
                      supported by the client.  This is the only level at
                      which traffic sent by the server to the client is not
                      encrypted.

               medium All data sent between the client and the server is
                      protected by encryption based on the maximum key
                      strength supported by the client (client compatible).

               high   All data sent between the client and the server is
                      protected by encryption based on the server's maximum
                      key strength (server compatible).

               fips   All data sent between the client and server is protected
                      using Federal Information Processing Standard 140-1
                      validated encryption methods.  This level is required
                      for Windows clients (mstsc.exe) if the client's group
                      policy enforces FIPS-compliance mode.

       fork=[true|false]
              If  set  to  1, true or yes for each incoming connection xrdp(8)
              forks a sub-process instead of using threads.

       hidelogwindow=[true|false]
              If set to 1, true or yes, xrdp will not show a  window  for  log
              messages.  If not specified, defaults to false.

       max_bpp=[8|15|16|24|32]
              Limit  the  color depth by specifying the maximum number of bits
              per pixel.  If not specified or set to 0, unlimited.

       pamerrortxt=error_text
              Specify text passed to PAM when authentication fails. The
              maximum length is 256.

       port=port
              Specify  TCP  port  to  listen on for incoming connections.  The
              default for RDP is 3389.

       require_credentials=[true|false]
              If set to 1, true or yes, xrdp requires clients to include a
              username and password in the initial connection phase. In other
              words, xrdp doesn't allow clients to show the login screen if
              set to true. If not specified, defaults to false.

       security_layer=[tls|rdp|negotiate]
              Regulate security methods. If not specified, defaults to
              negotiate.

               tls    Enhanced RDP Security is used. All  security  operations
                      (encryption,  decryption,  data  integrity verification,
                      and server authentication) are implemented by TLS.

               rdp    Standard RDP Security, which is not safe from
                      man-in-the-middle attacks, is used.  The encryption
                      level of Standard RDP Security is controlled by
                      crypt_level.

               negotiate
                      Negotiate these security methods with clients.

       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
              Enables the specified SSL/TLS protocols. Values should be
              separated by commas.  SSLv2 is always disabled. At least one
              protocol should be given to accept TLS connections.  This
              parameter is effective only if security_layer is set to tls or
              negotiate.

       tcp_keepalive=[true|false]
              Regulate whether the listening socket uses socket option
              SO_KEEPALIVE.  If set to 1, true or yes and the network
              connection disappears without closing messages, the connection
              will be closed.

       tcp_nodelay=[true|false]
              Regulate if the listening socket uses socket option TCP_NODELAY.
              If  set to 1, true or yes, no buffering will be performed in the
              TCP stack.

       tcp_send_buffer_bytes=buffer_size

       tcp_recv_buffer_bytes=buffer_size
              Specify send/recv buffer sizes  in  bytes.   The  default  value
              depends on operating system.

       tls_ciphers=cipher_suite
              Specifies the TLS cipher suite. The format of this parameter is
              the same as that accepted by the openssl(1) ciphers subcommand.

              (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')

              This parameter is effective only if security_layer is set to tls
              or negotiate.

       use_fastpath=[input|output|both|none]
              If not specified, defaults to none.

       black=000000

       grey=c0c0c0

       dark_grey=808080

       blue=0000ff

       dark_blue=00007f

       white=ffffff

       red=ff0000

       green=00ff00

       background=000000
              These  options override the colors used internally by xrdp(8) to
              draw the login and log windows.   Colors  are  defined  using  a
              hexadecimal  (hex)  notation  for the combination of Red, Green,
              and Blue color values (RGB).  The lowest value that can be given
              to one of the light sources is 0 (hex 00).  The highest value is
              255 (hex FF).
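
       The transport-related options above (security_layer, crypt_level,
       ssl_protocols) can be checked mechanically. The following Python
       sketch is an added example, not part of the man page or the xrdp
       project; the sample configurations are constructed, and treating
       SSLv3, TLSv1 and TLSv1.1 as legacy is an assumption of the audit.

```python
import configparser

# Assumption of this audit (not stated in the man page): these are legacy versions.
LEGACY_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}

def read_globals(ini_text):
    """Return [Globals] options lower-cased (options and values are case
    insensitive; paths are not, but this audit does not read them)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    for name in cp.sections():
        if name.lower() == "globals":
            return {k: v.strip().lower() for k, v in cp[name].items()}
    return {}

def audit_transport(ini_text):
    """Return (option, reason) pairs for weak transport settings."""
    g = read_globals(ini_text)
    findings = []
    layer = g.get("security_layer", "negotiate")  # documented default
    if layer in ("rdp", "negotiate"):
        findings.append(("security_layer",
                         f"{layer} permits Standard RDP Security (not safe from man-in-the-middle)"))
        if g.get("crypt_level") == "low":
            findings.append(("crypt_level", "low leaves server-to-client traffic unencrypted"))
    if layer in ("tls", "negotiate"):
        enabled = {p.strip() for p in g.get("ssl_protocols", "").split(",")}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(("ssl_protocols", "legacy protocols enabled: " + ", ".join(legacy)))
    return findings

# Constructed sample inputs, not taken from a real host.
WEAK = """
[Globals]
security_layer=negotiate
crypt_level=low
ssl_protocols=SSLv3, TLSv1, TLSv1.2
"""
HARDENED = """
[Globals]
security_layer=tls
ssl_protocols=TLSv1.2, TLSv1.3
tls_ciphers=HIGH:!ADH:!SHA1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_transport(text))
```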

LOGGING
       The following parameters can be used in the [Logging] section:

       LogFile=/var/log/xrdp.log
              This option contains the path to the log file. It can be either
              absolute or relative.

       LogLevel=level
              This option can have one of the following values:

              CORE or 0 - Log only core messages. These messages are _always_
              logged, regardless of the logging level selected.

              ERROR or 1 - Log only error messages

              WARNING, WARN or 2 - Logs warnings and error messages

              INFO or 3 - Logs errors, warnings and informational messages

              DEBUG or 4 - Log everything. If sesman is compiled in debug
              mode, this option will output many more low-level messages,
              useful for developers

       EnableSyslog=[true|false]
              If set to 1, true or yes this option enables logging to  syslog.
              Otherwise syslog is disabled.

       SyslogLevel=level
              This option sets the logging level for syslog. It can have the
              same values as LogLevel. If SyslogLevel is greater than
              LogLevel, its value is lowered to that of LogLevel.

CHANNELS
       The Remote Desktop Protocol supports several channels, which are used
       to transfer additional data like sound, clipboard data and others.
       Channel names not listed here will be blocked by xrdp.  Not all
       channels are supported in all cases, so setting a value to true is a
       prerequisite, but does not force its use.
       Channels can also be enabled or disabled on a per connection basis by
       prefixing each setting with channel. in the channel section.

       rdpdr=[true|false]
              If set to 1, true or yes using the RDP channel for device
              redirection is allowed.

       rdpsnd=[true|false]
              If  set  to  1,  true  or yes using the RDP channel for sound is
              allowed.

       drdynvc=[true|false]
              If set to 1, true or yes using the RDP channel to initiate
              additional dynamic virtual channels is allowed.

       cliprdr=[true|false]
              If set to 1, true or yes using the RDP channel for clipboard
              redirection is allowed.

       rail=[true|false]
              If set to 1, true or yes using the RDP channel for remote
              applications integrated locally (RAIL) is allowed.

       xrdpvr=[true|false]
              If  set  to  1, true or yes using the RDP channel for XRDP Video
              streaming is allowed.

CONNECTIONS
       A connection section is made of a  section  name,  enclosed  in  square
       brackets, and the following entries:

       name=<session name>
              The name displayed in xrdp(8) login window's combo box.

       lib=../vnc/libvnc.so
              Sets the library to be used with this connection.

       username=<username>|{base64}<base64-encoded-username>|ask
              Specifies the username used for authenticating in the
              connection.  If set to ask, the user name should be provided in
              the login window.

              If the username includes comment symbols such as '#' or ';',
              the username can be provided in base64 form by prefixing it
              with "{base64}".

       password=<password>|{base64}<base64-encoded-password>|ask
              Specifies the password used for authenticating in the
              connection.  If set to ask, the password should be provided in
              the login window.

              This parameter can be provided in base64 form in the same way
              as username. See also the examples below.

       ip=127.0.0.1
              Specifies the ip address of the host to connect to.

       port=<number>|-1
              Specifies the port number to connect  to.  If  set  to  -1,  the
              default port for the specified library is used.

       xserverbpp=<number>
              Specifies  color  depth  of the backend X server. The default is
              the color depth of the client. Only Xvnc  and  X11rdp  use  that
              setting. Xorg runs at 24 bpp.

       code=<number>|0
              Specifies  the  session  type.  The  default,  0, is Xvnc, 10 is
              X11rdp, and 20 is Xorg with xorgxrdp modules.

EXAMPLES
       This is an example xrdp.ini:

       [Globals]
       bitmap_cache=true
       bitmap_compression=true

       [Xorg]
       name=Xorg
       lib=libxup.so
       username=ask
       password=ask
       ip=127.0.0.1
       port=-1
       code=20

       [vnc-any]
       name=vnc-any
       lib=libvnc.so
       ip=ask
       port=ask5900
       username=na
       password={base64}cGFzc3dvcmQhCg==
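
       The {base64} form is an encoding, not protection: anyone who can read
       xrdp.ini can recover the password. The following Python sketch is an
       added example, not part of the man page or the xrdp project; it lists
       connection sections that store a password without printing the
       secret. The [vnc-plain] section and its value are constructed.

```python
import base64
import binascii
import configparser

PREFIX = "{base64}"

def find_stored_passwords(ini_text):
    """Return (section, kind, secret_length, has_surrounding_whitespace)
    for every section whose password is stored instead of set to ask."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        value = cp[section].get("password")
        if value is None or value.strip().lower() == "ask":
            continue  # no password option, or the user is prompted
        value = value.strip()
        if value[:len(PREFIX)].lower() == PREFIX:
            try:
                secret = base64.b64decode(value[len(PREFIX):], validate=True)
            except binascii.Error:
                findings.append((section, "invalid-base64", None, False))
                continue
            kind = "base64"
        else:
            secret, kind = value.encode(), "plaintext"
        # Whitespace around the decoded secret usually means it was encoded
        # together with a trailing newline.
        findings.append((section, kind, len(secret), secret != secret.strip()))
    return findings

# [Xorg] and [vnc-any] follow the EXAMPLES section; [vnc-plain] is constructed.
SAMPLE = """
[Xorg]
username=ask
password=ask

[vnc-any]
username=na
password={base64}cGFzc3dvcmQhCg==

[vnc-plain]
password=hunter2
"""

if __name__ == "__main__":
    for finding in find_stored_passwords(SAMPLE):
        print(finding)
```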

FILES
       /etc/xrdp/xrdp.ini

SEE ALSO
       xrdp(8), sesman(8), sesrun(8), sesman.ini(5)

       for more info on xrdp see http://www.xrdp.org/

xrdp team                          0.9.13.1                        xrdp.ini(5)
