1 SFTP-SERVER(8) OpenBSD System Manager's Manual SFTP-SERVER(8)
4 sftp-server - SFTP server subsystem
7 sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
8 [-P blacklisted_requests] [-p whitelisted_requests]
10 sftp-server -Q protocol_feature
13 sftp-server is a program that speaks the server side of SFTP protocol to
14 stdout and expects client requests from stdin. sftp-server is not
15 intended to be called directly, but from sshd(8) using the Subsystem
18 Command-line flags to sftp-server should be specified in the Subsystem
19 declaration. See sshd_config(5) for more information.
24 specifies an alternate starting directory for users. The
25 pathname may contain the following tokens that are expanded at
26 runtime: %% is replaced by a literal '%', %h is replaced by the
27 home directory of the user being authenticated, and %u is
28 replaced by the username of that user. The default is to use the
29 user's home directory. This option is useful in conjunction with
30 the sshd_config(5) ChrootDirectory option.
32 -e Causes sftp-server to print logging information to stderr instead
33 of syslog for debugging.
36 Specifies the facility code that is used when logging messages
37 from sftp-server. The possible values are: DAEMON, USER, AUTH,
38 LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
41 -h Displays sftp-server usage information.
44 Specifies which messages will be logged by sftp-server. The
45 possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
46 DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions
47 that sftp-server performs on behalf of the client. DEBUG and
48 DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
49 levels of debugging output. The default is ERROR.
51 -P blacklisted_requests
52 Specify a comma-separated list of SFTP protocol requests that are
53 banned by the server. sftp-server will reply to any blacklisted
54 request with a failure. The -Q flag can be used to determine the
55 supported request types. If both a blacklist and a whitelist are
56 specified, then the blacklist is applied before the whitelist.
58 -p whitelisted_requests
59 Specify a comma-separated list of SFTP protocol requests that are
60 permitted by the server. All request types that are not on the
61 whitelist will be logged and replied to with a failure message.
63 Care must be taken when using this feature to ensure that
64 requests made implicitly by SFTP clients are permitted.
67 Query protocol features supported by sftp-server. At present the
68 only feature that may be queried is ``requests'', which may be
69 used for black or whitelisting (flags -P and -p respectively).
71 -R Places this instance of sftp-server into a read-only mode.
72 Attempts to open files for writing, as well as other operations
73 that change the state of the filesystem, will be denied.
76 Sets an explicit umask(2) to be applied to newly-created files
77 and directories, instead of the user's default mask.
79 For logging to work, sftp-server must be able to access /dev/log. Use of
80 sftp-server in a chroot configuration therefore requires that syslogd(8)
81 establish a logging socket inside the chroot directory.
84 sftp(1), ssh(1), sshd_config(5), sshd(8)
86 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
87 filexfer-02.txt, October 2001, work in progress material.
90 sftp-server first appeared in OpenBSD 2.8.
93 Markus Friedl <markus@openbsd.org>
95 OpenBSD 5.5 October 14, 2013 OpenBSD 5.5