1SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8) 2 3NAME 4 sftp-server M-bM-^@M-^S SFTP server subsystem 5 6SYNOPSIS 7 sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level] 8 [-P blacklisted_requests] [-p whitelisted_requests] 9 [-u umask] 10 sftp-server -Q protocol_feature 11 12DESCRIPTION 13 sftp-server is a program that speaks the server side of SFTP protocol to 14 stdout and expects client requests from stdin. sftp-server is not 15 intended to be called directly, but from sshd(8) using the Subsystem 16 option. 17 18 Command-line flags to sftp-server should be specified in the Subsystem 19 declaration. See sshd_config(5) for more information. 20 21 Valid options are: 22 23 -d start_directory 24 specifies an alternate starting directory for users. The 25 pathname may contain the following tokens that are expanded at 26 runtime: %% is replaced by a literal '%', %d is replaced by the 27 home directory of the user being authenticated, and %u is 28 replaced by the username of that user. The default is to use the 29 user's home directory. This option is useful in conjunction with 30 the sshd_config(5) ChrootDirectory option. 31 32 -e Causes sftp-server to print logging information to stderr instead 33 of syslog for debugging. 34 35 -f log_facility 36 Specifies the facility code that is used when logging messages 37 from sftp-server. The possible values are: DAEMON, USER, AUTH, 38 LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 39 The default is AUTH. 40 41 -h Displays sftp-server usage information. 42 43 -l log_level 44 Specifies which messages will be logged by sftp-server. The 45 possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, 46 DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions 47 that sftp-server performs on behalf of the client. DEBUG and 48 DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher 49 levels of debugging output. The default is ERROR. 50 51 -P blacklisted_requests 52 Specify a comma-separated list of SFTP protocol requests that are 53 banned by the server. sftp-server will reply to any blacklisted 54 request with a failure. The -Q flag can be used to determine the 55 supported request types. If both a blacklist and a whitelist are 56 specified, then the blacklist is applied before the whitelist. 57 58 -p whitelisted_requests 59 Specify a comma-separated list of SFTP protocol requests that are 60 permitted by the server. All request types that are not on the 61 whitelist will be logged and replied to with a failure message. 62 63 Care must be taken when using this feature to ensure that 64 requests made implicitly by SFTP clients are permitted. 65 66 -Q protocol_feature 67 Query protocol features supported by sftp-server. At present the 68 only feature that may be queried is M-bM-^@M-^\requestsM-bM-^@M-^], which may be used 69 for black or whitelisting (flags -P and -p respectively). 70 71 -R Places this instance of sftp-server into a read-only mode. 72 Attempts to open files for writing, as well as other operations 73 that change the state of the filesystem, will be denied. 74 75 -u umask 76 Sets an explicit umask(2) to be applied to newly-created files 77 and directories, instead of the user's default mask. 78 79 On some systems, sftp-server must be able to access /dev/log for logging 80 to work, and use of sftp-server in a chroot configuration therefore 81 requires that syslogd(8) establish a logging socket inside the chroot 82 directory. 83 84SEE ALSO 85 sftp(1), ssh(1), sshd_config(5), sshd(8) 86 87 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- 88 filexfer-02.txt, October 2001, work in progress material. 89 90HISTORY 91 sftp-server first appeared in OpenBSD 2.8. 92 93AUTHORS 94 Markus Friedl <markus@openbsd.org> 95 96OpenBSD 6.0 December 11, 2014 OpenBSD 6.0 97