SFTP-SERVER(8)          OpenBSD System Manager's Manual         SFTP-SERVER(8)

NAME
     sftp-server - SFTP server subsystem

SYNOPSIS
     sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
                 [-P blacklisted_requests] [-p whitelisted_requests]
                 [-u umask]
     sftp-server -Q protocol_feature

DESCRIPTION
     sftp-server is a program that speaks the server side of the SFTP
     protocol to stdout and expects client requests from stdin.  sftp-server
     is not intended to be called directly, but from sshd(8) using the
     Subsystem option.

     Command-line flags to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -d start_directory
             Specifies an alternate starting directory for users.  The
             pathname may contain the following tokens that are expanded at
             runtime: %% is replaced by a literal '%', %h is replaced by the
             home directory of the user being authenticated, and %u is
             replaced by the username of that user.  The default is to use the
             user's home directory.  This option is useful in conjunction with
             the sshd_config(5) ChrootDirectory option.

     -e      Causes sftp-server to print logging information to stderr instead
             of syslog for debugging.

     -f log_facility
             Specifies the facility code that is used when logging messages
             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
             The default is AUTH.

     -h      Displays sftp-server usage information.

     -l log_level
             Specifies which messages will be logged by sftp-server.  The
             possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
             DEBUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions
             that sftp-server performs on behalf of the client.  DEBUG and
             DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify higher
             levels of debugging output.  The default is ERROR.

     -P blacklisted_requests
             Specify a comma-separated list of SFTP protocol requests that are
             banned by the server.  sftp-server will reply to any blacklisted
             request with a failure.  The -Q flag can be used to determine the
             supported request types.  If both a blacklist and a whitelist are
             specified, then the blacklist is applied before the whitelist.

     -p whitelisted_requests
             Specify a comma-separated list of SFTP protocol requests that are
             permitted by the server.  All request types that are not on the
             whitelist will be logged and replied to with a failure message.

             Care must be taken when using this feature to ensure that
             requests made implicitly by SFTP clients are permitted.

     -Q protocol_feature
             Query protocol features supported by sftp-server.  At present the
             only feature that may be queried is "requests", which may be
             used for black or whitelisting (flags -P and -p respectively).

     -R      Places this instance of sftp-server into a read-only mode.
             Attempts to open files for writing, as well as other operations
             that change the state of the filesystem, will be denied.

     -u umask
             Sets an explicit umask(2) to be applied to newly-created files
             and directories, instead of the user's default mask.

     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.
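
     The following is an added example, not part of the original manual or
     of OpenSSH: it reads the flags from a Subsystem declaration and checks
     them against the -l, -P and -p semantics described above.  The binary
     path, the sample configuration and the set of "implicit" client requests
     are assumptions; the request names are those printed by
     sftp-server -Q requests.

```python
import shlex

# Constructed sshd_config fragment: the binary path and option values are assumptions.
SSHD_CONFIG = """\
# SFTP subsystem with request filtering
Subsystem sftp /usr/libexec/sftp-server -P remove -p realpath,opendir,readdir,close,open,read,remove
"""
# Log levels in the order the page lists them; INFO and above record transactions.
LEVELS = ["QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"]
# Requests a client commonly sends on its own, e.g. at startup or for a listing (assumption).
IMPLICIT = {"realpath", "lstat", "stat", "opendir", "readdir", "close"}

def subsystem_flags(config_text):
    """Return {flag: value} from the 'Subsystem sftp' line, getopt style."""
    flags = {}
    for line in config_text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 3 or words[0].lower() != "subsystem" or words[1] != "sftp":
            continue
        argv, i = words[3:], 0
        while i < len(argv) and argv[i].startswith("-") and len(argv[i]) > 1:
            opt, i = argv[i][1:], i + 1
            for pos, ch in enumerate(opt):
                if ch in "dflPpuQ":  # these options take an argument
                    value = opt[pos + 1:]
                    if not value and i < len(argv):
                        value, i = argv[i], i + 1
                    flags[ch] = value
                    break
                flags[ch] = True  # -e, -h, -R
    return flags

def permitted(request, flags):
    """Apply -P before -p: a blacklisted request fails even if whitelisted."""
    if request in flags.get("P", "").split(","):
        return False
    if "p" in flags:
        return request in flags["p"].split(",")
    return True

def audit(config_text):
    flags, findings = subsystem_flags(config_text), []
    if flags.get("l", "ERROR") not in LEVELS[3:]:
        findings.append("file transactions are not logged (use -l INFO or VERBOSE)")
    refused = sorted(r for r in IMPLICIT if not permitted(r, flags))
    if refused:
        findings.append("implicit requests refused: " + ", ".join(refused))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG)))
```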

SEE ALSO
     sftp(1), ssh(1), sshd_config(5), sshd(8)

     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
     draft-ietf-secsh-filexfer-02.txt, October 2001, work in progress material.

HISTORY
     sftp-server first appeared in OpenBSD 2.8.

AUTHORS
     Markus Friedl <markus@openbsd.org>

OpenBSD 5.5                    October 14, 2013                    OpenBSD 5.5