FreeBSD Manual Pages

xrdp.ini(5)                                                        xrdp.ini(5)

NAME
       xrdp.ini - Configuration file for xrdp(8)

DESCRIPTION
       This is the man page for xrdp.ini, the xrdp(8) configuration file.  It
       is composed of a number of sections, each consisting of a section name,
       enclosed in square brackets, followed by a list of <parameter>=<value>
       lines.

       xrdp.ini supports the following sections:

       [Globals] - sets some global configuration settings for xrdp(8).

       [Logging] - logging subsystem parameters

       [Channels] - channel subsystem parameters

       All options and values (except for file names and paths) are case
       insensitive, and are described in detail below.

GLOBALS
       The options to be specified in the [Globals] section are the following:

       port=port_specification [ port_specification ... ]
              Specify the port(s) that xrdp should listen on.  More
              instructions and examples can be found within xrdp.ini itself.

       instance_name=<arbitrary-string>
              Specify an arbitrary name for the xrdp instance that can be used
              to identify sessions that this xrdp instance started, or which
              were spun up with the same name using xrdp-sesrun.  When using
              the N policy in sesman.ini these sessions are kept distinct and
              can be reconnected to by connecting to the respective xrdp
              instance.

       vmconnect=[true|false]
              (Hyper-V VMs only).  Enables wider support of security protocols
              when a virtual machine running xrdp is hosted on Hyper-V, and
              the user connects to it via the vmms service on TCP port 2179.
              In this configuration, RDP security is handled by the vmms
              service, so security features which are not yet added to xrdp
              itself can be supported.

              This parameter is required in environments which do not support
              'classic' RDP encryption.

              The parameter is ignored for connections which are not made to
              the virtual machine over the vsock transport.

       autorun=session_name
              Section name for automatic login.  If set and the client
              supplies a valid username and password, the user will be logged
              in automatically using the connection specified by
              session_name.

              If session_name is empty, the LOGIN DOMAIN from the client will
              be used to select the section.  If no domain name is supplied,
              the first suitable section will be used for automatic login.

       bitmap_cache=[true|false]
              If set to 1, true or yes this option enables bitmap caching in
              xrdp(8).

       bitmap_compression=[true|false]
              If set to 1, true or yes this option enables bitmap compression
              in xrdp(8).

       bulk_compression=[true|false]
              If set to 1, true or yes this option enables compression of bulk
              data in xrdp(8).

       certificate=/path/to/certificate

       key_file=/path/to/private_key
              Set the location of the TLS certificate and private key.  They
              must be written in PEM format.  If not specified, defaults to
              /usr/local/etc/xrdp-devel/cert.pem and
              /usr/local/etc/xrdp-devel/key.pem.

              This parameter is effective only if security_layer is set to tls
              or negotiate.

       tls_pms_log_file=<path-to-log-file>
              Logs TLS pre-master secrets to the specified file.  This allows
              packet capture tools (e.g. Wireshark) to decrypt captured PDUs.

              The file must be writeable by xrdp and readable by the packet
              capture tool.  A good way to achieve this is to create a
              temporary directory with permissions 2750 owned by the user
              running xrdp, and in the group used by the packet sniffer.

              SETTING THIS OPTION IS A SECURITY RISK.  ONLY SET THIS OPTION FOR
              DEBUGGING COMMUNICATIONS BETWEEN XRDP AND A CLIENT.
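
              The following is an added example, not part of xrdp, that checks
              whether the directory chosen for tls_pms_log_file matches the
              2750 layout described above (owned by the xrdp runtime user,
              group set to the capture tool's group, no access for others,
              setgid so new files inherit the group).  The function names,
              message texts and the temporary demo directory are this
              example's own assumptions; the stat-field logic is separated
              from the filesystem call so it can be exercised on constructed
              modes.

```python
"""Check that the directory holding a tls_pms_log_file is locked down the way
this page recommends: mode 2750, owned by the xrdp runtime user, group set to
the packet-capture tool's group.  Added example; not part of xrdp.  Function
names, message texts and the demo directory are this example's own.
"""
import os
import stat
import tempfile

RECOMMENDED_MODE = 0o2750  # setgid + rwxr-x---: xrdp writes, capture group reads


def dir_mode(perm):
    """st_mode value for a directory with permission bits perm (test helper)."""
    return stat.S_IFDIR | perm


def file_mode(perm):
    """st_mode value for a regular file with permission bits perm (test helper)."""
    return stat.S_IFREG | perm


def pms_dir_problems(st_mode, st_uid, st_gid, xrdp_uid, capture_gid):
    """Return a list of problems with a directory's stat() metadata.

    Pure function over the stat fields, so it can be exercised without
    touching the filesystem.  An empty list means the layout matches the
    2750 recommendation.
    """
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append("not a directory")
    perm = stat.S_IMODE(st_mode)  # permission bits incl. setuid/setgid/sticky
    if perm & stat.S_IRWXO:
        problems.append("world-accessible (mode %o); others must have no access" % perm)
    if perm & stat.S_IWGRP:
        problems.append("group-writable (mode %o); the capture group only needs read" % perm)
    if not (perm & stat.S_IRGRP and perm & stat.S_IXGRP):
        problems.append("capture group cannot read the directory (mode %o)" % perm)
    if not perm & stat.S_ISGID:
        problems.append("setgid bit missing; new log files will not inherit the capture group")
    if st_uid != xrdp_uid:
        problems.append("owner uid %d is not the xrdp runtime user (uid %d)" % (st_uid, xrdp_uid))
    if st_gid != capture_gid:
        problems.append("group gid %d is not the capture tool's group (gid %d)" % (st_gid, capture_gid))
    return problems


def check_pms_dir(path, xrdp_uid, capture_gid):
    """stat() the directory that will hold the pre-master-secret log and check it."""
    st = os.stat(path)
    return pms_dir_problems(st.st_mode, st.st_uid, st.st_gid, xrdp_uid, capture_gid)


def demo():
    """Constructed scenario: a temporary directory owned by the current user
    stands in for the xrdp runtime user; its own group stands in for the
    capture tool's group.  Returns the findings before and after applying
    the recommended mode."""
    with tempfile.TemporaryDirectory() as d:
        st = os.stat(d)
        os.chmod(d, 0o700)
        before = check_pms_dir(d, st.st_uid, st.st_gid)
        os.chmod(d, RECOMMENDED_MODE)
        after = check_pms_dir(d, st.st_uid, st.st_gid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 0700:", before or "ok")
    print("mode 2750:", after or "ok")
```

              Run it against the real directory with the uid of runtime_user
              and the gid of the capture tool's group; anything it reports is
              a reason the secrets file would be either unwritable by xrdp or
              readable by more than the intended group.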

       channel_code=[true|false]
              If set to 0, false or no this option disables all channels in
              xrdp(8).  See section CHANNELS below for more fine grained
              options.

       crypt_level=[low|medium|high|fips]
              Regulate the encryption level of Classic RDP Security.  This
              parameter is effective only if security_layer is set to rdp or
              negotiate.

              Encryption in Classic RDP Security is controlled by two
              settings: Encryption Level and Encryption Method.  The only
              supported Encryption Methods are 40BIT_ENCRYPTION and
              128BIT_ENCRYPTION.  56BIT_ENCRYPTION is not supported.  This
              option controls the Encryption Level:

               low    All data sent from the client to the server is protected
                      by encryption based on the maximum key strength
                      supported by the client.  This is the only level at
                      which the traffic sent by the server to the client is
                      not encrypted.

               medium All data sent between the client and the server is
                      protected by encryption based on the maximum key
                      strength supported by the client (client compatible).

               high   All data sent between the client and the server is
                      protected by encryption based on the server's maximum
                      key strength (server compatible).

               fips   All data sent between the client and server is protected
                      using Federal Information Processing Standard 140-1
                      validated encryption methods.  Note that FIPS 140-1 is
                      no longer considered secure.  This level is required for
                      Windows clients (mstsc.exe) if the client's group policy
                      enforces FIPS-compliance mode.

       fork=[true|false]
              If set to 1, true or yes, for each incoming connection xrdp(8)
              forks a sub-process instead of using threads.

       hidelogwindow=[true|false]
              If set to 1, true or yes, xrdp will not show a window for log
              messages.  If not specified, defaults to false.

       max_bpp=[8|15|16|24|32]
              Limit the color depth by specifying the maximum number of bits
              per pixel.  If not specified or set to 0, unlimited.

       pamerrortxt=error_text
              Specify additional text displayed to the user if authentication
              fails.  The maximum length is 256.

              The use of 'pam' in the name of this option is historic.

       port=port
              Specify the TCP port and interface to listen on for incoming
              connections.  Specifying only the port means that xrdp will
              listen on all interfaces.  The default port for RDP is 3389.
              Multiple address:port instances must be separated by spaces or
              commas.  Check the .ini file for examples.  Specifying
              interfaces requires said interfaces to be UP before xrdp starts.

       runtime_user=username

       runtime_group=groupname
              User name and group to run the xrdp daemon under.

              After xrdp starts, it sets its UID and GID to values derived
              from these settings, so that it is running without system
              privilege.

              The runtime_group MUST be set to the same value as
              SessionSockdirGroup in sesman.ini if you want to run sessions.

              A suitable user and group can be added with a command like this
              (Linux):

              useradd xrdp -d / -c 'xrdp daemon' -s /usr/sbin/nologin

              In order to establish secure connections, the xrdp daemon needs
              permission to access sensitive cryptographic files.  After
              changing either or both of these values, check that xrdp has
              access to the required files by running this script:

              /usr/local/share/xrdp/xrdp-chkpriv

       enable_token_login=[true|false]
              If set to 1, true or yes, xrdp will scan the user name provided
              by the client for the ASCII field separator character (0x1F).
              It will then copy over what is after the separator as the
              password supplied by the user and treat it as autologon.  If
              not specified, defaults to false.

       domain_user_separator=separator
              If specified, the domain name supplied by the client is appended
              to the username, separated by separator.

       require_credentials=[true|false]
              If set to 1, true or yes, xrdp requires clients to include the
              username and password in the initial connection phase.  In
              other words, xrdp doesn't allow clients to show the login screen
              if set to true.  It follows that an incorrect password will
              cause the login to immediately fail without displaying the login
              screen.  If not specified, defaults to false.

       security_layer=[tls|rdp|negotiate]
              Regulate security methods.  If not specified, defaults to
              negotiate.

               tls    Enhanced RDP Security is used.  All security operations
                      (encryption, decryption, data integrity verification,
                      and server authentication) are implemented by TLS.

               rdp    Classic RDP Security is used.  The encryption level of
                      Classic RDP Security is controlled by crypt_level.  Use
                      this setting for testing only.

               negotiate
                      Negotiate these security methods with clients.

       ssl_protocols=[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
              Enables the specified SSL/TLS protocols.  Each value should be
              separated by a comma.  SSLv2 is always disabled.  At least one
              protocol should be given to accept TLS connections.  This
              parameter is effective only if security_layer is set to tls or
              negotiate.

       tcp_keepalive=[true|false]
              Regulate if the listening socket uses the socket option
              SO_KEEPALIVE.  If set to 1, true or yes and the network
              connection disappears without closing messages, the connection
              will be closed.

       tcp_nodelay=[true|false]
              Regulate if the listening socket uses the socket option
              TCP_NODELAY.  If set to 1, true or yes, no buffering will be
              performed in the TCP stack.

       tcp_send_buffer_bytes=buffer_size

       tcp_recv_buffer_bytes=buffer_size
              Specify send/recv buffer sizes in bytes.  The default value
              depends on the operating system.  It is recommended not to set
              these on systems with dynamic TCP buffer sizing.

       tls_ciphers=cipher_suite
              Specifies the TLS cipher suite.  The format of this parameter is
              equivalent to what the openssl(1) ciphers subcommand accepts.

              (ex. $ openssl ciphers 'HIGH:!ADH:!SHA1')

              This parameter is effective only if security_layer is set to tls
              or negotiate.
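
              The security-relevant [Globals] options above interact: the
              security_layer value decides whether crypt_level or the TLS
              options (ssl_protocols, tls_ciphers, certificate, key_file)
              apply, tls_pms_log_file is a debugging-only risk, and
              require_credentials / enable_token_login change how credentials
              arrive.  The following added example (not xrdp code) audits a
              [Globals] section given as a plain dict and reports findings
              based only on the rules this page states.  The severity labels,
              function names and the two constructed configurations are this
              example's own.

```python
"""Audit the security settings of an xrdp.ini [Globals] section.

Added example, not part of xrdp.  Input is the section as a plain dict with
keys as written in the file; matching is case-insensitive as the page says
(paths keep their case).  Severity labels are this example's own.
"""

TRUE_VALUES = {"1", "true", "yes"}
OLD_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}
PATH_OPTIONS = ("certificate", "key_file", "tls_pms_log_file")


def _norm(section):
    """Lower-case option names and non-path values for case-insensitive lookup."""
    out = {}
    for key, value in section.items():
        key = key.strip().lower()
        value = value.strip()
        if key not in PATH_OPTIONS:
            value = value.lower()
        out[key] = value
    return out


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_globals(section):
    """Return a list of findings, most serious first within each rule group."""
    g = _norm(section)
    findings = []

    layer = g.get("security_layer", "negotiate")  # page: default is negotiate
    if layer == "rdp":
        findings.append("HIGH: security_layer=rdp uses Classic RDP Security only; "
                        "the page marks this setting as testing-only")

    if layer in ("rdp", "negotiate"):
        level = g.get("crypt_level", "")
        if level == "low":
            findings.append("HIGH: crypt_level=low leaves server-to-client traffic unencrypted")
        elif level == "fips":
            findings.append("INFO: crypt_level=fips uses FIPS 140-1 methods, which the page "
                            "notes are no longer considered secure")

    if layer in ("tls", "negotiate"):
        protos = [p.strip() for p in g.get("ssl_protocols", "").split(",") if p.strip()]
        if not protos:
            findings.append("HIGH: ssl_protocols not set or empty; at least one protocol "
                            "must be given to accept TLS connections")
        for proto in protos:
            if proto in OLD_PROTOCOLS:
                findings.append("MEDIUM: ssl_protocols enables %s, a legacy protocol" % proto)
        if "tls_ciphers" not in g:
            findings.append("INFO: tls_ciphers not set; the OpenSSL default list will be used")
        for key in ("certificate", "key_file"):
            if key not in g:
                findings.append("INFO: %s not set; the built-in default path applies" % key)
    elif "tls_ciphers" in g or "ssl_protocols" in g:
        findings.append("INFO: tls_ciphers/ssl_protocols have no effect when security_layer=rdp")

    if g.get("tls_pms_log_file"):
        findings.append("HIGH: tls_pms_log_file is set; TLS pre-master secrets are written to "
                        "%s, remove this after debugging" % g["tls_pms_log_file"])

    if not is_true(g.get("require_credentials")):
        findings.append("INFO: require_credentials is off; clients reach the login screen "
                        "without sending credentials first")
    if is_true(g.get("enable_token_login")):
        findings.append("INFO: enable_token_login is on; a 0x1F-separated password inside "
                        "the user name field triggers autologon")
    return findings


# Constructed configurations for the demonstration below.
WEAK_GLOBALS = {
    "security_layer": "rdp",
    "crypt_level": "low",
    "tls_pms_log_file": "/tmp/xrdp-pms.log",
}
HARDENED_GLOBALS = {
    "security_layer": "tls",
    "ssl_protocols": "TLSv1.2, TLSv1.3",
    "tls_ciphers": "HIGH:!ADH:!SHA1",
    "certificate": "/usr/local/etc/xrdp-devel/cert.pem",
    "key_file": "/usr/local/etc/xrdp-devel/key.pem",
    "require_credentials": "yes",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_GLOBALS), ("hardened", HARDENED_GLOBALS)):
        print(name + ":")
        for line in audit_globals(cfg) or ["  no findings"]:
            print("  " + line)
```

              The audit deliberately treats a missing security_layer as
              negotiate and checks both the Classic and the TLS rule groups in
              that case, because with negotiate the client, not the server,
              picks which of the two paths is used.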

       use_fastpath=[input|output|both|none]
	      If not specified,	defaults to none.

       black=000000

       grey=c0c0c0

       dark_grey=808080

       blue=0000ff

       dark_blue=00007f

       white=ffffff

       red=ff0000

       green=00ff00

       background=000000
              These options override the colors used internally by xrdp(8) to
              draw the login and log windows.  Colors are defined using
              hexadecimal (hex) notation for the combination of Red, Green,
              and Blue color values (RGB).  The lowest value that can be given
              to one of the light sources is 0 (hex 00).  The highest value is
              255 (hex FF).

       fv1_select=130:sans-18.fv1,0:sans-10.fv1
              Selects a default fv1 font.  This parameter is a comma-separated
              list of DPI:name pairs.  The list is scanned from left to right.
              The font used is the first font whose DPI value is less than or
              equal to the vertical DPI of the monitor used for the login
              screen.

       default_dpi=96
              Default DPI used for a monitor if the client does not send
              physical size information.

LOGGING
       The following parameters can be used in the [Logging] section:

       LogFile=/var/log/xrdp.log
              This option contains the path to the logfile.  It can be either
              absolute or relative.  If set to <stdout>, log output will go to
              stdout.  Use for debugging only.

       LogLevel=level
              This option can have one of the following values:

              CORE or 0 - Log only core messages.  These messages are _always_
              logged, regardless of the logging level selected.

              ERROR or 1 - Log only error messages.

              WARNING, WARN or 2 - Log warnings and error messages.

              INFO or 3 - Log errors, warnings and informational messages.

              DEBUG or 4 - Log everything.  If xrdp-sesman is compiled in
              debug mode, this option will output many more low-level
              messages, useful for developers.

       EnableSyslog=[true|false]
              If set to 1, true or yes this option enables logging to syslog.
              Otherwise syslog is disabled.

       SyslogLevel=level
              This option sets the logging level for syslog.  It can have the
              same values as LogLevel.  If SyslogLevel is greater than
              LogLevel, its value is lowered to that of LogLevel.

       EnableConsole=[true|false]
              If set to 1, true or yes, this option enables logging to the
              console (i.e. stdout).

       ConsoleLevel=level
              Logging level for the console.  It can have the same values as
              LogLevel.  Defaults to DEBUG.

       EnableProcessId=[true|false]
              If set to 1, true or yes, this option enables logging the
              process id in all log messages.  Defaults to false.

CHANNELS
       The Remote Desktop Protocol supports several channels, which are used
       to transfer additional data like sound, clipboard data and others.
       Channel names not listed here will be blocked by xrdp.  Not all
       channels are supported in all cases, so setting a value to true is a
       prerequisite, but does not force its use.

       Channels can also be enabled or disabled on a per connection basis by
       prefixing each setting with channel. in the connection section.

       rdpdr=[true|false]
              If set to 1, true or yes, using the RDP channel for device
              redirection is allowed.

       rdpsnd=[true|false]
              If set to 1, true or yes, using the RDP channel for sound is
              allowed.

       drdynvc=[true|false]
              If set to 1, true or yes, using the RDP channel to initiate
              additional dynamic virtual channels is allowed.

       cliprdr=[true|false]
              If set to 1, true or yes, using the RDP channel for clipboard
              redirection is allowed.

       rail=[true|false]
              If set to 1, true or yes, using the RDP channel for remote
              applications integrated locally (RAIL) is allowed.

       xrdpvr=[true|false]
              If set to 1, true or yes, using the RDP channel for XRDP video
              streaming is allowed.
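
              Three rules decide whether a connection may use a channel:
              channel_code=false in [Globals] disables everything, the
              [Channels] section lists what is allowed, and a connection
              section may override a single channel with a channel.-prefixed
              key.  The following added example (not xrdp code) resolves the
              effective set for one connection from those three inputs.  It
              assumes, beyond what the page states, that a channel absent from
              [Channels] is not allowed; the function names and the
              constructed sections are this example's own.

```python
"""Resolve which RDP channels one connection section may use.

Added example, not xrdp's own code.  Applies the rules this page gives:
[Globals] channel_code=false disables every channel; [Channels] says which
named channels are allowed; a connection section may override a channel with
a "channel."-prefixed key.  Assumption beyond the page: a channel missing
from [Channels] is treated as not allowed.
"""

KNOWN_CHANNELS = ("rdpdr", "rdpsnd", "drdynvc", "cliprdr", "rail", "xrdpvr")
TRUE_VALUES = {"1", "true", "yes"}


def to_bool(value, default):
    """Parse the 1/true/yes form described throughout this page."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def effective_channels(globals_section, channels_section, connection_section):
    """Return {channel_name: allowed} for one connection.

    Sections are plain dicts; keys are compared case-insensitively as the
    page says for option names.
    """
    g = {k.strip().lower(): v for k, v in globals_section.items()}
    c = {k.strip().lower(): v for k, v in channels_section.items()}
    s = {k.strip().lower(): v for k, v in connection_section.items()}

    # channel_code defaults to enabled; "0, false or no" turns all channels off.
    if not to_bool(g.get("channel_code"), True):
        return {name: False for name in KNOWN_CHANNELS}

    result = {}
    for name in KNOWN_CHANNELS:
        allowed = to_bool(c.get(name), False)        # [Channels] baseline
        override = s.get("channel." + name)          # per-connection override
        if override is not None:
            allowed = to_bool(override, False)
        result[name] = allowed
    return result


def requested_but_blocked(requested, effective):
    """Channel names a client asks for that this configuration will not serve.

    Names outside KNOWN_CHANNELS are reported too, since the page says
    unlisted channel names are blocked.
    """
    return sorted(n for n in requested if not effective.get(n.strip().lower(), False))


# Constructed sample sections for the demonstration below.
SAMPLE_GLOBALS = {"channel_code": "true"}
SAMPLE_CHANNELS = {"rdpdr": "true", "cliprdr": "true", "rdpsnd": "false"}
SAMPLE_CONNECTION = {"name": "Xorg", "lib": "libxup.so", "channel.rdpdr": "false"}

if __name__ == "__main__":
    eff = effective_channels(SAMPLE_GLOBALS, SAMPLE_CHANNELS, SAMPLE_CONNECTION)
    for name, allowed in eff.items():
        print("%-8s %s" % (name, "allowed" if allowed else "blocked"))
    print("blocked:", requested_but_blocked(["cliprdr", "rdpdr", "echo"], eff))
```

              requested_but_blocked is the defender's view: compare what a
              client announced against the resolved policy to see which
              requests (device redirection, clipboard, dynamic channels) the
              configuration will refuse for that connection.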

CONNECTIONS
       A connection section is made of a section name, enclosed in square
       brackets, and the following entries:

       name=<session name>
              The name displayed in the xrdp(8) login window's combo box.

       lib=../vnc/libvnc.so
              Sets the library to be used with this connection.

       username=<username>|{base64}<base64-encoded-username>|ask
              Specifies the username used for authenticating in the
              connection.  If set to ask, the user name should be provided in
              the login window.

              If the username includes comment-out symbols such as '#' or
              ';', the username can be provided in base64 form prefixed with
              "{base64}".

       password=<password>|{base64}<base64-encoded-password>|ask
              Specifies the password used for authenticating in the
              connection.  If set to ask, the password should be provided in
              the login window.

              This parameter can be provided in base64 form as well, like the
              username.  See also the examples below.
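
              The following added example (not xrdp's own parser) reads the
              file layout given in DESCRIPTION ([section] headers,
              parameter=value lines, case-insensitive option names) and
              resolves the username/password forms above, decoding the
              {base64} prefix and leaving ask alone.  Assumptions beyond the
              page: a line whose first non-blank character is '#' or ';' is a
              comment (the reason the page gives for base64 values), values
              are kept verbatim otherwise, and decoded credentials are UTF-8.
              The function names and the constructed sample file are this
              example's own.

```python
"""Minimal reader for the xrdp.ini layout described on this page, plus the
{base64} credential form used in connection sections.

Added example, not xrdp's own code.  Assumptions: lines starting with '#' or
';' are comments; option names are case-insensitive, values are kept as
written; {base64} values decode to UTF-8 text.
"""
import base64

B64_PREFIX = "{base64}"


def parse_xrdp_ini(text):
    """Return {section_name: {option_lower: value}}.

    Section names keep their case because connection section names are what
    xrdp shows in the login window; option names are lower-cased.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("line %d: option before any [section]" % lineno)
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("line %d: expected parameter=value" % lineno)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def decode_value(value):
    """Resolve a username/password value: 'ask' and plain text are returned
    as-is; a {base64} value is decoded strictly so a corrupted value fails
    loudly instead of silently becoming a wrong credential."""
    if value.startswith(B64_PREFIX):
        raw = base64.b64decode(value[len(B64_PREFIX):], validate=True)
        return raw.decode("utf-8")
    return value


def encode_value(plain):
    """Produce the {base64} form for a value containing '#' or ';'."""
    return B64_PREFIX + base64.b64encode(plain.encode("utf-8")).decode("ascii")


def credentials(sections, name):
    """(username, password) for one connection section, both decoded."""
    section = sections[name]
    return (decode_value(section.get("username", "ask")),
            decode_value(section.get("password", "ask")))


def stored_credentials(sections):
    """Connection sections that carry a stored password (anything but 'ask').

    Base64 is encoding, not encryption, so these sections hold a secret that
    the file's permissions must protect.
    """
    return sorted(name for name, opts in sections.items()
                  if "password" in opts and opts["password"].strip().lower() != "ask")


# Constructed sample mirroring the EXAMPLES section of this page.
SAMPLE_INI = """\
# constructed sample, not a real deployment
[Globals]
Bitmap_Cache=true
security_layer=tls

[vnc-any]
name=vnc-any
lib=libvnc.so
ip=ask
port=ask5900
; 'user#one' would be cut off at '#' if written plainly, hence base64
username={base64}dXNlciNvbmU=
password={base64}cGFzc3dvcmQhCg==
"""

if __name__ == "__main__":
    cfg = parse_xrdp_ini(SAMPLE_INI)
    user, pw = credentials(cfg, "vnc-any")
    print("username:", repr(user))
    print("password:", repr(pw))
    print("sections with stored passwords:", stored_credentials(cfg))
    print("encoded:", encode_value("a;b#c"))
```

              The password in the page's own example,
              {base64}cGFzc3dvcmQhCg==, decodes to "password!" followed by a
              newline, which is what `echo` without -n produces when piped into
              a base64 encoder; decoding stored values this way is a quick check
              that the credential xrdp will send is the one intended.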

       ip=127.0.0.1
              Specifies the IP address of the host to connect to.

       port=<number>|-1
              Specifies the port number to connect to.  If set to -1, the
              default port for the specified library is used.

       xserverbpp=<number>
              Specifies the color depth of the backend X server.  The default
              is the color depth of the client.  Only Xvnc uses that setting.
              Xorg runs at 24 bpp.

       disabled_encodings_mask=<number>
              Set this bitmask to a non-zero value to prevent xrdp(8)
              requesting some features from the Xvnc server.  You should only
              need to set this to a non-zero value to work around bugs in your
              Xvnc server.  The bit values supported for a particular release
              of xrdp(8) are documented in xrdp.ini.

       code=<number>|0
              Specifies the session type.  0 is Xvnc over TCP, 1 is Xvnc over
              a UNIX domain socket, and 20 is Xorg with xorgxrdp modules.  The
              default is 0 on non-FIPS systems, and 1 on FIPS systems.

       chansrvport=DISPLAY(n)|DISPLAY(n,u)|/path/to/domain-socket
              Asks xrdp to connect to a manually started xrdp-chansrv
              instance.  This can be useful if you wish to use xrdp to connect
              to a VNC session which has been started other than by
              xrdp-sesman, as you can then make use of xrdp-chansrv
              facilities in the VNC session.

              Either the first or second form of this setting is recommended.
              Replace n with the X11 display number of the session, and (if
              applicable) u with the numeric ID of the session.  The second
              form is only required if xrdp is unable to determine the session
              uid from the other values in the connection block.

              If you use this setting, you must also set SessionSockdirGroup
              in sesman.ini to be the same as runtime_group in this file.
              This is necessary to give xrdp the privilege to connect to
              xrdp-chansrv.

       keycode_set=<string>
              [Xorg only] Asks for the specified keycode set to be used by the
              X server.  Normally "evdev" or "base".  The default should be
              correct for your system.

       h264_frame_interval=<integer>
              [Xorg only] Specify the frame capture interval for H.264
              captures in milliseconds.

       rfx_frame_interval=<integer>
              [Xorg only] Specify the frame capture interval for RemoteFX
              captures in milliseconds.

       normal_frame_interval=<integer>
              [Xorg only] Specify the frame capture interval for normal
              captures in milliseconds.

EXAMPLES
       This is an example xrdp.ini:

       [Globals]
       bitmap_cache=true
       bitmap_compression=true

       [Xorg]
       name=Xorg
       lib=libxup.so
       username=ask
       password=ask
       ip=127.0.0.1
       port=-1
       code=20
       h264_frame_interval=16
       rfx_frame_interval=32
       normal_frame_interval=40

       [vnc-any]
       name=vnc-any
       lib=libvnc.so
       ip=ask
       port=ask5900
       username=na
       password={base64}cGFzc3dvcmQhCg==

FILES
       /usr/local/etc/xrdp-devel/xrdp.ini

SEE ALSO
       xrdp(8), xrdp-chansrv(8), xrdp-sesman(8), xrdp-sesrun(8), sesman.ini(5)

       For more info on xrdp see <http://www.xrdp.org/>

xrdp team                  0.10.80.b20260203-4d9dde8               xrdp.ini(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=xrdp.ini&sektion=5&manpath=FreeBSD+Ports+15.1.quarterly>