diff options
Diffstat (limited to 'docs/man/xrdp.ini.5.in')
| -rw-r--r-- | docs/man/xrdp.ini.5.in | 331 |
1 files changed, 331 insertions, 0 deletions
diff --git a/docs/man/xrdp.ini.5.in b/docs/man/xrdp.ini.5.in new file mode 100644 index 00000000..779633ca --- /dev/null +++ b/docs/man/xrdp.ini.5.in @@ -0,0 +1,331 @@ +.TH "xrdp.ini" "5" "@PACKAGE_VERSION@" "xrdp team" "" +.SH "NAME" +\fBxrdp.ini\fR \- Configuration file for \fBxrdp\fR(8) + +.SH "DESCRIPTION" +This is the man page for \fBxrdp.ini\fR, \fBxrdp\fR(8) configuration file. +It is composed by a number of sections, each one composed by a section name, enclosed by square brackets, followed by a list of \fI<parameter>\fR=\fI<value>\fR lines. + +\fBxrdp.ini\fR supports the following sections: + +.TP +\fB[Globals]\fP \- sets some global configuration settings for \fBxrdp\fR(8). + +.TP +\fB[Logging]\fP \- logging subsystem parameters + +.TP +\fB[Channels]\fP \- channel subsystem parameters + +.LP +All options and values (except for file names and paths) are case insensitive, and are described in detail below. + +.SH "GLOBALS" +The options to be specified in the \fB[Globals]\fR section are the following: + +.TP +\fBaddress\fP=\fIip address\fP +Specify xrdp listening address. If not specified, defaults to 0.0.0.0 (all interfaces). + +.TP +\fBautorun\fP=\fIsession_name\fP +Section name for automatic login. If set and the client supplies valid +username and password, the user will be logged in automatically using the +connection specified by \fIsession_name\fP. + +If \fIsession_name\fP is empty, the \fBLOGIN DOMAIN\fR from the client +with be used to select the section. If no domain name is supplied, the +first suitable section will be used for automatic login. + +.TP +\fBbitmap_cache\fR=\fI[true|false]\fR +If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables bitmap caching in \fBxrdp\fR(8). + +.TP +\fBbitmap_compression\fR=\fI[true|false]\fR +If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables bitmap compression in \fBxrdp\fR(8). + +.TP +\fBbulk_compression\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables compression of bulk data in \fBxrdp\fR(8). + +.TP +\fBcertificate\fP=\fI/path/to/certificate\fP +.TP +\fBkey_file\fP=\fI/path/to/private_key\fP +Set location of TLS certificate and private key. They must be written in PEM format. +If not specified, defaults to \fB${XRDP_CFG_DIR}/cert.pem\fP, \fB${XRDP_CFG_DIR}/key.pem\fP. + +This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP. + +.TP +\fBchannel_code\fP=\fI[true|false]\fP +If set to \fB0\fR, \fBfalse\fR or \fBno\fR this option disables all channels \fBxrdp\fR(8). +See section \fBCHANNELS\fP below for more fine grained options. + +.TP +\fBcrypt_level\fP=\fI[low|medium|high|fips]\fP +.\" <http://blogs.msdn.com/b/openspecification/archive/2011/12/08/encryption-negotiation-in-rdp-connection.aspx> +Regulate encryption level of Standard RDP Security. +This parameter is effective only if \fBsecurity_layer\fP is set to \fBrdp\fP or \fBnegotiate\fP. + +Encryption in Standard RDP Security is controlled by two settings: \fIEncryption Level\fP +and \fIEncryption Method\fP. The only supported \fIEncryption Method\fP are \fB40BIT_ENCRYPTION\fP +and \fB128BIT_ENCRYPTION\fP. \fB56BIT_ENCRYPTION\fP is not supported. +This option controls the \fIEncryption Level\fP: +.RS 8 +.TP +.B low +All data sent from the client to the server is protected by encryption based on +the maximum key strength supported by the client. +.I This is the only level that the traffic sent by the server to client is not encrypted. +.TP +.B medium +All data sent between the client and the server is protected by encryption based on +the maximum key strength supported by the client (client compatible). +.TP +.B high +All data sent between the client and the server is protected by encryption based on +the server's maximum key strength (sever compatible). +.TP +.B fips +All data sent between the client and server is protected using Federal Information +Processing Standard 140-1 validated encryption methods. +.I This level is required for Windows clients (mstsc.exe) if the client's group policy +.I enforces FIPS-compliance mode. +.RE + +.TP +\fBdisableSSLv3\fP=\fI[true|false]\fP +If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP will not accept SSLv3 connections. +If not specified, defaults to \fBfalse\fP. +This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP. + +.TP +\fBfork\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR for each incoming connection \fBxrdp\fR(8) forks a sub-process instead of using threads. + +.TP +\fBhidelogwindow\fP=\fI[true|false]\fP +If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP will not show a window for log messages. +If not specified, defaults to \fBfalse\fP. + +.TP +\fBmax_bpp\fP=\fI[8|15|16|24|32]\fP +Limit the color depth by specifying the maximum number of bits per pixel. +If not specified or set to \fB0\fP, unlimited. + +.TP +\fBpamerrortxt\fP=\fIerror_text\fP +Specify text passed to PAM when authentication failed. The maximum length is \fB256\fP. + +.TP +\fBport\fP=\fIport\fP +Specify TCP port to listen on for incoming connections. +The default for RDP is \fB3389\fP. + +.TP +\fBrequire_credentials\fP=\fI[true|false]\fP +If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients to include username and +password initial connection phase. In other words, xrdp doesn't allow clients to show login +screen if set to true. If not specified, defaults to \fBfalse\fP. + +.TP +\fBsecurity_layer\fP=\fI[tls|rdp|negotiate]\fP +Regulate security methods. If not specified, defaults to \fBnegotiate\fP. +.RS 8 +.TP +.B tls +Enhanced RDP Security is used. All security operations (encryption, decryption, data integrity +verification, and server authentication) are implemented by TLS. + +.TP +.B rdp +Standard RDP Security, which is not safe from man-in-the-middle attack, is used. The encryption level +of Standard RDP Security is controlled by \fBcrypt_level\fP. + +.TP +.B negotiate +Negotiate these security methods with clients. +.RE + +.TP +\fBtcp_keepalive\fP=\fI[true|false]\fP +Regulate if the listening socket uses socket option \fBSO_KEEPALIVE\fP. +If set to \fB1\fP, \fBtrue\fP or \fByes\fP and the network connection disappears +without closing messages, the connection will be closed. + +.TP +\fBtcp_nodelay\fP=\fI[true|false]\fP +Regulate if the listening socket uses socket option \fBTCP_NODELAY\fP. +If set to \fB1\fP, \fBtrue\fP or \fByes\fP, no buffering will be performed in the TCP stack. + +.TP +\fBtcp_send_buffer_bytes\fP=\fIbuffer_size\fP +.TP +\fBtcp_recv_buffer_bytes\fP=\fIbuffer_size\fP +Specify send/recv buffer sizes in bytes. The default value depends on operating system. + +.TP +\fBtls_ciphers\fP=\fIcipher_suite\fP +Specifies TLS cipher suite. The format of this parameter is equivalent to which +\fBopenssl\fP(1) ciphers subcommand accepts. + +(ex. $ openssl ciphers 'HIGH:!ADH:!SHA1') + +This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP. + +.TP +\fBuse_fastpath\fP=\fI[input|output|both|none]\fP +If not specified, defaults to \fBnone\fP. + +.TP +\fBblack\fP=\fI000000\fP +.TP +\fBgrey\fP=\fIc0c0c0\fP +.TP +\fBdark_grey\fP=\fI808080\fP +.TP +\fBblue\fP=\fI0000ff\fP +.TP +\fBdark_blue\fP=\fI00007f\fP +.TP +\fBwhite\fP=\fIffffff\fP +.TP +\fBred\fP=\fIff0000\fP +.TP +\fBgreen\fP=\fI00ff00\fP +.TP +\fBbackground\fP=\fI000000\fP +These options override the colors used internally by \fBxrdp\fP(8) to draw the login and log windows. +Colors are defined using a hexadecimal (hex) notation for the combination of Red, Green, and Blue color values (RGB). +The lowest value that can be given to one of the light sources is 0 (hex 00). +The highest value is 255 (hex FF). + +.SH "LOGGING" +The following parameters can be used in the \fB[Logging]\fR section: + +.TP +\fBLogFile\fR=\fI${SESMAN_LOG_DIR}/sesman.log\fR +This options contains the path to logfile. It can be either absolute or relative, and the default is \fI${SESMAN_LOG_DIR}/sesman.log\fR + +.TP +\fBLogLevel\fR=\fIlevel\fR +This option can have one of the following values: + +\fBCORE\fR or \fB0\fR \- Log only core messages. these messages are _always_ logged, regardless the logging level selected. + +\fBERROR\fR or \fB1\fR \- Log only error messages + +\fBWARNING\fR, \fBWARN\fR or \fB2\fR \- Logs warnings and error messages + +\fBINFO\fR or \fB3\fR \- Logs errors, warnings and informational messages + +\fBDEBUG\fR or \fB4\fR \- Log everything. If \fBsesman\fR is compiled in debug mode, this options will output many more low\-level message, useful for developers + +.TP +\fBEnableSyslog\fR=\fI[true|false]\fR +If set to \fB1\fR, \fBtrue\fR or \fByes\fR this option enables logging to syslog. Otherwise syslog is disabled. + +.TP +\fBSyslogLevel\fR=\fIlevel\fR +This option sets the logging level for syslog. It can have the same values of \fBLogLevel\fR. If \fBSyslogLevel\fR is greater than \fBLogLevel\fR, its value is lowered to that of \fBLogLevel\fR. + +.SH "CHANNELS" +The Remote Desktop Protocol supports several channels, which are used to transfer additional data like sound, clipboard data and others. +Channel names not listed here will be blocked by \fBxrdp\fP. +Not all channels are supported in all cases, so setting a value to \fItrue\fP is a prerequisite, but does not force its use. +.br +Channels can also be enabled or disabled on a per connection basis by prefixing each setting with \fBchannel.\fP in the channel section. + +.TP +\fBrdpdr\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR using the RDP channel for device redirection is allowed. + +.TP +\fBrdpsnd\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR using the RDP channel for sound is allowed. + +.TP +\fBdrdynvc\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR using the RDP channel to initiate additional dynamic virtual channels is allowed. + +.TP +\fBcliprdr\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR using the RDP channel for clipboard redirection is allowed. + +.TP +\fBrail\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR using the RDP channel for remote applications integrated locally (RAIL) is allowed. + +.TP +\fBxrdpvr\fP=\fI[true|false]\fP +If set to \fB1\fR, \fBtrue\fR or \fByes\fR using the RDP channel for XRDP Video streaming is allowed. + +.SH "CONNECTIONS" +A connection section is made of a section name, enclosed in square brackets, and the following entries: + +.TP +\fBname\fR=\fI<session name>\fR +The name displayed in \fBxrdp\fR(8) login window's combo box. + +.TP +\fBlib\fR=\fI../vnc/libvnc.so\fR +Sets the library to be used with this connection. + +.TP +\fBusername\fR=\fI<username>\fR|\fIask\fR +Specifies the username used for authenticating in the connection. +If set to \fIask\fR, user name should be provided in the login window. + +.TP +\fBpassword\fR=\fI<password>\fR|\fIask\fR +Specifies the password used for authenticating in the connection. +If set to \fIask\fR, password should be provided in the login window. + +.TP +\fBip\fR=\fI127.0.0.1\fR +Specifies the ip address of the host to connect to. + +.TP +\fBport\fR=\fI<number>\fR|\fI\-1\fR +Specifies the port number to connect to. If set to \fI\-1\fR, the default port for the specified library is used. + +.TP +\fBxserverbpp\fR=\fI<number>\fR +Specifies color depth of the backend X server. The default is the color +depth of the client. Only Xvnc and X11rdp use that setting. Xorg runs at +\fI24\fR bpp. + +.TP +\fBcode\fR=\fI<number>\fR|\fI0\fR +Specifies the session type. The default, \fI0\fR, is Xvnc, \fI10\fR is +X11rdp, and \fI20\fR is Xorg with xorgxrdp modules. + +.SH "EXAMPLES" +This is an example \fBxrdp.ini\fR: + +.nf +[Globals] +bitmap_cache=true +bitmap_compression=true + +[vnc1] +name=sesman +lib=../vnc/libvnc.so +username=ask +password=ask +ip=127.0.0.1 +port=\-1 +.fi + +.SH "FILES" +${XRDP_CFG_DIR}/xrdp.ini + +.SH "SEE ALSO" +.BR xrdp (8), +.BR sesman (8), +.BR sesrun (8), +.BR sesman.ini (5) + +for more info on \fBxrdp\fR see http://www.xrdp.org/ |