Provided by: xrdp_0.10.1-3_amd64

NAME

       xrdp.ini - Configuration file for xrdp(8)

DESCRIPTION

       This is the man page for xrdp.ini, the xrdp(8) configuration file. It is composed of a number of
       sections, each consisting of a section name enclosed in square brackets, followed by a list of
       <parameter>=<value> lines.

       xrdp.ini supports the following sections:

       [Globals] - sets some global configuration settings for xrdp(8).

       [Logging] - logging subsystem parameters

       [Channels] - channel subsystem parameters

       All  options  and  values  (except  for  file names and paths) are case insensitive, and are described in
       detail below.

GLOBALS

       The options to be specified in the [Globals] section are the following:

       autorun=session_name
              Section name for automatic login. If set and the client supplies valid username and password,  the
              user will be logged in automatically using the connection specified by session_name.

              If session_name is empty, the LOGIN DOMAIN from the client will be used to select the section. If
              no domain name is supplied, the first suitable section will be used for automatic login.

       bitmap_cache=[true|false]
              If set to 1, true or yes this option enables bitmap caching in xrdp(8).

       bitmap_compression=[true|false]
              If set to 1, true or yes this option enables bitmap compression in xrdp(8).

       bulk_compression=[true|false]
              If set to 1, true or yes this option enables compression of bulk data in xrdp(8).

       certificate=/path/to/certificate

       key_file=/path/to/private_key
              Set location of TLS certificate and private key. They must be  written  in  PEM  format.   If  not
              specified, defaults to /etc/xrdp/cert.pem, /etc/xrdp/key.pem.

              This parameter is effective only if security_layer is set to tls or negotiate.

       channel_code=[true|false]
              If set to 0, false or no, this option disables all channels in xrdp(8).  See section CHANNELS
              below for more fine-grained options.

       crypt_level=[low|medium|high|fips]
              Regulate encryption level  of  Standard  RDP  Security.   This  parameter  is  effective  only  if
              security_layer is set to rdp or negotiate.

              Encryption in Standard RDP Security is controlled by two settings: Encryption Level and Encryption
              Method.  The only supported Encryption Methods are 40BIT_ENCRYPTION and 128BIT_ENCRYPTION.
              56BIT_ENCRYPTION is not supported.  This option controls the Encryption Level:

               low    All data sent from the client to the server is protected by encryption based on the
                      maximum key strength supported by the client.  This is the only level at which traffic
                      sent by the server to the client is not encrypted.

               medium All data sent between the client and the server is protected by encryption  based  on  the
                      maximum key strength supported by the client (client compatible).

               high   All data sent between the client and the server is protected by encryption based on the
                      server's maximum key strength (server compatible).

               fips   All data sent between the  client  and  server  is  protected  using  Federal  Information
                      Processing  Standard  140-1  validated  encryption  methods.   This  level is required for
                      Windows clients (mstsc.exe) if the client's group policy enforces FIPS-compliance mode.

       fork=[true|false]
              If set to 1, true or yes for each incoming connection xrdp(8) forks a sub-process instead of using
              threads.

       hidelogwindow=[true|false]
              If set to 1, true or yes, xrdp will not show  a  window  for  log  messages.   If  not  specified,
              defaults to false.

       max_bpp=[8|15|16|24|32]
              Limit the color depth by specifying the maximum number of bits per pixel.  If not specified or set
              to 0, unlimited.

       pamerrortxt=error_text
              Specify additional text displayed to user if authentication fails. The maximum length is 256.

              The use of 'pam' in the name of this option is historic.

       port=port
              Specify  TCP  port  and interface to listen on for incoming connections.  Specifying only the port
              means that xrdp will listen on all interfaces.  The  default  port  for  RDP  is  3389.   Multiple
              address:port  instances  must  be separated by spaces or commas. Check the .ini file for examples.
              Specifying interfaces requires said interfaces to be UP before xrdp starts.

       enable_token_login=[true|false]
              If set to 1, true or yes, xrdp will scan the user name provided by the client for the ASCII field
              separator character (0x1F). It will then copy what follows the separator as the password
              supplied by the user and treat the connection as autologon. If not specified, defaults to false.

       domain_user_separator=separator
              If specified the domain name supplied by the client is  appended  to  the  username  separated  by
              separator.

       require_credentials=[true|false]
              If set to 1, true or yes, xrdp requires clients to include a username and password in the initial
              connection phase. In other words, xrdp doesn't allow clients to show the login screen if set to
              true.  It follows that an incorrect password will cause the login to fail immediately without
              displaying the login screen.  If not specified, defaults to false.

       security_layer=[tls|rdp|negotiate]
              Regulate security methods. If not specified, defaults to negotiate.

               tls    Enhanced RDP Security is used.  All  security  operations  (encryption,  decryption,  data
                      integrity verification, and server authentication) are implemented by TLS.

               rdp    Standard RDP Security, which is not safe from man-in-the-middle attacks, is used. The
                      encryption level of Standard RDP Security is controlled by crypt_level.

               negotiate
                      Negotiate these security methods with clients.

       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
              Enables the specified SSL/TLS protocols. Values should be separated by commas.  SSLv2 is always
              disabled. At least one protocol should be given to accept TLS connections.  This parameter is
              effective only if security_layer is set to tls or negotiate.

       tcp_keepalive=[true|false]
              Regulate  if  the  listening socket uses socket option SO_KEEPALIVE.  If set to 1, true or yes and
              the network connection disappears without closing messages, the connection will be closed.

       tcp_nodelay=[true|false]
              Regulate if the listening socket uses socket option TCP_NODELAY.  If set to 1,  true  or  yes,  no
              buffering will be performed in the TCP stack.

       tcp_send_buffer_bytes=buffer_size

       tcp_recv_buffer_bytes=buffer_size
              Specify send/recv buffer sizes in bytes.  The default value depends on the operating system. It is
              recommended not to set these on systems with dynamic TCP buffer sizing.

       tls_ciphers=cipher_suite
              Specifies the TLS cipher suite. The format of this parameter is the same as that accepted by the
              openssl(1) ciphers subcommand.

              (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')

              This parameter is effective only if security_layer is set to tls or negotiate.

       use_fastpath=[input|output|both|none]
              If not specified, defaults to none.

       black=000000

       grey=c0c0c0

       dark_grey=808080

       blue=0000ff

       dark_blue=00007f

       white=ffffff

       red=ff0000

       green=00ff00

       background=000000
              These  options  override  the colors used internally by xrdp(8) to draw the login and log windows.
              Colors are defined using a hexadecimal (hex) notation for the combination of Red, Green, and  Blue
              color values (RGB).  The lowest value that can be given to one of the light sources is 0 (hex 00).
              The highest value is 255 (hex FF).

       fv1_select=130:sans-18.fv1,0:sans-10.fv1
              Selects a default fv1 font.  This parameter is a comma-separated list of DPI:name pairs.  The list
              is  scanned  from  left-to-right. The font used is the first font whose DPI value is less-than-or-
              equal to the vertical DPI of the monitor used for the login screen.

       default_dpi=96
              Default DPI used for a monitor if the client does not send physical size information.
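
       The following Python sketch is an added example, not part of xrdp or of the original man page. It
       applies the rules stated above for security_layer, crypt_level and ssl_protocols, including which
       option is effective under which security_layer. The sample file and the list of protocol versions
       treated as legacy are assumptions of the example.

```python
import configparser

# Constructed sample: option names and values in mixed case on purpose.
SAMPLE = """\
[Globals]
Security_Layer=Negotiate
crypt_level=low
ssl_protocols=TLSv1, TLSv1.2, TLSv1.3
"""

# Policy of this example, not of xrdp: protocol versions treated as legacy.
LEGACY_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}


def audit_globals(ini_text):
    """Return findings for the transport-security options in [Globals]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)  # option names are lower-cased by configparser
    # Accepting any case for the section name is a choice of this example.
    name = next((s for s in cp.sections() if s.lower() == "globals"), None)
    g = {k: v.strip() for k, v in cp.items(name)} if name else {}

    findings = []
    layer = g.get("security_layer", "negotiate").lower()  # documented default
    if layer in ("rdp", "negotiate"):
        # crypt_level only takes effect when Standard RDP Security is reachable.
        findings.append(f"security_layer={layer}: Standard RDP Security, which "
                        "is not safe from man-in-the-middle attacks, can be used")
        if g.get("crypt_level", "").lower() == "low":
            findings.append("crypt_level=low: server-to-client traffic is "
                            "not encrypted")
    if layer in ("tls", "negotiate"):
        # ssl_protocols only takes effect when TLS is reachable.
        protos = [p.strip() for p in g.get("ssl_protocols", "").split(",")]
        legacy = [p for p in protos if p.lower() in LEGACY_PROTOCOLS]
        if legacy:
            findings.append("ssl_protocols enables " + ", ".join(legacy))
    return findings


if __name__ == "__main__":
    for finding in audit_globals(SAMPLE):
        print(finding)
```

       With security_layer=tls the same crypt_level=low line produces no finding, because the option is
       not effective in that mode.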

LOGGING

       The following parameters can be used in the [Logging] section:

       LogFile=/var/log/xrdp.log
              This option contains the path to the log file. It can be either absolute or relative. If set to
              <stdout>, the log will go to stdout. Use for debugging only.

       LogLevel=level
              This option can have one of the following values:

              CORE or 0 - Log only core messages. These messages are always logged, regardless of the logging
              level selected.

              ERROR or 1 - Log only error messages.

              WARNING, WARN or 2 - Logs warnings and error messages.

              INFO or 3 - Logs errors, warnings and informational messages.

              DEBUG or 4 - Log everything. If xrdp-sesman is compiled in debug mode, this option will output
              many more low-level messages, useful for developers.

       EnableSyslog=[true|false]
              If set to 1, true or yes this option enables logging to syslog. Otherwise syslog is disabled.

       SyslogLevel=level
              This option sets the logging level for syslog. It can have the same values as LogLevel. If
              SyslogLevel is greater than LogLevel, its value is lowered to that of LogLevel.

       EnableConsole=[true|false]
              If set to 1, true or yes, this option enables logging to the console (i.e. stdout).

       ConsoleLevel=level
              Logging level for the console. It can have the same values as LogLevel. Defaults to DEBUG.

       EnableProcessId=[true|false]
              If set to 1, true or yes, this option enables logging the process id in all log messages. Defaults
              to false.

CHANNELS

       The Remote Desktop Protocol supports several channels, which are used to transfer  additional  data  like
       sound,  clipboard  data  and  others.   Channel  names  not listed here will be blocked by xrdp.  Not all
       channels are supported in all cases, so setting a value to true is a prerequisite, but does not force its
       use.
       Channels can also be enabled or disabled on a  per  connection  basis  by  prefixing  each  setting  with
       channel. in the channel section.

       rdpdr=[true|false]
              If set to 1, true or yes using the RDP channel for device redirection is allowed.

       rdpsnd=[true|false]
              If set to 1, true or yes using the RDP channel for sound is allowed.

       drdynvc=[true|false]
              If  set to 1, true or yes using the RDP channel to initiate additional dynamic virtual channels is
              allowed.

       cliprdr=[true|false]
              If set to 1, true or yes using the RDP channel for clipboard redirection is allowed.

       rail=[true|false]
              If set to 1, true or yes using the RDP channel for remote applications integrated  locally  (RAIL)
              is allowed.

       xrdpvr=[true|false]
              If set to 1, true or yes using the RDP channel for XRDP Video streaming is allowed.

CONNECTIONS

       A connection section is made of a section name, enclosed in square brackets, and the following entries:

       name=<session name>
              The name displayed in xrdp(8) login window's combo box.

       lib=../vnc/libvnc.so
              Sets the library to be used with this connection.

       username=<username>|{base64}<base64-encoded-username>|ask
              Specifies the username used for authenticating in the connection.  If set to ask, user name should
              be provided in the login window.

              If the username includes comment symbols such as '#' or ';', the username can be provided in
              base64 form by prefixing it with "{base64}".

       password=<password>|{base64}<base64-encoded-password>|ask
              Specifies the password used for authenticating in the connection.  If set to ask, password  should
              be provided in the login window.

              Like username, this parameter can be provided in base64 form. See also examples below.

       ip=127.0.0.1
              Specifies the IP address of the host to connect to.

       port=<number>|-1
              Specifies  the port number to connect to. If set to -1, the default port for the specified library
              is used.

       xserverbpp=<number>
              Specifies color depth of the backend X server. The default is the color depth of the client.  Only
              Xvnc uses that setting. Xorg runs at 24 bpp.

       disabled_encodings_mask=<number>
              Set  this  bitmask  to  a non-zero value to prevent xrdp(8) requesting some features from the Xvnc
              server. You should only need to set this to  a non-zero value to work around  bugs  in  your  Xvnc
              server. The bit values supported for a particular release of xrdp(8) are documented in xrdp.ini.

       code=<number>|0
              Specifies the session type. The default, 0, is Xvnc, and 20 is Xorg with xorgxrdp modules.

       chansrvport=DISPLAY(n)|/path/to/domain-socket
              Asks xrdp to connect to a manually started xrdp-chansrv instance.  This can be useful if you wish
              to use xrdp to connect to a VNC session which has been started other than by xrdp-sesman,
              as you can then make use of xrdp-chansrv facilities in the VNC session.

              The  first  form  of  this  setting is recommended, replacing n with the X11 display number of the
              session.

EXAMPLES

       This is an example xrdp.ini:

       [Globals]
       bitmap_cache=true
       bitmap_compression=true

       [Xorg]
       name=Xorg
       lib=libxup.so
       username=ask
       password=ask
       ip=127.0.0.1
       port=-1
       code=20

       [vnc-any]
       name=vnc-any
       lib=libvnc.so
       ip=ask
       port=ask5900
       username=na
       password={base64}cGFzc3dvcmQhCg==
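
       The {base64} form described under CONNECTIONS is an encoding, so a password stored that way can be
       read back by anyone who can read xrdp.ini. The following Python sketch is an added example, not
       part of xrdp or of the original man page; it lists the connection sections that carry a fixed
       password. The sample is constructed from the example above, and treating every value that starts
       with "ask" as a prompt is an assumption.

```python
import base64
import configparser

# Constructed sample modelled on the EXAMPLES section of this page.
SAMPLE = """\
[Globals]
bitmap_cache=true

[Xorg]
name=Xorg
username=ask
password=ask

[vnc-any]
name=vnc-any
ip=ask
port=ask5900
username=na
password={base64}cGFzc3dvcmQhCg==
"""

NON_CONNECTION = {"globals", "logging", "channels"}  # sections named on this page
PREFIX = "{base64}"


def effective_value(raw):
    """Undo the {base64} wrapper; plain values are returned unchanged."""
    if raw.startswith(PREFIX):
        return base64.b64decode(raw[len(PREFIX):]).decode("utf-8", "replace")
    return raw


def stored_passwords(ini_text):
    """Map each connection section to the password fixed in the file, if any."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    found = {}
    for section in cp.sections():
        if section.lower() in NON_CONNECTION or not cp.has_option(section, "password"):
            continue
        raw = cp.get(section, "password").strip()
        # Assumption: any value starting with "ask" prompts in the login window,
        # by analogy with port=ask5900 in the page's example.
        if not raw.lower().startswith("ask"):
            found[section] = effective_value(raw)
    return found
```

       For the sample above the function reports only vnc-any, and the decoded value ends with a newline
       character that is part of the encoded data.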

FILES

       /etc/xrdp/xrdp.ini

SEE ALSO

       xrdp(8), xrdp-chansrv(8), xrdp-sesman(8), xrdp-sesrun(8), sesman.ini(5)

       For more info on xrdp see http://www.xrdp.org/

xrdp team                                            0.10.1                                          xrdp.ini(5)