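; xrdp.ini - main configuration file for the xrdp RDP server.
; Comment convention used in this file: ';' starts an explanatory comment,
; '#' marks a disabled setting that can be enabled by removing the '#'.
; NOTE(review): the @lib_extension@ tokens in the session sections look like
; build-time placeholders; an installed file would carry the real library
; suffix - confirm against the build system.

[Globals]
; xrdp.ini file version number
ini_version=1

; fork a new process for each incoming connection
fork=true

; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; separate multiple entries with a space
; ALL specified interfaces must be UP when xrdp starts, otherwise xrdp will fail to start
;
; Examples (setting, followed by the address it listens on):
;   port=3389
;   port=unix://./tmp/xrdp.socket
;   port=tcp://.:3389                            127.0.0.1:3389
;   port=tcp://:3389                             *:3389
;   port=tcp://<any ipv4 format addr>:3389       192.168.1.1:3389
;   port=tcp6://.:3389                           ::1:3389
;   port=tcp6://:3389                            *:3389
;   port=tcp6://{<any ipv6 format addr>}:3389    {FC00:0:0:0:0:0:0:1}:3389
;   port=vsock://<cid>:<port>
;
; NOTE: a bare port number exposes the login service on every interface.
; Where clients only arrive through a VPN, bastion or tunnel, bind to that
; address with one of the tcp:// forms above and filter the port at the
; host firewall as well.
port=3389

; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer the vsock://<cid>:<port> form above
use_vsock=false

; controls whether the listening socket uses socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true

; controls whether the listening socket uses socket option keepalive
; if the network connection disappears without close messages the connection will be closed
tcp_keepalive=true

; set tcp send/recv buffer (for experts)
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768

; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
;
; NOTE: 'rdp' is classic (standard) RDP security, which does not protect
; against man-in-the-middle. 'negotiate' still lets a client select it.
; Set 'tls' once every client in use supports TLS.
security_layer=negotiate

; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
;
; NOTE: this setting only governs classic RDP encryption; it does not
; strengthen sessions that use TLS.
crypt_level=high

; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
;
; NOTE: the example command produces a self-signed certificate, and -nodes
; writes the private key unencrypted. Keep key_file readable only by the
; account xrdp runs as. Prefer a certificate issued by a CA the clients
; trust, so users are not trained to accept certificate warnings.
; When both values are empty xrdp falls back to its built-in default
; certificate and key paths (see the xrdp.ini man page).
certificate=
key_file=

; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
;
; NOTE: SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996).
; Keep this list at TLSv1.2 and newer.
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites (OpenSSL cipher-list syntax)
#tls_ciphers=HIGH

; if set, the domain name is appended to the user name with this separator
; for authentication
; for example when the server is multi homed with SSSd
#domain_user_separator=@

; The following options will override the keyboard layout settings.
; These options are for DEBUG and are not recommended for regular use.
#xrdp.override_keyboard_type=0x04
#xrdp.override_keyboard_subtype=0x01
#xrdp.override_keylayout=0x00000409

; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=

allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
#require_credentials=true
; when true, the userid will be used to try to authenticate
#enable_token_login=true
; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url

;
; colors used by windows in RGB format
;
blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72

;
; configure login screen
;

; Login Screen Window Title
#ls_title=My Login Title

; top level window background color in RGB format
ls_top_window_bg_color=009cb5

; width and height of login screen
;
; The default height allows for about 5 fields to be comfortably displayed
; above the buttons at the bottom. To display more fields, make <ls_height>
; larger, and also increase <ls_btn_ok_y_pos> and <ls_btn_cancel_y_pos>
; below
;
ls_width=350
ls_height=430

; login screen background color in RGB format
ls_bg_color=dedede

; optional background image filename (bmp format).
#ls_background_image=

; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50

; for positioning labels such as username, password etc
ls_label_x_pos=30
ls_label_width=65

; for positioning text and combo boxes next to above labels
ls_input_x_pos=110
ls_input_width=210

; y pos for first label and combo box
ls_input_y_pos=220

; OK button
ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30

; Cancel button
ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30

[Logging]
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
; NOTE: EnableSyslog=true also hands records to syslog, which allows them
; to be forwarded to central log collection for monitoring.
LogFile=xrdp.log
LogLevel=INFO
EnableSyslog=true
#SyslogLevel=INFO
#EnableConsole=false
#ConsoleLevel=INFO
#EnableProcessId=false

[LoggingPerLogger]
; Note: per logger configuration is only used if xrdp is built with
; --enable-devel-logging
#xrdp.c=INFO
#main()=INFO

[Channels]
; Channel names not listed here will be blocked by XRDP.
; You can block any channel by setting its value to false.
; IMPORTANT! All channels are not supported in all use
; cases even if you set all values to true.
; You can override these settings on each session type
; These settings are only used if allow_channels=true
;
; NOTE: rdpdr (device and drive redirection) and cliprdr (clipboard) carry
; data between the client machine and the session. Set them to false where
; file or clipboard transfer must not be possible.
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true

; for debugging xrdp, in section xrdp1, change port=-1 to this:
#port=/tmp/.xrdp/xrdp_display_10


;
; Session types
;

; Some session types such as Xorg, X11rdp and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
[Xorg]
name=Xorg
lib=libxup.@lib_extension@
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20

[Xvnc]
name=Xvnc
lib=libvnc.@lib_extension@
username=ask
password=ask
ip=127.0.0.1
port=-1
#xserverbpp=24
#delay_ms=2000
; Disable requested encodings to support buggy VNC servers
; (1 = ExtendedDesktopSize)
#disabled_encodings_mask=0
; Use this to connect to a chansrv instance created outside of sesman
; (e.g. as part of an x11vnc console session). Replace '0' with the
; display number of the session
#chansrvport=DISPLAY(0)

; Generic VNC Proxy
; Tailor this to specific hosts and VNC instances by specifying an ip
; and port and setting a suitable name.
;
; NOTE: with ip=ask and port=ask5900 the person at the login screen chooses
; the target, so this host relays connections to addresses of their choosing,
; and the pam* lines below are disabled by default. On production hosts,
; remove this section, or fix ip and port to the intended servers and
; enable the pam* settings.
[vnc-any]
name=vnc-any
lib=libvnc.@lib_extension@
ip=ask
port=ask5900
username=na
password=ask
#pamusername=asksame
#pampassword=asksame
#pamsessionmng=127.0.0.1
#delay_ms=2000

; Generic RDP proxy using NeutrinoRDP
; Tailor this to specific hosts by specifying an ip and port and setting
; a suitable name.
;
; NOTE: as with the generic VNC proxy, ip=ask and port=ask3389 leave the
; target to the person connecting, and PAM authentication for proxy
; connections is disabled until the pam* lines are uncommented. Remove this
; section where it is not needed, or fix ip and port and enable PAM.
[neutrinordp-any]
name=neutrinordp-any
; To use this section, you should build xrdp with configure option
; --enable-neutrinordp.
lib=libxrdpneutrinordp.@lib_extension@
ip=ask
port=ask3389
username=ask
password=ask
; Uncomment the following lines to enable PAM authentication for proxy
; connections.
#pamusername=ask
#pampassword=ask
#pamsessionmng=127.0.0.1
; Currently NeutrinoRDP doesn't support dynamic resizing. Uncomment
; this line if you're using a client which does.
#enable_dynamic_resizing=false
; By default, performance settings requested by the RDP client are ignored
; and chosen by NeutrinoRDP. Uncomment this line to allow the user to
; select performance settings in the RDP client.
#perf.allow_client_experiencesettings=true
; Override any experience setting by uncommenting one or more of the
; following lines.
#perf.wallpaper=false
#perf.font_smoothing=false
#perf.desktop_composition=false
#perf.full_window_drag=false
#perf.menu_anims=false
#perf.themes=false
#perf.cursor_blink=false
; By default NeutrinoRDP supports cursor shadows. If this is giving
; you problems (e.g. cursor is a black rectangle) try disabling cursor
; shadows by uncommenting the following line.
#perf.cursor_shadow=false
; By default, NeutrinoRDP uses the keyboard layout of the remote RDP Server.
; If you want to tell the remote the keyboard layout of the RDP Client,
; do so by uncommenting the following line.
#neutrinordp.allow_client_keyboardLayout=true
; The following options will override the remote keyboard layout settings.
; These options are for DEBUG and are not recommended for regular use.
#neutrinordp.override_keyboardLayout_mask=0x0000FFFF
#neutrinordp.override_kbd_type=0x04
#neutrinordp.override_kbd_subtype=0x01
#neutrinordp.override_kbd_fn_keys=12
#neutrinordp.override_kbd_layout=0x00000409

; You can override the common channel settings for each session type
#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true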