7.7.  Client configuration storage

7.7.1.  Overview and Parameters

The ThinLinc client does not use Hiveconf for its configuration. Instead, the Linux and macOS clients uses a plain text format with key/value pairs and the Windows client stores the values in the Windows registry.

Note

The configuration parameters should seldom be edited by hand. For a system wide configuration, create a parameter set using the client and copy it to the system wide file.

Configuration Parameters Used by the ThinLinc Client

Both the Windows and the Linux version of the ThinLinc client use the same names for their configuration parameters, although the storage technique used is different (text files vs. registry keys). In this section we will list the parameters and explain their possible values.

ALLOW_HOSTKEY_UPDATE

Set to 1 if SSH host key updates should be allowed. This parameter cannot be changed from the GUI. The result of setting ALLOW_HOSTKEY_UPDATE to 0 is that the client cannot connect to the server if the host key is wrong. This enhances security if there is a risk for a man in the middle attack.

AUTHENTICATION_METHOD

This parameter can be set to "password", "publickey", "scpublickey" or "kerberos" to select the authentication mode used by the client.

AUTOLOGIN

If this parameter is set to 1, the client will automatically login at start, using the server name, user name and password specified in the configuration storage.

CERTIFICATE

Specifies the smart card certificate to use when authenticating.

CERTIFICATE_NAMING

Controls how the client presents a certificate to the user. The parameter consists of a comma separated list of naming tokens that represent bits of information from each card or certificate. Possible tokens:

card_label

The label specified on the smart card.

pin_label

The label associated with the PIN protecting this certificate.

subject_*

A field from the subject in the certificate. Can for example be the common name by specifying subject_cn or subject_commonName. Any registered object identifier descriptor can be used (see IANA for a full list).

issuer_*

A field from the issuer in the certificate, in the same manner as for subject_*.

The client will use as many of the tokens as necessary to give each certificate a unique name. That means that certificates on two different cards can be presented with a different number of tokens depending on how much the information between the certificates overlap. An index number will be added to the name if the names are still not unique when all tokens are used.

CUSTOM_COMPRESSION

Set to 1 if a custom compression method is selected.

CUSTOM_COMPRESSION_LEVEL

The selected compression level. An integer between 1 and 9.

DISPLAY_MODE

The display mode. Can be set to values "SIMPLE" and "ADVANCED", or be left empty. In the latter case, the default behaviour is to use simple mode if a server name is given as a parameter and advanced mode otherwise.

FULL_SCREEN_MODE

Set to 1 if the client should run in fullscreen mode.

FULL_SCREEN_ALL_MONITORS

Set to 1 if the client should use all monitors in full screen mode, instead of just the current monitor.

HOST_ALIASES

This parameter specifies a list of hostname and port translations. This translation list is consulted whenever the client is about to initiate a network connection. This includes the SSH connection to the ThinLinc agent machine. The syntax for this parameter is:

[fromhost][:fromport]=[tohost][:toport] ...

If fromhost is omitted, the translation will apply to all hosts. The same principle is used for ports. If tohost or toport is omitted, the original host or port will be used. Multiple translations are separated with whitespace. The translation stops as soon as one match is found.

JPEG_COMPRESSION

Set to 1 if JPEG compression is wanted.

JPEG_COMPRESSION_LEVEL

The wanted compression level.

KILL_EXISTING_SESSIONS

Set to 1 if existing sessions should be ended.

Note

It makes little sense to change this value. The client never saves this setting.

LOGIN_NAME

The username.

LOWERCASE_LOGIN_NAME

Set to 1 if the client should convert the entered username to lowercase before logging into the server. This affects both the login user name and the name of the user to shadow (if applicable).

NEW_PASSWORD_REGEXP

This parameter specifies a regular expression. If an interactive SSH prompt matches this expression, the response is taken as a new password. The new password will be used for the SSH connection to the agent machine. It will also be sent to the server to enable Single Sign-On.

NFS_EXPORTS

A list of local drive paths and permissions. The syntax for this parameter is:

[path1],[permissions1],[path2],[permissions2] ...

As seen above, each path should be followed by the desired permissions disabled(not exported), ro(read only) or rw(read and write). See Section 7.4.1, “ Options tab ” for their meaning. This list specifies local drives to be exported.

NFS_ROOT_WARNING

Set to 1 to enable a warning if running as root and exporting local drives.

NFS_SERVER_ENABLED

Set to 1 if local drives should be exported.

OPTIONS_POPUP_KEY

Key code for key to activate option pop-up menu.

