SFTP-SERVER(8) MAINTENANCE COMMANDS SFTP-SERVER(8)
NAME
sftp-server - SFTP server subsystem
SYNOPSIS
sftp-server [-ehR] [-d start_directory] [-f log_facility]
[-l log_level] [-P blacklisted_requests] [-p
whitelisted_requests] [-u umask]
sftp-server -Q protocol_feature
DESCRIPTION
sftp-server is a program that speaks the server side of SFTP
protocol to stdout and expects client requests from stdin.
sftp-server is not intended to be called directly, but from
sshd(8) using the Subsystem option.
Command-line flags to sftp-server should be specified in the
Subsystem declaration. See sshd_config(5) for more informa-
tion.
Valid options are:
-d start_directory
specifies an alternate starting directory for users.
The pathname may contain the following tokens that are
expanded at runtime: %% is replaced by a literal '%',
%d is replaced by the home directory of the user being
authenticated, and %u is replaced by the username of
that user. The default is to use the user's home
directory. This option is useful in conjunction with
the sshd_config(5) ChrootDirectory option.
-e Causes sftp-server to print logging information to
stderr instead of syslog for debugging.
-f log_facility
Specifies the facility code that is used when logging
messages from The possible values are: DAEMON, USER,
AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5,
LOCAL6, LOCAL7. The default is AUTH.
-h Displays sftp-server usage information.
-l log_level
Specifies which messages will be logged by The possible
values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log tran-
sactions that sftp-server performs on behalf of the
client. DEBUG and DEBUG1 are equivalent. DEBUG2 and
DEBUG3 each specify higher levels of debugging output.
The default is ERROR.
-P blacklisted_requests
Last change: December 11 2014 1
SFTP-SERVER(8) MAINTENANCE COMMANDS SFTP-SERVER(8)
Specify a comma-separated list of SFTP protocol
requests that are banned by the server. sftp-server
will reply to any blacklisted request with a failure.
The -Q flag can be used to determine the supported
request types. If both a blacklist and a whitelist are
specified, then the blacklist is applied before the
whitelist.
-p whitelisted_requests
Specify a comma-separated list of SFTP protocol
requests that are permitted by the server. All request
types that are not on the whitelist will be logged and
replied to with a failure message.
Care must be taken when using this feature to ensure
that requests made implicitly by SFTP clients are per-
mitted.
-Q protocol_feature
Query protocol features supported by At present the
only feature that may be queried is ``requests'', which
may be used for black or whitelisting (flags -P and -p
respectively).
-R Places this instance of sftp-server into a read-only
mode. Attempts to open files for writing, as well as
other operations that change the state of the filesys-
tem, will be denied.
-u umask
Sets an explicit umask(2) to be applied to newly-
created files and directories, instead of the user's
default mask.
On some systems, sftp-server must be able to access
/dev/log for logging to work, and use of sftp-server in
a chroot configuration therefore requires that sys-
logd(8) establish a logging socket inside the chroot
directory.
SEE ALSO
sftp(1), ssh(1), sshd_config(5), sshd(8)
S. Lehtinen and T. Ylonen, SSH File Transfer Protocol,
draft-ietf-secsh-filexfer-02.txt, October 2001, work in pro-
gress material.
HISTORY
sftp-server first appeared in OpenBSD 2.8 .
AUTHORS
Markus Friedl <Mt markus@openbsd.org>
Last change: December 11 2014 2
Man(1) output converted with
man2html