[thirdparty/openssh-portable.git] / sftp-server.8

.\" $OpenBSD: sftp-server.8,v 1.31 2021/07/27 14:14:25 jmc Exp $
.\"
.\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 27 2021 $
.Dt SFTP-SERVER 8
.Os
.Sh NAME
.Nm sftp-server
.Nd OpenSSH SFTP server subsystem
.Sh SYNOPSIS
.Nm sftp-server
.Bk -words
.Op Fl ehR
.Op Fl d Ar start_directory
.Op Fl f Ar log_facility
.Op Fl l Ar log_level
.Op Fl P Ar denied_requests
.Op Fl p Ar allowed_requests
.Op Fl u Ar umask
.Ek
.Nm
.Fl Q Ar protocol_feature
.Sh DESCRIPTION
.Nm
is a program that speaks the server side of SFTP protocol
to stdout and expects client requests from stdin.
.Nm
is not intended to be called directly, but from
.Xr sshd 8
using the
.Cm Subsystem
option.
.Pp
Command-line flags to
.Nm
should be specified in the
.Cm Subsystem
declaration.
See
.Xr sshd_config 5
for more information.
.Pp
Valid options are:
.Bl -tag -width Ds
.It Fl d Ar start_directory
Specifies an alternate starting directory for users.
The pathname may contain the following tokens that are expanded at runtime:
%% is replaced by a literal '%',
%d is replaced by the home directory of the user being authenticated,
and %u is replaced by the username of that user.
The default is to use the user's home directory.
This option is useful in conjunction with the
.Xr sshd_config 5
.Cm ChrootDirectory
option.
.It Fl e
Causes
.Nm
to print logging information to stderr instead of syslog for debugging.
.It Fl f Ar log_facility
Specifies the facility code that is used when logging messages from
.Nm .
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Fl h
Displays
.Nm
usage information.
.It Fl l Ar log_level
Specifies which messages will be logged by
.Nm .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
INFO and VERBOSE log transactions that
.Nm
performs on behalf of the client.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
The default is ERROR.
.It Fl P Ar denied_requests
Specifies a comma-separated list of SFTP protocol requests that are banned by
the server.
.Nm
will reply to any denied request with a failure.
The
.Fl Q
flag can be used to determine the supported request types.
If both denied and allowed lists are specified, then the denied list is
applied before the allowed list.
.It Fl p Ar allowed_requests
Specifies a comma-separated list of SFTP protocol requests that are permitted
by the server.
All request types that are not on the allowed list will be logged and replied
to with a failure message.
.Pp
Care must be taken when using this feature to ensure that requests made
implicitly by SFTP clients are permitted.
.It Fl Q Ar protocol_feature
Queries protocol features supported by
.Nm .
At present the only feature that may be queried is
.Dq requests ,
which may be used to deny or allow specific requests (flags
.Fl P
and
.Fl p
respectively).
.It Fl R
Places this instance of
.Nm
into a read-only mode.
Attempts to open files for writing, as well as other operations that change
the state of the filesystem, will be denied.
.It Fl u Ar umask
Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
.El
.Pp
On some systems,
.Nm
must be able to access
.Pa /dev/log
for logging to work, and use of
.Nm
in a chroot configuration therefore requires that
.Xr syslogd 8
establish a logging socket inside the chroot directory.
.Sh SEE ALSO
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr sshd_config 5 ,
.Xr sshd 8
.Rs
.%A T. Ylonen
.%A S. Lehtinen
.%T "SSH File Transfer Protocol"
.%N draft-ietf-secsh-filexfer-02.txt
.%D October 2001
.%O work in progress material
.Re
.Sh HISTORY
.Nm
first appeared in
.Ox 2.8 .
.Sh AUTHORS
.An Markus Friedl Aq Mt markus@openbsd.org
Commit	Line	Data
efad4deb	1	.\" $OpenBSD: sftp-server.8,v 1.31 2021/07/27 14:14:25 jmc Exp $
e4340be5	2	.\"
92a2e38f	3	.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
e4340be5 DM	4	.\"
	5	.\" Redistribution and use in source and binary forms, with or without
	6	.\" modification, are permitted provided that the following conditions
	7	.\" are met:
	8	.\" 1. Redistributions of source code must retain the above copyright
	9	.\" notice, this list of conditions and the following disclaimer.