PASSWORD

This parameter allows you to specify a password in the configuration file. It must be specified using a hexadecimal ASCII notation, which means that every character is specified by its hexadecimal value.

Warning

The password value is not encrypted. It should be treated as a clear text password. Avoid storing configuration files with a PASSWORD parameter on disk or transmit such files over networks without encryption.

PKCS11_MODULE

Specifies the PKCS#11 module that will be used to communicate with the smart card. The path can be relative the base prefix of the ThinLinc client or an absolute path.

PRINTER_ENABLED

Set to 1 if local printers should be enabled.

PRINTER_SELECTION

Set to 1 if the local printer selection dialog should be displayed on every print on Windows and macOS clients. Otherwise printing jobs will be sent to the default local printer.

PRIVATE_KEY

This parameter specifies the path to the private key to be used to authenticate the user.

RECONNECT_POLICY

This parameter can be set to "single-disconnected" or "ask" to control the client's reconnect policy. See Section 7.4.1, “ Options tab ” for their meaning.

REMOTE_RESIZE

Set to 1 if the client should resize the remote session when the local window changes.

REMOVE_CONFIGURATION

If 1, the user configuration file (or the file specified by -C) will be removed after the client has started. Settings changed in the GUI will not be stored to disk. If the client fails to remove the file, it will try to truncate it instead.

SCREEN_SIZE_SELECTION

The default size of the ThinLinc session. Possible values:

  • 0 for 640x480

  • 1 for 800x600

  • 2 for 1024x768

  • 3 for 1280x1024

  • 4 for 1600x1200

  • 5 for Current monitor

  • 6 for Work area (maximized)

  • 7 for Custom screen size, set using the SCREEN_X_SIZE and SCREEN_Y_SIZE parameters.

  • 8 for All available monitors

SCREEN_X_SIZE

Custom width of session, if SCREEN_SIZE_SELECTION is set to 7.

SCREEN_Y_SIZE

Custom height of session, if SCREEN_SIZE_SELECTION is set to 7.

SEND_SYSKEYS

Set to 1 if the client should send system keys (like Alt+Tab) to the remote system when in full screen mode.

SERIAL1_DAEMON_DEVICE

The path to the first local serial port device to be exported.

SERIAL1_PORT_ENABLED

Set to 1 if the first local serial port should be exported.

SERIAL2_DAEMON_DEVICE

The path to the second local serial port device to be exported.

SERIAL2_PORT_ENABLED

Set to 1 if the second local serial port should be exported.

SERIAL_PORTS_ENABLED

Set to 1 if local serial ports should be exported.

SERVER_NAME

The hostname or IP of the ThinLinc server. When using ThinLinc in a cluster setup this should be the hostname or IP of the Master server machine.

SHADOWING_ENABLED

Set to 1 if shadowing should be enabled.

SHADOW_NAME

The username of the user who's session should be shadowed.

SMARTCARD_AUTOCONNECT

Set to 1 if the client should automatically attempt a connection when a smart card with a suitable certificate is found, this will only work if SMARTCARD_SUBJECT_AS_NAME also is set to 1.

SMARTCARD_DISCONNECT

Set to 1 if the client should disconnect automatically when the smart card used for authentication is removed.

SMARTCARD_EXPORT_ENABLED

Set to 1 if local smartcard readers should be exported.

SMARTCARD_FILTER_n

This is a item list of certificate filters replace n with a sequence number that defined the order of the filter in the list.

The filter string consists of three fields where each field is sperated using a | (pipe), the defined three fields are: name, attributes and key usage which are documented below. Here follows an example of a filter string showing its format:

SMARTCARD_FILTER_1=Telia|o=TeliaSonera|5

name

The name of the filter which will be displayed in the list of filters defined in the user interface.

attributes

This field holds a comma separated list of certificate attributes that is used when matching against available certificates, for example O=TeliaSonera.

key usage

Key usage is a bitmask value used to match against a certificate's key usage flags. It indicates the intended usage of the certificate, such as identification, signing etc.

Use this to match certificates that is intended to be used for logon. For example, identification certificates will be matched using a value of 5, digital signature + key encipherment = 5. The values are described in the following table:

   1  digital signature
   2  non-repudiation
   4  key encipherment
   8  data enciperment
  16  key agreement
  32  certificate signing
  64  CRL signing
 128  enchiper only
 256  decipher only

SMARTCARD_PASSPHRASE_SSO

Set to 1 if the client should transmit the smart card passphrase to the ThinLinc server to enable smart card single sign-on. See Section 7.4.5, “ Security tab ” for security implications.

