xrdp.ini(5)							   xrdp.ini(5)

NAME
       xrdp.ini	- Configuration	file for xrdp(8)

DESCRIPTION
       This is the man page for xrdp.ini, the xrdp(8) configuration file.  It
       is composed of a number of sections, each consisting of a section name
       enclosed in square brackets, followed by a list of _parameter_=_value_
       lines.

       xrdp.ini	supports the following sections:

       [Globals] - sets	some global configuration settings for xrdp(8).

       [Logging] - logging subsystem parameters

       [Channels] - channel subsystem parameters

       All options and values (except for file names and paths)	are  case  in-
       sensitive, and are described in detail below.

GLOBALS
       The options to be specified in the [Globals] section are	the following:

       autorun=session_name
	      Section name for automatic login.	If set and the client supplies
	      valid username and password, the user will be logged in automat-
	      ically using the connection specified by session_name.

	      If  session_name is empty, the LOGIN DOMAIN from the client will
	      be used to select	the section. If	no domain  name	 is  supplied,
	      the first	suitable section will be used for automatic login.

       bitmap_cache=[true|false]
	      If  set  to 1, true or yes this option enables bitmap caching in
	      xrdp(8).

       bitmap_compression=[true|false]
	      If set to	1, true	or yes this option enables bitmap  compression
	      in xrdp(8).

       bulk_compression=[true|false]
	      If set to	1, true	or yes this option enables compression of bulk
	      data in xrdp(8).

       certificate=/path/to/certificate

       key_file=/path/to/private_key
	      Set location of TLS certificate and private key.  They must be
	      written in PEM format.  If not specified, defaults to
	      /usr/local/etc/xrdp/cert.pem, /usr/local/etc/xrdp/key.pem.

	      This parameter is	effective only if security_layer is set	to tls
	      or negotiate.

       channel_code=[true|false]
	      If set to 0, false or no this option disables all channels in
	      xrdp(8).  See section CHANNELS below for more fine-grained
	      options.

       crypt_level=[low|medium|high|fips]
	      Regulate encryption level	of Standard RDP	Security.  This	param-
	      eter is effective	only if	security_layer is set to rdp or	 nego-
	      tiate.

	      Encryption in Standard RDP Security is controlled by two
	      settings: Encryption Level and Encryption Method.  The only
	      supported Encryption Methods are 40BIT_ENCRYPTION and
	      128BIT_ENCRYPTION. 56BIT_ENCRYPTION is not supported.  This
	      option controls the Encryption Level:

	       low    All data sent from the client to the server is protected
		      by encryption based on the maximum key strength
		      supported by the client.  This is the only level at
		      which traffic sent by the server to the client is not
		      encrypted.

	       medium All data sent between the	client and the server is  pro-
		      tected  by  encryption based on the maximum key strength
		      supported	by the client (client compatible).

	       high   All data sent between the	client and the server is  pro-
		      tected  by  encryption based on the server's maximum key
		      strength (server compatible).

	       fips   All data sent between the	client and server is protected
		      using Federal Information	Processing Standard 140-1 val-
		      idated encryption	methods.  This level is	 required  for
		      Windows clients (mstsc.exe) if the client's group	policy
		      enforces FIPS-compliance mode.

       fork=[true|false]
	      If set to	1, true	or yes for each	 incoming  connection  xrdp(8)
	      forks a sub-process instead of using threads.

       hidelogwindow=[true|false]
	      If  set  to  1, true or yes, xrdp	will not show a	window for log
	      messages.	 If not	specified, defaults to false.

       max_bpp=[8|15|16|24|32]
	      Limit the	color depth by specifying the maximum number  of  bits
	      per pixel.  If not specified or set to 0,	unlimited.

       pamerrortxt=error_text
	      Specify text passed to PAM when authentication failed. The maxi-
	      mum length is 256.

       port=port
	      Specify TCP port and interface to	listen on for incoming connec-
	      tions.   Specifying only the port	means that xrdp	will listen on
	      all interfaces.  The default port	for RDP	is 3389.  Multiple ad-
	      dress:port  instances  must  be  separated  by spaces or commas.
	      Check the	.ini file for  examples.   Specifying  interfaces  re-
	      quires said interfaces to	be UP before xrdp starts.

       require_credentials=[true|false]
	      If set to 1, true or yes, xrdp will scan the user name provided
	      by the client for the ASCII field separator character (0x1F).
	      It will then copy what follows the separator as the password
	      supplied by the user and treat it as autologon.  If not
	      specified, defaults to false.

       domain_user_separator=separator
	      If  specified the	domain name supplied by	the client is appended
	      to the username separated	by separator.

       enable_token_login=[true|false]
	      If set to 1, true or yes, xrdp requires clients to include the
	      username and password in the initial connection phase.  In other
	      words, xrdp doesn't allow clients to show the login screen if
	      set to true.  If not specified, defaults to false.

       security_layer=[tls|rdp|negotiate]
	      Regulate security	methods. If not	specified, defaults to negoti-
	      ate.

	       tls    Enhanced RDP Security is used. All  security  operations
		      (encryption,  decryption,	 data  integrity verification,
		      and server authentication) are implemented by TLS.

	       rdp    Standard RDP Security, which is not  safe	 from  man-in-
		      the-middle  attack,  is  used.  The  encryption level of
		      Standard RDP Security is controlled by crypt_level.

	       negotiate
		      Negotiate	these security methods with clients.

       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
	      Enables the specified SSL/TLS protocols.  Values should be
	      separated by commas.  SSLv2 is always disabled.  At least one
	      protocol should be given to accept TLS connections.  This
	      parameter is effective only if security_layer is set to tls or
	      negotiate.

       tcp_keepalive=[true|false]
	      Regulate	 if   the   listening	socket	 uses	socket	option
	      SO_KEEPALIVE.  If	set to 1, true or yes and the network  connec-
	      tion disappears without closing messages,	the connection will be
	      closed.

       tcp_nodelay=[true|false]
	      Regulate if the listening	socket uses socket option TCP_NODELAY.
	      If  set to 1, true or yes, no buffering will be performed	in the
	      TCP stack.

       tcp_send_buffer_bytes=buffer_size

       tcp_recv_buffer_bytes=buffer_size
	      Specify send/recv	buffer sizes in	bytes.	The default value  de-
	      pends on operating system.

       tls_ciphers=cipher_suite
	      Specifies the TLS cipher suite.  The format of this parameter is
	      the same as that accepted by the openssl(1) ciphers subcommand.

	      (e.g. $ openssl ciphers 'HIGH:!ADH:!SHA1')

	      This parameter is	effective only if security_layer is set	to tls
	      or negotiate.

       use_fastpath=[input|output|both|none]
	      If not specified,	defaults to none.

       black=000000

       grey=c0c0c0

       dark_grey=808080

       blue=0000ff

       dark_blue=00007f

       white=ffffff

       red=ff0000

       green=00ff00

       background=000000
	      These  options override the colors used internally by xrdp(8) to
	      draw the login and log windows.	Colors	are  defined  using  a
	      hexadecimal  (hex)  notation  for	the combination	of Red,	Green,
	      and Blue color values (RGB).  The	lowest value that can be given
	      to one of	the light sources is 0 (hex 00).  The highest value is
	      255 (hex FF).

LOGGING
       The following parameters	can be used in the [Logging] section:

       LogFile=/var/log/xrdp.log
	      This option contains the path to the log file.  It can be either
	      absolute or relative.

       LogLevel=level
	      This option can have one of the following	values:

	      CORE or 0 - Log only core messages.  These messages are _always_
	      logged, regardless of the logging level selected.

	      ERROR or 1 - Log only error messages

	      WARNING, WARN or 2 - Logs	warnings and error messages

	      INFO or 3	- Logs errors, warnings	and informational messages

	      DEBUG or 4 - Log everything.  If xrdp-sesman is compiled in
	      debug mode, this option will output many more low-level
	      messages, useful for developers.

       EnableSyslog=[true|false]
	      If set to	1, true	or yes this option enables logging to  syslog.
	      Otherwise	syslog is disabled.

       SyslogLevel=level
	      This option sets the logging level for syslog.  It can have the
	      same values as LogLevel.  If SyslogLevel is greater than
	      LogLevel, its value is lowered to that of LogLevel.

       EnableConsole=[true|false]
	      If set to 1, true or yes, this option enables logging to the
	      console (i.e. stdout).

       ConsoleLevel=level
	      Logging level for	the console. It	can have the  same  values  as
	      LogLevel.	Defaults to DEBUG.

       EnableProcessId=[true|false]
	      If  set  to  1,  true  or	 yes,  this option enables logging the
	      process id in all	log messages. Defaults to false.

CHANNELS
       The Remote Desktop Protocol supports several channels, which  are  used
       to  transfer  additional	 data  like  sound, clipboard data and others.
       Channel names not listed	here will be blocked by	xrdp.  Not  all	 chan-
       nels  are  supported in all cases, so setting a value to	true is	a pre-
       requisite, but does not force its use.
       Channels	can also be enabled or disabled	on a per connection  basis  by
       prefixing each setting with channel. in the channel section.

       rdpdr=[true|false]
	      If  set to 1, true or yes	using the RDP channel for device redi-
	      rection is allowed.

       rdpsnd=[true|false]
	      If set to	1, true	or yes using the RDP channel for sound is  al-
	      lowed.

       drdynvc=[true|false]
	      If set to	1, true	or yes using the RDP channel to	initiate addi-
	      tional dynamic virtual channels is allowed.

       cliprdr=[true|false]
	      If set to	1, true	or yes using the RDP channel for clipboard re-
	      direction	is allowed.

       rail=[true|false]
	      If set to	1, true	or yes using the RDP channel for remote	appli-
	      cations integrated locally (RAIL)	is allowed.

       xrdpvr=[true|false]
	      If set to	1, true	or yes using the RDP channel  for  XRDP	 Video
	      streaming	is allowed.

CONNECTIONS
       A  connection  section  is  made	 of a section name, enclosed in	square
       brackets, and the following entries:

       name=_session name_
	      The name displayed in xrdp(8) login window's combo box.

       lib=../vnc/libvnc.so
	      Sets the library to be used with this connection.

       username=_username_|{base64}_base64-encoded-username_|ask
	      Specifies	the username used for authenticating  in  the  connec-
	      tion.   If set to	ask, user name should be provided in the login
	      window.

	      If the username includes comment symbols such as '#' or ';',
	      the username can be provided in base64 form, prefixed with
	      "{base64}".

       password=_password_|{base64}_base64-encoded-password_|ask
	      Specifies	the password used for authenticating  in  the  connec-
	      tion.   If  set to ask, password should be provided in the login
	      window.

	      This parameter can be provided in base64 form, in the same way
	      as username.  See also the examples below.

       ip=127.0.0.1
	      Specifies	the ip address of the host to connect to.

       port=_number_|-1
	      Specifies	 the  port number to connect to. If set	to -1, the de-
	      fault port for the specified library is used.

       xserverbpp=_number_
	      Specifies	color depth of the backend X server.  The  default  is
	      the  color  depth	 of  the client. Only Xvnc and X11rdp use that
	      setting. Xorg runs at 24 bpp.

       disabled_encodings_mask=_number_
	      Set this bitmask to a non-zero value to prevent xrdp(8) request-
	      ing  some	features from the Xvnc server. You should only need to
	      set this to  a non-zero value to work around bugs	in  your  Xvnc
	      server.  The  bit	 values	 supported for a particular release of
	      xrdp(8) are documented in	xrdp.ini.

       code=_number_|0
	      Specifies	the session type. The  default,	 0,  is	 Xvnc,	10  is
	      X11rdp, and 20 is	Xorg with xorgxrdp modules.

       chansrvport=DISPLAY(n)|/path/to/domain-socket
	      Asks xrdp to connect to a manually started xrdp-chansrv
	      instance.  This can be useful if you wish to use xrdp to
	      connect to a VNC session which has been started other than by
	      xrdp-sesman, as you can then make use of xrdp-chansrv facilities
	      in the VNC session.

	      The  first form of this setting is recommended, replacing	n with
	      the X11 display number of	the session.

EXAMPLES
       This is an example xrdp.ini:

       [Globals]
       bitmap_cache=true
       bitmap_compression=true

       [Xorg]
       name=Xorg
       lib=libxup.so
       username=ask
       password=ask
       ip=127.0.0.1
       port=-1
       code=20

       [vnc-any]
       name=vnc-any
       lib=libvnc.so
       ip=ask
       port=ask5900
       username=na
       password={base64}cGFzc3dvcmQhCg==
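
       The security-related settings above can be checked mechanically.  The
       Python code below is an added example, not part of xrdp or of this
       manual page: it reports [Globals] values that leave Standard RDP
       Security or old protocols enabled, and connection sections that store a
       password.  The audit() function, the WEAK and HARDENED samples and the
       choice to flag SSLv3, TLSv1 and TLSv1.1 are assumptions made for
       illustration.

```python
import base64
import configparser

WEAK_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}  # deprecated: RFC 7568, RFC 8996
NOT_CONNECTIONS = {"globals", "logging", "channels"}
# Constructed sample: weak [Globals] values plus the password line from EXAMPLES.
WEAK = """[Globals]
security_layer=negotiate
crypt_level=low
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
[vnc-any]
password={base64}cGFzc3dvcmQhCg==
"""
# Constructed corrected counterpart: TLS only, current protocols, no stored secret.
HARDENED = """[Globals]
security_layer=tls
ssl_protocols=TLSv1.2, TLSv1.3
[vnc-any]
password=ask
"""

def audit(text):
    """Return (section, option, message) findings for the text of an xrdp.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    out = []
    g = next((cp[s] for s in cp.sections() if s.lower() == "globals"), {})
    layer = g.get("security_layer", "negotiate").strip().lower()  # documented default
    if layer in ("rdp", "negotiate"):
        out.append(("Globals", "security_layer", layer + " permits Standard RDP Security"))
        if g.get("crypt_level", "").strip().lower() == "low":  # only used by rdp/negotiate
            out.append(("Globals", "crypt_level", "low: server-to-client traffic is not encrypted"))
    if layer in ("tls", "negotiate"):
        protos = g.get("ssl_protocols", "").replace(",", " ").lower().split()
        for p in sorted(WEAK_PROTOCOLS.intersection(protos)):
            out.append(("Globals", "ssl_protocols", p + " is deprecated; allow only TLSv1.2/TLSv1.3"))
    for name in cp.sections():
        pw = cp[name].get("password", "ask").strip()
        if name.lower() in NOT_CONNECTIONS or pw.lower() == "ask" or not pw:
            continue
        if pw.startswith("{base64}"):  # encoding only: any reader of the file can decode it
            n = len(base64.b64decode(pw[len("{base64}"):]))
            out.append((name, "password", f"base64 is not encryption; {n}-byte secret recoverable"))
        else:
            out.append((name, "password", "cleartext password stored in xrdp.ini"))
    return out

if __name__ == "__main__":
    print(*audit(WEAK), sep="\n")
```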

FILES
       /usr/local/etc/xrdp/xrdp.ini

SEE ALSO
       xrdp(8),	xrdp-chansrv(8), xrdp-sesman(8), xrdp-sesrun(8), sesman.ini(5)

       For more	info on	xrdp see <http://www.xrdp.org/>

xrdp team			    0.9.16			   xrdp.ini(5)
