; xrdp.ini - settings read by xrdp: listener and transport security in
; [Globals], logging in [Logging] / [LoggingPerLogger], virtual channel
; policy in [Channels], followed by one section per session type.
; Convention used in this file: ';' starts a descriptive comment, '#' marks
; a setting that is present but disabled.

[Globals]
; xrdp.ini file version number
ini_version=1

; fork a new process for each incoming connection
fork=true

; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; space between multiple occurrences
; ALL specified interfaces must be UP when xrdp starts, otherwise xrdp will fail to start
;
; Examples (right-hand column: the address the example listens on):
;   port=3389
;   port=unix://./tmp/xrdp.socket
;   port=tcp://.:3389                           127.0.0.1:3389
;   port=tcp://:3389                            *:3389
;   port=tcp://<any ipv4 format addr>:3389      192.168.1.1:3389
;   port=tcp6://.:3389                          ::1:3389
;   port=tcp6://:3389                           *:3389
;   port=tcp6://{<any ipv6 format addr>}:3389   {FC00:0:0:0:0:0:0:1}:3389
;   port=vsock://<cid>:<port>
;
; NOTE(review): the bare number below listens on every interface. Where the
; service should be reachable from one network only (or only through a local
; tunnel), use one of the address-bound forms above and restrict access at
; the firewall as well.
port=3389

; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer use vsock://<cid>:<port> above
use_vsock=false

; controls whether the listening socket uses the socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true

; controls whether the listening socket uses the socket option keepalive
; if the network connection disappears without close messages the connection will be closed
tcp_keepalive=true

; set tcp send/recv buffer (for experts)
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768

; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
; NOTE(review): 'negotiate' presumably lets a client that does not offer TLS
; end up on the classic 'rdp' layer. If every client in use supports TLS,
; 'tls' refuses such connections - confirm against the xrdp.ini man page.
security_layer=negotiate

; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
; With security_layer=negotiate this is the floor for clients that are
; served over classic RDP encryption; it does not configure TLS.
crypt_level=high

; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
; NOTE(review): the example command produces a self-signed certificate valid
; for 365 days, and -nodes leaves the private key unencrypted on disk, so
; key.pem should be readable only by the account xrdp runs as. Clients cannot
; verify a self-signed certificate unless they already trust it; a
; certificate from a CA the clients trust avoids that.
; Both values are empty here; presumably xrdp then falls back to default
; paths - TODO confirm which files are actually loaded.
certificate=
key_file=

; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
; NOTE(review): only TLSv1.2 and TLSv1.3 are enabled. SSLv3, TLSv1 and
; TLSv1.1 are accepted values but deprecated protocols; do not add them
; without a specific legacy-client requirement.
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites
; NOTE(review): 'HIGH' looks like an OpenSSL cipher-list string - confirm the
; expected syntax before enabling.
#tls_ciphers=HIGH

; if set, the domain name is concatenated to the user name with this
; separator for authentication
; for example when the server is multi homed with SSSd
#domain_user_separator=@

; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=

; allow_channels gates the [Channels] section: that section states its
; settings are only used if allow_channels=true.
allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
#require_credentials=true
; when true, the userid will be used to try to authenticate
#enable_token_login=true
; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url

;
; colors used by windows in RGB format
;
; Values are six hex digits (RRGGBB). 'blue' is set here and appears again
; below as a disabled alternative value.
blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72

;
; configure login screen
;

; Login Screen Window Title
#ls_title=My Login Title

; top level window background color in RGB format
ls_top_window_bg_color=009cb5

; width and height of login screen
ls_width=350
ls_height=430

; login screen background color in RGB format
ls_bg_color=dedede

; optional background image filename (bmp format).
#ls_background_image=

; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50

; for positioning labels such as username, password etc
ls_label_x_pos=30
ls_label_width=65

; for positioning text and combo boxes next to above labels
ls_input_x_pos=110
ls_input_width=210