SMARTCARD_SUBJECT_AS_NAME

Set to 1 if the certificate subject should be used as logon name, this will hide the name field from login window.

SOUND_ENABLED

Set to 1 if sound redirection should be enabled.

SOUND_SYSTEM

Which local sound system to use. Only used on platforms that have multiple sound systems to choose from. Possible values:

AUTO

Automatically choose the most appropriate sound system of those available.

PULSE

Use the local PulseAudio server as determined by X11 properties or environment variables.

ALSA

Use the default ALSA device.

OSS

Use the default OSS device.

SSH_ARBITRARY

Custom port number for ThinLinc connection.

SSH_COMPRESSION

Set to 1 to use the compression built into SSH.

SSH_PORT_SELECTION

Port selection for ThinLinc connection. Possible values:

  • 0 for port 22 (standard ssh port).

  • 1 for port 80.

  • 2 for custom port set in the SSH_ARBITRARY parameter.

START_PROGRAM_COMMAND

Specifies the command to use when starting the session, if START_PROGRAM_ENABLED is active.

START_PROGRAM_ENABLED

Specifies if the client should request that the server starts the session with the command supplied by the client.

UPDATE_ENABLED

Set to 1 to enable periodic checks for new versions.

UPDATE_INTERVAL

This parameter specifies the time interval, in seconds, between client update checks.

UPDATE_LASTCHECK

This parameter specifies the time that the last update check was performed.

UPDATE_MANDATORY

If set to 1, updating to new client versions is mandatory.

UPDATE_URL

The HTTP URL to client update configuration file.

VNC_AUTOSELECT

Set to 1 to dymanically autoselect the compression algorithm during the session.

VNC_COLOR_LEVEL

The color level used for the session.

VNC_ENCODING_SELECTION

The encoding to use for VNC. Possible values:

  • 0 for Raw

  • 5 for Hextile

  • 7 for Tight

  • 16 for ZRLE

YESNO_PROMPT_REGEXP

This parameter specifies a regular expression. If an interactive SSH prompt matches this expression, a graphical yes/no dialog will be presented, instead of a dialog for text input. Additionally, if the prompt is known to the client, an alternate text will be used. The dialog buttons Yes and No will send "yes" and "no" to the server, respectively.

7.7.2.  Configuration Parameter Storage

Configuration parameters are typically stored in text based configuration files. The format is simple: Each parameter is written on one line, followed by an equal sign (=) and the value of the parameter, as in the following example:

SOUND_ENABLED = 0
SERVER_NAME = demo.thinlinc.com

By using the -C option, additional configuration files can be specified. Any name is accepted, but the file extension .tlclient is recommended. The Windows, Linux, and macOS packages configures the system to automatically recognize such files as configuration files for the ThinLinc Client. Additionally, the Internet Media Type "application-vnd.cendio.thinlinc.clientconf" is linked to such configuration files.

7.7.2.1.  Linux Client Configuration Files

The Linux client first reads the file /opt/thinlinc/etc/tlclient.conf, if it exists. It then reads the file .thinlinc/tlclient.conf in the user's home directory, and the values there override the values from /opt/thinlinc/etc/tlclient.conf. This way, a system administrator can set global defaults for client operations, while each user can still customize the client to wanted behavior.

7.7.2.2.  macOS Client Configuration Files

The macOS client first reads the file /Library/Application Support/ThinLinc Client/tlclient.conf if it exists. It then reads the .thinlinc/tlclient.conf in the user's home directory, and the values there overrides the values from /Library/Application Support/ThinLinc Client/tlclient.conf. This way, a system administrator can set global defaults for client operations, while each user can still customize the client to wanted behavior.

7.7.2.3.  Windows Client Configuration

On Windows, the ThinLinc client reads its configuration from the registry. All ThinLinc client data is stored under Software\Cendio\ThinLinc\tlclient in the HKLM and HKCU hives. The parameter names are the same as for the Linux client.

The behaviour of global and user-specific settings are identical to that of the Linux client, where settings in HKLM correspond to /opt/thinlinc/etc/tlclient.conf and those in HKCU correspond to .thinlinc/tlclient.conf.

7.7.3.  Adding Custom Branding to the ThinLinc Client Login Window

It is possible to add a custom logo to the main ThinLinc client window, making it easily distinguishable from a generic client. The custom logo will be placed to the right of the input fields.

Adding the logo is easy. The new logo must be a PNG file with maximum width and height of 50 pixels. On Windows, just add the file branding.png in the same directory as the executable with the custom logo. On Linux, the file name is /opt/thinlinc/lib/tlclient/branding.png.