SFTP-SERVER(8)          OpenBSD System Manager's Manual         SFTP-SERVER(8)

NAME
     sftp-server - SFTP server subsystem

SYNOPSIS
     sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
                 [-P blacklisted_requests] [-p whitelisted_requests]
                 [-u umask]
     sftp-server -Q protocol_feature

DESCRIPTION
     sftp-server is a program that speaks the server side of SFTP protocol to
     stdout and expects client requests from stdin.  sftp-server is not
     intended to be called directly, but from sshd(8) using the Subsystem
     option.

     Command-line flags to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -d start_directory
             specifies an alternate starting directory for users.  The
             pathname may contain the following tokens that are expanded at
             runtime: %% is replaced by a literal '%', %h is replaced by the
             home directory of the user being authenticated, and %u is
             replaced by the username of that user.  The default is to use the
             user's home directory.  This option is useful in conjunction with
             the sshd_config(5) ChrootDirectory option.

     -e      Causes sftp-server to print logging information to stderr instead
             of syslog for debugging.

     -f log_facility
             Specifies the facility code that is used when logging messages
             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
             The default is AUTH.

     -h      Displays sftp-server usage information.

     -l log_level
             Specifies which messages will be logged by sftp-server.  The
             possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
             DEBUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions
             that sftp-server performs on behalf of the client.  DEBUG and
             DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify higher
             levels of debugging output.  The default is ERROR.

     -P blacklisted_requests
             Specify a comma-separated list of SFTP protocol requests that are
             banned by the server.  sftp-server will reply to any blacklisted
             request with a failure.  The -Q flag can be used to determine the
             supported request types.  If both a blacklist and a whitelist are
             specified, then the blacklist is applied before the whitelist.

     -p whitelisted_requests
             Specify a comma-separated list of SFTP protocol requests that are
             permitted by the server.  All request types that are not on the
             whitelist will be logged and replied to with a failure message.

             Care must be taken when using this feature to ensure that
             requests made implicitly by SFTP clients are permitted.

     -Q protocol_feature
             Query protocol features supported by sftp-server.  At present the
             only feature that may be queried is ``requests'', which may be
             used for black or whitelisting (flags -P and -p respectively).

     -R      Places this instance of sftp-server into a read-only mode.
             Attempts to open files for writing, as well as other operations
             that change the state of the filesystem, will be denied.

     -u umask
             Sets an explicit umask(2) to be applied to newly-created files
             and directories, instead of the user's default mask.

     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.

SEE ALSO
     sftp(1), ssh(1), sshd_config(5), sshd(8)

     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-02.txt, October 2001, work in progress material.

HISTORY
     sftp-server first appeared in OpenBSD 2.8.

AUTHORS
     Markus Friedl <markus@openbsd.org>

OpenBSD 5.5                    October 14, 2013                    OpenBSD 5.5
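The following is an added example, not part of the manual or of OpenSSH: a small audit of a Subsystem declaration that applies the documented -P/-p ordering (blacklist before whitelist) and the documented default log level. The sample config line, the binary path, the request names and the list of requests a client needs are constructed assumptions; take real request names from `sftp-server -Q requests` on the host.

```python
import getopt
import shlex

# Option string from the SYNOPSIS: -e, -h, -R are switches, the rest take a value.
OPTSTRING = "ehRd:f:l:P:p:Q:u:"

# Constructed sample; the binary path and request names are assumptions.
SAMPLE_CONFIG = """\
# read-only drop box
Subsystem sftp /usr/libexec/sftp-server -R -p realpath,open,read,close,lstat -P lstat
"""

def parse_subsystem(config_text):
    """Return {flag: value} for the 'Subsystem sftp' line, or None if absent."""
    for raw in config_text.splitlines():
        words = shlex.split(raw, comments=True)
        if len(words) >= 3 and words[0].lower() == "subsystem" and words[1] == "sftp":
            opts, _ = getopt.getopt(words[3:], OPTSTRING)
            return dict(opts)
    return None

def verdict(opts, request):
    """How -P / -p treat one request: the blacklist is checked before the whitelist."""
    denied = set(filter(None, opts.get("-P", "").split(",")))
    allowed = set(filter(None, opts.get("-p", "").split(",")))
    if request in denied:
        return "deny (blacklisted)"
    if "-p" in opts and request not in allowed:
        return "deny (not whitelisted)"
    return "allow"

def audit(opts, needed):
    """List settings worth a second look; `needed` is the operator's own list."""
    findings = []
    level = opts.get("-l", "ERROR").upper()  # ERROR is the documented default
    if level in ("QUIET", "FATAL", "ERROR"):
        findings.append("log level %s does not record transactions" % level)
    if "-R" not in opts:
        findings.append("no -R: writes are permitted")
    for req in needed:
        result = verdict(opts, req)
        if result != "allow":
            findings.append("client request %s: %s" % (req, result))
    return findings

if __name__ == "__main__":
    opts = parse_subsystem(SAMPLE_CONFIG)
    for line in audit(opts, ["realpath", "lstat", "open", "read", "close"]):
        print(line)
```

In the sample, lstat appears on both lists and is still refused, which is the kind of implicit client request the -p description warns about.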