Commit | Line | Data |
---|---|---|
efad4deb | 1 | .\" $OpenBSD: sftp-server.8,v 1.31 2021/07/27 14:14:25 jmc Exp $ |
e4340be5 | 2 | .\" |
92a2e38f | 3 | .\" Copyright (c) 2000 Markus Friedl. All rights reserved. |
e4340be5 DM | 4 | .\" |
e4340be5 | 5 | .\" Redistribution and use in source and binary forms, with or without |
e4340be5 | 6 | .\" modification, are permitted provided that the following conditions |
e4340be5 | 7 | .\" are met: |
e4340be5 | 8 | .\" 1. Redistributions of source code must retain the above copyright |
e4340be5 | 9 | .\" notice, this list of conditions and the following disclaimer. |
e4340be5 | 10 | .\" 2. Redistributions in binary form must reproduce the above copyright |
e4340be5 | 11 | .\" notice, this list of conditions and the following disclaimer in the |
e4340be5 | 12 | .\" documentation and/or other materials provided with the distribution. |
e4340be5 | 13 | .\" |
e4340be5 | 14 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
e4340be5 | 15 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
e4340be5 | 16 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
e4340be5 | 17 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
e4340be5 | 18 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
e4340be5 | 19 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
e4340be5 | 20 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
e4340be5 | 21 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
e4340be5 | 22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
e4340be5 | 23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
e4340be5 | 24 | .\" |
efad4deb | 25 | .Dd $Mdocdate: July 27 2021 $ |
7b28dc5e DM | 26 | .Dt SFTP-SERVER 8 |
7b28dc5e | 27 | .Os |
7b28dc5e | 28 | .Sh NAME |
7b28dc5e | 29 | .Nm sftp-server |
483cc723 | 30 | .Nd OpenSSH SFTP server subsystem |
7b28dc5e DM | 31 | .Sh SYNOPSIS |
7b28dc5e | 32 | .Nm sftp-server |
6eaeebf2 | 33 | .Bk -words |
db7bf825 | 34 | .Op Fl ehR |
502ab0ef | 35 | .Op Fl d Ar start_directory |
fef95ad8 DM | 36 | .Op Fl f Ar log_facility |
fef95ad8 | 37 | .Op Fl l Ar log_level |
473b4af4 | 38 | .Op Fl P Ar denied_requests |
473b4af4 | 39 | .Op Fl p Ar allowed_requests |
6b286a46 | 40 | .Op Fl u Ar umask |
6eaeebf2 DM | 41 | .Ek |
6eaeebf2 | 42 | .Nm |
6eaeebf2 | 43 | .Fl Q Ar protocol_feature |
7b28dc5e DM | 44 | .Sh DESCRIPTION |
7b28dc5e | 45 | .Nm |
7b28dc5e | 46 | is a program that speaks the server side of SFTP protocol |
7b28dc5e | 47 | to stdout and expects client requests from stdin. |
7b28dc5e | 48 | .Nm |
7b28dc5e | 49 | is not intended to be called directly, but from |
50a41ed0 | 50 | .Xr sshd 8 |
7b28dc5e DM | 51 | using the |
7b28dc5e | 52 | .Cm Subsystem |
7b28dc5e | 53 | option. |
fef95ad8 DM | 54 | .Pp |
fef95ad8 | 55 | Command-line flags to |
fef95ad8 | 56 | .Nm |
fef95ad8 | 57 | should be specified in the |
fef95ad8 | 58 | .Cm Subsystem |
fef95ad8 | 59 | declaration. |
7b28dc5e | 60 | See |
1f20394e | 61 | .Xr sshd_config 5 |
7b28dc5e | 62 | for more information. |
fef95ad8 DM | 63 | .Pp |
fef95ad8 | 64 | Valid options are: |
fef95ad8 | 65 | .Bl -tag -width Ds |
aa7ad303 | 66 | .It Fl d Ar start_directory |
efad4deb | 67 | Specifies an alternate starting directory for users. |
502ab0ef DM | 68 | The pathname may contain the following tokens that are expanded at runtime: |
502ab0ef | 69 | %% is replaced by a literal '%', |
da0277e3 | 70 | %d is replaced by the home directory of the user being authenticated, |
502ab0ef DM | 71 | and %u is replaced by the username of that user. |
502ab0ef | 72 | The default is to use the user's home directory. |
502ab0ef | 73 | This option is useful in conjunction with the |
502ab0ef | 74 | .Xr sshd_config 5 |
502ab0ef | 75 | .Cm ChrootDirectory |
502ab0ef | 76 | option. |
7bee06ab DT | 77 | .It Fl e |
7bee06ab | 78 | Causes |
7bee06ab | 79 | .Nm |
7bee06ab | 80 | to print logging information to stderr instead of syslog for debugging. |
fef95ad8 DM | 81 | .It Fl f Ar log_facility |
fef95ad8 | 82 | Specifies the facility code that is used when logging messages from |
fef95ad8 | 83 | .Nm . |
fef95ad8 | 84 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
fef95ad8 | 85 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
fef95ad8 | 86 | The default is AUTH. |
7bee06ab DT | 87 | .It Fl h |
7bee06ab | 88 | Displays |
7bee06ab | 89 | .Nm |
7bee06ab | 90 | usage information. |
fef95ad8 DM | 91 | .It Fl l Ar log_level |
fef95ad8 | 92 | Specifies which messages will be logged by |
fef95ad8 | 93 | .Nm . |
fef95ad8 | 94 | The possible values are: |
fef95ad8 | 95 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
fef95ad8 | 96 | INFO and VERBOSE log transactions that |
fef95ad8 | 97 | .Nm |
fef95ad8 | 98 | performs on behalf of the client. |
fef95ad8 | 99 | DEBUG and DEBUG1 are equivalent. |
fef95ad8 | 100 | DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
fef95ad8 | 101 | The default is ERROR. |
473b4af4 | 102 | .It Fl P Ar denied_requests |
efad4deb | 103 | Specifies a comma-separated list of SFTP protocol requests that are banned by |
6eaeebf2 DM | 104 | the server. |
6eaeebf2 | 105 | .Nm |
473b4af4 | 106 | will reply to any denied request with a failure. |
6eaeebf2 DM | 107 | The |
6eaeebf2 | 108 | .Fl Q |
6efab271 | 109 | flag can be used to determine the supported request types. |
473b4af4 | 110 | If both denied and allowed lists are specified, then the denied list is |
473b4af4 | 111 | applied before the allowed list. |
473b4af4 | 112 | .It Fl p Ar allowed_requests |
efad4deb | 113 | Specifies a comma-separated list of SFTP protocol requests that are permitted |
6eaeebf2 | 114 | by the server. |
02a9222c | 115 | All request types that are not on the allowed list will be logged and replied |
6eaeebf2 DM | 116 | to with a failure message. |
6eaeebf2 | 117 | .Pp |
6eaeebf2 | 118 | Care must be taken when using this feature to ensure that requests made |
6efab271 | 119 | implicitly by SFTP clients are permitted. |
6eaeebf2 | 120 | .It Fl Q Ar protocol_feature |
efad4deb | 121 | Queries protocol features supported by |
6eaeebf2 DM | 122 | .Nm . |
6eaeebf2 | 123 | At present the only feature that may be queried is |
6eaeebf2 | 124 | .Dq requests , |
473b4af4 | 125 | which may be used to deny or allow specific requests (flags |
6eaeebf2 | 126 | .Fl P |
6efab271 DM | 127 | and |
6efab271 | 128 | .Fl p |
6efab271 | 129 | respectively). |
db7bf825 DT | 130 | .It Fl R |
db7bf825 | 131 | Places this instance of |
db7bf825 | 132 | .Nm |
db7bf825 | 133 | into a read-only mode. |
db7bf825 | 134 | Attempts to open files for writing, as well as other operations that change |
838891fe | 135 | the state of the filesystem, will be denied. |
6b286a46 DT | 136 | .It Fl u Ar umask |
6b286a46 | 137 | Sets an explicit |
6b286a46 | 138 | .Xr umask 2 |
6b286a46 | 139 | to be applied to newly-created files and directories, instead of the |
6b286a46 | 140 | user's default mask. |
fef95ad8 | 141 | .El |
276571c2 | 142 | .Pp |
426117b2 | 143 | On some systems, |
276571c2 DM | 144 | .Nm |
276571c2 | 145 | must be able to access |
426117b2 DM | 146 | .Pa /dev/log |
426117b2 | 147 | for logging to work, and use of |
276571c2 | 148 | .Nm |
5837b51a | 149 | in a chroot configuration therefore requires that |
276571c2 DM | 150 | .Xr syslogd 8 |
276571c2 | 151 | establish a logging socket inside the chroot directory. |
7b28dc5e | 152 | .Sh SEE ALSO |
160ec62d | 153 | .Xr sftp 1 , |
7b28dc5e | 154 | .Xr ssh 1 , |
1f20394e | 155 | .Xr sshd_config 5 , |
50a41ed0 | 156 | .Xr sshd 8 |
160ec62d | 157 | .Rs |
90fd060b BL | 158 | .%A T. Ylonen |
90fd060b | 159 | .%A S. Lehtinen |
160ec62d | 160 | .%T "SSH File Transfer Protocol" |
5d8b702d DT | 161 | .%N draft-ietf-secsh-filexfer-02.txt |
5d8b702d | 162 | .%D October 2001 |
160ec62d BL | 163 | .%O work in progress material |
160ec62d | 164 | .Re |
50a41ed0 DM | 165 | .Sh HISTORY |
50a41ed0 | 166 | .Nm |
25bd3c06 DT | 167 | first appeared in |
25bd3c06 | 168 | .Ox 2.8 . |
25bd3c06 | 169 | .Sh AUTHORS |
bf836e53 | 170 | .An Markus Friedl Aq Mt markus@openbsd.org |
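
The request filtering that the manual text above documents for `-P`, `-p` and `-R`, modelled as an added example (not part of sftp-server.8 or the OpenSSH source). It also checks an allowed list against requests that clients make implicitly. The function names and the `WRITE_REQUESTS` and `IMPLICIT_REQUESTS` sets are assumptions chosen for illustration.

```python
# Added model of the documented -P / -p / -R semantics; not OpenSSH source code.
# Assumption: requests counted as changing filesystem state under -R.
# ("open" for writing is also refused by -R but depends on open flags,
# which this name-based model does not cover.)
WRITE_REQUESTS = {
    "write", "setstat", "fsetstat", "remove", "mkdir", "rmdir",
    "rename", "symlink", "posix-rename", "hardlink",
}
# Assumption: requests a typical client issues without the user asking,
# e.g. realpath at session start and stat/opendir/readdir/close for a listing.
IMPLICIT_REQUESTS = ["realpath", "stat", "lstat", "opendir", "readdir", "close"]


def parse_list(value):
    """Split a comma-separated -P/-p argument; None means the flag is absent."""
    if value is None:
        return None
    return {name.strip() for name in value.split(",") if name.strip()}


def request_permitted(name, denied=None, allowed=None, read_only=False):
    """Return (permitted, reason) for one SFTP request name."""
    denied, allowed = parse_list(denied), parse_list(allowed)
    # Where the -R check sits relative to the lists is an assumption;
    # it only affects the reason reported, not the outcome.
    if read_only and name in WRITE_REQUESTS:
        return False, "read-only mode (-R)"
    if denied is not None and name in denied:        # denied list applied first
        return False, "on denied list (-P)"
    if allowed is not None and name not in allowed:  # then the allowed list
        return False, "not on allowed list (-p)"
    return True, "permitted"


def refused_implicit(denied=None, allowed=None, read_only=False):
    """List implicit client requests that this flag combination would refuse."""
    return [r for r in IMPLICIT_REQUESTS
            if not request_permitted(r, denied, allowed, read_only)[0]]


if __name__ == "__main__":
    # Constructed flag values for illustration.
    print(request_permitted("open", denied="open", allowed="open,read,close"))
    print(refused_implicit(allowed="open,read,close"))
```

A non-empty result from `refused_implicit` means the allowed list is likely to break ordinary client sessions; compare the list against the output of `sftp-server -Q requests` on the target system before deploying it.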