Provided by: xrdp_0.9.17-2ubuntu2_amd64

NAME

       xrdp.ini - Configuration file for xrdp(8)

DESCRIPTION

       This is the man page for xrdp.ini, the xrdp(8) configuration file.  It is composed of a
       number of sections, each consisting of a section name enclosed in square brackets,
       followed by a list of <parameter>=<value> lines.

       xrdp.ini supports the following sections:

       [Globals] - sets some global configuration settings for xrdp(8).

       [Logging] - logging subsystem parameters

       [Channels] - channel subsystem parameters

       All  options  and  values  (except for file names and paths) are case insensitive, and are
       described in detail below.

GLOBALS

       The options to be specified in the [Globals] section are the following:

       autorun=session_name
              Section name for automatic login. If set and the client supplies valid username and
              password,  the  user will be logged in automatically using the connection specified
              by session_name.

              If session_name is empty, the LOGIN DOMAIN from the client will be used to select
              the section. If no domain name is supplied, the first suitable section will be used
              for automatic login.

       bitmap_cache=[true|false]
              If set to 1, true or yes this option enables bitmap caching in xrdp(8).

       bitmap_compression=[true|false]
              If set to 1, true or yes this option enables bitmap compression in xrdp(8).

       bulk_compression=[true|false]
              If set to 1, true or yes this option enables compression of bulk data in xrdp(8).

       certificate=/path/to/certificate

       key_file=/path/to/private_key
              Set location of TLS certificate and private  key.  They  must  be  written  in  PEM
              format.  If not specified, defaults to /etc/xrdp/cert.pem, /etc/xrdp/key.pem.

              This parameter is effective only if security_layer is set to tls or negotiate.

       channel_code=[true|false]
              If set to 0, false or no this option disables all channels in xrdp(8).  See section
              CHANNELS below for more fine grained options.

       crypt_level=[low|medium|high|fips]
              Regulate encryption level of Standard RDP Security.  This  parameter  is  effective
              only if security_layer is set to rdp or negotiate.

              Encryption in Standard RDP Security is controlled by two settings: Encryption Level
              and Encryption Method.  The only supported Encryption Methods are 40BIT_ENCRYPTION
              and 128BIT_ENCRYPTION. 56BIT_ENCRYPTION is not supported.  This option controls the
              Encryption Level:

               low    All data sent from the client to the  server  is  protected  by  encryption
                      based on the maximum key strength supported by the client.  This is the
                      only level at which traffic sent by the server to the client is not
                      encrypted.

               medium All data sent between the client and the server is protected by  encryption
                      based  on  the  maximum  key  strength  supported  by  the  client  (client
                      compatible).

               high   All data sent between the client and the server is protected by  encryption
                      based on the server's maximum key strength (server compatible).

               fips   All  data  sent  between  the  client and server is protected using Federal
                      Information Processing Standard 140-1 validated encryption  methods.   This
                      level  is  required  for  Windows clients (mstsc.exe) if the client's group
                      policy enforces FIPS-compliance mode.

       fork=[true|false]
              If set to 1, true or yes for each incoming connection xrdp(8) forks  a  sub-process
              instead of using threads.

       hidelogwindow=[true|false]
              If  set  to  1,  true or yes, xrdp will not show a window for log messages.  If not
              specified, defaults to false.

       max_bpp=[8|15|16|24|32]
              Limit the color depth by specifying the maximum number of bits per pixel.   If  not
              specified or set to 0, unlimited.

       pamerrortxt=error_text
              Specify text passed to PAM when authentication failed. The maximum length is 256.

       port=port
              Specify  TCP  port and interface to listen on for incoming connections.  Specifying
              only the port means that xrdp will listen on all interfaces.  The default port  for
              RDP  is  3389.   Multiple  address:port  instances  must  be separated by spaces or
              commas. Check the .ini file for  examples.   Specifying  interfaces  requires  said
              interfaces to be UP before xrdp starts.

       require_credentials=[true|false]
              If set to 1, true or yes, xrdp will scan the user name provided by the client for
              the ASCII field separator character (0x1F). It will then copy over what is after
              the separator as the password supplied by the user and treat it as autologon. If
              not specified, defaults to false.

       domain_user_separator=separator
              If specified the domain name supplied by the client is  appended  to  the  username
              separated by separator.

       enable_token_login=[true|false]
              If set to 1, true or yes, xrdp requires clients to include username and password
              in the initial connection phase. In other words, xrdp doesn't allow clients to
              show the login screen if set to true. If not specified, defaults to false.

       security_layer=[tls|rdp|negotiate]
              Regulate security methods. If not specified, defaults to negotiate.

               tls    Enhanced  RDP  Security  is  used.  All  security  operations  (encryption,
                      decryption, data integrity verification,  and  server  authentication)  are
                      implemented by TLS.

               rdp    Standard RDP Security, which is not safe from man-in-the-middle attacks, is
                      used. The encryption level  of  Standard  RDP  Security  is  controlled  by
                      crypt_level.

               negotiate
                      Negotiate these security methods with clients.

       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
              Enables the specified SSL/TLS protocols. Values should be separated by commas.
              SSLv2 is always disabled. At least one protocol  should  be  given  to  accept  TLS
              connections.   This  parameter is effective only if security_layer is set to tls or
              negotiate.

       tcp_keepalive=[true|false]
              Regulate if the listening socket uses socket option SO_KEEPALIVE.   If  set  to  1,
              true  or  yes  and  the network connection disappears without closing messages, the
              connection will be closed.

       tcp_nodelay=[true|false]
              Regulate if the listening socket uses socket option TCP_NODELAY.  If set to 1, true
              or yes, no buffering will be performed in the TCP stack.

       tcp_send_buffer_bytes=buffer_size

       tcp_recv_buffer_bytes=buffer_size
              Specify  send/recv  buffer  sizes in bytes.  The default value depends on operating
              system.

       tls_ciphers=cipher_suite
              Specifies the TLS cipher suite. The format of this parameter is the same as that
              accepted by the openssl(1) ciphers subcommand.

              (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')

              This parameter is effective only if security_layer is set to tls or negotiate.

       use_fastpath=[input|output|both|none]
              If not specified, defaults to none.

       black=000000

       grey=c0c0c0

       dark_grey=808080

       blue=0000ff

       dark_blue=00007f

       white=ffffff

       red=ff0000

       green=00ff00

       background=000000
              These  options override the colors used internally by xrdp(8) to draw the login and
              log windows.  Colors are  defined  using  a  hexadecimal  (hex)  notation  for  the
              combination  of Red, Green, and Blue color values (RGB).  The lowest value that can
              be given to one of the light sources is 0 (hex 00).  The highest value is 255  (hex
              FF).

LOGGING

       The following parameters can be used in the [Logging] section:

       LogFile=/var/log/xrdp.log
              This option contains the path to the log file. It can be either absolute or relative.

       LogLevel=level
              This option can have one of the following values:

              CORE or 0 - Log only core messages. These messages are _always_ logged, regardless
              of the logging level selected.

              ERROR or 1 - Log only error messages

              WARNING, WARN or 2 - Logs warnings and error messages

              INFO or 3 - Logs errors, warnings and informational messages

              DEBUG or 4 - Log everything. If xrdp-sesman is compiled in debug mode, this option
              will output many more low-level messages, useful for developers

       EnableSyslog=[true|false]
              If set to 1, true or yes this option enables logging to syslog. Otherwise syslog is
              disabled.

       SyslogLevel=level
              This option sets the logging level for syslog. It can have the same values as
              LogLevel.  If SyslogLevel is greater than LogLevel, its value is lowered to that of
              LogLevel.

       EnableConsole=[true|false]
              If set to 1, true or yes, this option enables logging to the console (ie. stdout).

       ConsoleLevel=level
              Logging level for the console. It can have the same values as LogLevel. Defaults to
              DEBUG.

       EnableProcessId=[true|false]
              If  set  to  1,  true or yes, this option enables logging the process id in all log
              messages. Defaults to false.

CHANNELS

       The Remote Desktop  Protocol  supports  several  channels,  which  are  used  to  transfer
       additional data like sound, clipboard data and others.  Channel names not listed here will
       be blocked by xrdp.  Not all channels are supported in all cases, so setting  a  value  to
       true is a prerequisite, but does not force its use.
       Channels  can  also  be  enabled  or  disabled on a per connection basis by prefixing each
       setting with channel. in the channel section.

       rdpdr=[true|false]
              If set to 1, true or yes using the RDP channel for device redirection is allowed.

       rdpsnd=[true|false]
              If set to 1, true or yes using the RDP channel for sound is allowed.

       drdynvc=[true|false]
              If set to 1, true or yes using the  RDP  channel  to  initiate  additional  dynamic
              virtual channels is allowed.

       cliprdr=[true|false]
              If  set  to  1,  true  or  yes  using  the RDP channel for clipboard redirection is
              allowed.

       rail=[true|false]
              If set to 1, true or yes using the RDP channel for remote  applications  integrated
              locally (RAIL) is allowed.

       xrdpvr=[true|false]
              If set to 1, true or yes using the RDP channel for XRDP Video streaming is allowed.

CONNECTIONS

       A  connection  section  is  made  of  a section name, enclosed in square brackets, and the
       following entries:

       name=<session name>
              The name displayed in xrdp(8) login window's combo box.

       lib=../vnc/libvnc.so
              Sets the library to be used with this connection.

       username=<username>|{base64}<base64-encoded-username>|ask
              Specifies the username used for authenticating in the connection.  If set  to  ask,
              user name should be provided in the login window.

              If  the username includes comment out symbols such as '#', or ';', the username can
              be provided in base64 form prefixing "{base64}".

       password=<password>|{base64}<base64-encoded-password>|ask
              Specifies the password used for authenticating in the connection.  If set  to  ask,
              password should be provided in the login window.

              This  parameter  can  be  provided  in  base64  form  as well as username. See also
              examples below.

       ip=127.0.0.1
              Specifies the ip address of the host to connect to.

       port=<number>|-1
              Specifies the port number to connect to. If set to -1, the  default  port  for  the
              specified library is used.

       xserverbpp=<number>
              Specifies  color  depth  of the backend X server. The default is the color depth of
              the client. Only Xvnc and X11rdp use that setting. Xorg runs at 24 bpp.

       disabled_encodings_mask=<number>
              Set this bitmask to a non-zero value to prevent xrdp(8)  requesting  some  features
              from the Xvnc server. You should only need to set this to  a non-zero value to work
              around bugs in your Xvnc server. The bit values supported for a particular  release
              of xrdp(8) are documented in xrdp.ini.

       code=<number>|0
              Specifies  the  session type. The default, 0, is Xvnc, 10 is X11rdp, and 20 is Xorg
              with xorgxrdp modules.

       chansrvport=DISPLAY(n)|/path/to/domain-socket
              Asks xrdp to connect to a manually started  xrdp-chansrv  instance.   This  can  be
              useful if you wish to use xrdp to connect to a VNC session which has been
              started other than by xrdp-sesman,  as  you  can  then  make  use  of  xrdp-chansrv
              facilities in the VNC session.

              The  first  form  of  this setting is recommended, replacing n with the X11 display
              number of the session.

EXAMPLES

       This is an example xrdp.ini:

       [Globals]
       bitmap_cache=true
       bitmap_compression=true

       [Xorg]
       name=Xorg
       lib=libxup.so
       username=ask
       password=ask
       ip=127.0.0.1
       port=-1
       code=20

       [vnc-any]
       name=vnc-any
       lib=libvnc.so
       ip=ask
       port=ask5900
       username=na
       password={base64}cGFzc3dvcmQhCg==
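
       As an added example (not part of this man page or of the xrdp distribution), the Python
       sketch below audits an xrdp.ini for settings described above: a security_layer that
       still allows Standard RDP Security, crypt_level=low, legacy entries in ssl_protocols,
       and passwords kept in connection sections, where {base64} is an encoding and not
       encryption.  The audit() function, its finding texts, the choice to treat SSLv3, TLSv1
       and TLSv1.1 as legacy, and the SAMPLE input are assumptions of this example.

```python
import base64
import configparser

WEAK_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}     # assumption: treated as legacy here
NON_CONNECTION = {"globals", "logging", "channels"}

# Constructed sample input for this example, not a shipped default.
SAMPLE = """
[Globals]
security_layer=negotiate
crypt_level=low
ssl_protocols=SSLv3, TLSv1.2, TLSv1.3

[vnc-any]
username=na
password={base64}cGFzc3dvcmQhCg==
"""

def audit(text):
    """Return (section, option, finding) tuples for risky xrdp.ini values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        # configparser lower-cases option names; values are case insensitive too.
        opts = {k: v.strip() for k, v in cp.items(section)}
        if section.lower() == "globals":
            layer = opts.get("security_layer", "negotiate").lower()
            if layer != "tls":  # crypt_level only matters for rdp/negotiate
                findings.append((section, "security_layer",
                                 f"'{layer}' permits Standard RDP Security"))
                if opts.get("crypt_level", "").lower() == "low":
                    findings.append((section, "crypt_level",
                                     "server-to-client traffic is not encrypted"))
            if layer != "rdp":  # ssl_protocols only matters for tls/negotiate
                protos = {p.strip().lower() for p in opts.get("ssl_protocols", "").split(",")}
                for p in sorted(protos & WEAK_PROTOCOLS):
                    findings.append((section, "ssl_protocols", f"legacy protocol {p} enabled"))
        elif section.lower() not in NON_CONNECTION:
            pw = opts.get("password", "")
            if pw.lower().startswith("{base64}"):
                clear = base64.b64decode(pw[8:]).decode(errors="replace")
                findings.append((section, "password",
                                 f"base64 is reversible: decodes to {clear!r}"))
            elif pw and pw.lower() != "ask":
                findings.append((section, "password", "stored in plain text"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

       Point audit() at the contents of /etc/xrdp/xrdp.ini to review a deployed configuration;
       a file with security_layer=tls, only current TLS versions and password=ask yields no
       findings.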

FILES

       /etc/xrdp/xrdp.ini

SEE ALSO

       xrdp(8), xrdp-chansrv(8), xrdp-sesman(8), xrdp-sesrun(8), sesman.ini(5)

       For more info on xrdp see ⟨http://www.xrdp.org/⟩