; y pos for first label and combo box
ls_input_y_pos=220

; OK button
ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30

; Cancel button
ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30

[Logging]
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
; NOTE(review): LogFile is a relative name; the directory it resolves to is
; not shown in this file. With EnableSyslog=true messages presumably also go
; to syslog, which allows forwarding connection and login events to central
; log collection. debug and trace are likely to record more session detail
; than is wanted in production - confirm before raising the level.
LogFile=xrdp.log
LogLevel=INFO
EnableSyslog=true
#SyslogLevel=INFO
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[LoggingPerLogger]
; Note: per logger configuration is only used in XRDP_DEBUG builds of XRDP.
#xrdp.c=INFO
#main()=INFO

[Channels]
; Channel names not listed here will be blocked by XRDP.
; You can block any channel by setting its value to false.
; IMPORTANT! All channels are not supported in all use
; cases even if you set all values to true.
; You can override these settings on each session type
; These settings are only used if allow_channels=true
;
; NOTE(review): the names look like the standard RDP virtual channels:
; rdpdr (device/drive redirection), rdpsnd (audio), drdynvc (dynamic virtual
; channels), cliprdr (clipboard), rail (remote applications). rdpdr and
; cliprdr move files and clipboard contents between the client and the
; session; set them to false where data transfer into or out of the session
; is not permitted. xrdpvr and tcutils are not described in this file.
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true

; for debugging xrdp, in section xrdp1, change port=-1 to this:
#port=/tmp/.xrdp/xrdp_display_10


;
; Session types
;

; Some session types such as Xorg, X11rdp and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
; Session type sections. Each one names a backend module (lib=) and the
; connection parameters handed to it.
; NOTE(review): @lib_extension@ looks like a build-time placeholder that has
; to be substituted (presumably with the platform's shared-library suffix)
; before xrdp reads this file - confirm.
; NOTE(review): a value of 'ask' presumably makes the login screen prompt for
; that field, and a number after 'ask' (ask5900, ask3389) looks like the
; pre-filled default - confirm against the xrdp.ini man page.

; Local Xorg session: connects to 127.0.0.1; port=-1 is a special value whose
; meaning is not defined in this file.
[Xorg]
name=Xorg
lib=libxup.@lib_extension@
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20

; Local Xvnc session on 127.0.0.1.
[Xvnc]
name=Xvnc
lib=libvnc.@lib_extension@
username=ask
password=ask
ip=127.0.0.1
port=-1
#xserverbpp=24
#delay_ms=2000
; Disable requested encodings to support buggy VNC servers
; (1 = ExtendedDesktopSize)
#disabled_encodings_mask=0
; Use this to connect to a chansrv instance created outside of sesman
; (e.g. as part of an x11vnc console session). Replace '0' with the
; display number of the session
#chansrvport=DISPLAY(0)

; NOTE(review): here the destination host and port are supplied by the
; connecting user (ip=ask, port=ask5900), so this section presumably lets the
; xrdp host open VNC connections to any host it can reach. Remove the
; section, or restrict outbound traffic from the xrdp host, if that gateway
; behaviour is not intended. The disabled pam* keys appear to add a PAM
; login in front of it - confirm before relying on them.
[vnc-any]
name=vnc-any
lib=libvnc.@lib_extension@
ip=ask
port=ask5900
username=na
password=ask
#pamusername=asksame
#pampassword=asksame
#pamsessionmng=127.0.0.1
#delay_ms=2000

; NOTE(review): as with [vnc-any], the target is chosen by the connecting
; user (ip=ask, port=ask3389); the same gateway consideration applies to
; onward RDP connections.
[neutrinordp-any]
name=neutrinordp-any
lib=libxrdpneutrinordp.@lib_extension@
ip=ask
port=ask3389
username=ask
password=ask
; Currently NeutrinoRDP doesn't support dynamic resizing. Uncomment
; this line if you're using a client which does.
#enable_dynamic_resizing=false

; You can override the common channel settings for each session type
; A per-session 'channel.<name>=false' is the place to turn off a channel
; such as clipboard or drive redirection for one session type only.
#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true