	10	.\" 2. Redistributions in binary form must reproduce the above copyright
	11	.\" notice, this list of conditions and the following disclaimer in the
	12	.\" documentation and/or other materials provided with the distribution.
	13	.\"
	14	.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	.\"
efad4deb	25	.Dd $Mdocdate: July 27 2021 $
7b28dc5e DM	26	.Dt SFTP-SERVER 8
	27	.Os
	28	.Sh NAME
	29	.Nm sftp-server
483cc723	30	.Nd OpenSSH SFTP server subsystem
7b28dc5e DM	31	.Sh SYNOPSIS
7b28dc5e DM	32	.Nm sftp-server
6eaeebf2	33	.Bk -words
db7bf825	34	.Op Fl ehR
502ab0ef	35	.Op Fl d Ar start_directory
fef95ad8 DM	36	.Op Fl f Ar log_facility
fef95ad8 DM	37	.Op Fl l Ar log_level
473b4af4	38	.Op Fl P Ar denied_requests
473b4af4	39	.Op Fl p Ar allowed_requests
6b286a46	40	.Op Fl u Ar umask
6eaeebf2 DM	41	.Ek
	42	.Nm
	43	.Fl Q Ar protocol_feature
7b28dc5e DM	44	.Sh DESCRIPTION
	45	.Nm
	46	is a program that speaks the server side of SFTP protocol
	47	to stdout and expects client requests from stdin.
	48	.Nm
	49	is not intended to be called directly, but from
50a41ed0	50	.Xr sshd 8
7b28dc5e DM	51	using the
	52	.Cm Subsystem
	53	option.
fef95ad8 DM	54	.Pp
	55	Command-line flags to
	56	.Nm
	57	should be specified in the
	58	.Cm Subsystem
	59	declaration.
7b28dc5e	60	See
1f20394e	61	.Xr sshd_config 5
7b28dc5e	62	for more information.
fef95ad8 DM	63	.Pp
	64	Valid options are:
	65	.Bl -tag -width Ds
aa7ad303	66	.It Fl d Ar start_directory
efad4deb	67	Specifies an alternate starting directory for users.
502ab0ef DM	68	The pathname may contain the following tokens that are expanded at runtime:
502ab0ef DM	69	%% is replaced by a literal '%',
da0277e3	70	%d is replaced by the home directory of the user being authenticated,
502ab0ef DM	71	and %u is replaced by the username of that user.
	72	The default is to use the user's home directory.
	73	This option is useful in conjunction with the
	74	.Xr sshd_config 5
	75	.Cm ChrootDirectory
	76	option.
7bee06ab DT	77	.It Fl e
	78	Causes
	79	.Nm
	80	to print logging information to stderr instead of syslog for debugging.
fef95ad8 DM	81	.It Fl f Ar log_facility
	82	Specifies the facility code that is used when logging messages from
	83	.Nm .
	84	The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
	85	LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
	86	The default is AUTH.
7bee06ab DT	87	.It Fl h
	88	Displays
	89	.Nm
	90	usage information.
fef95ad8 DM	91	.It Fl l Ar log_level
	92	Specifies which messages will be logged by
	93	.Nm .
	94	The possible values are:
	95	QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
	96	INFO and VERBOSE log transactions that
	97	.Nm
	98	performs on behalf of the client.
	99	DEBUG and DEBUG1 are equivalent.
	100	DEBUG2 and DEBUG3 each specify higher levels of debugging output.
	101	The default is ERROR.
473b4af4	102	.It Fl P Ar denied_requests
efad4deb	103	Specifies a comma-separated list of SFTP protocol requests that are banned by
6eaeebf2 DM	104	the server.
6eaeebf2 DM	105	.Nm
473b4af4	106	will reply to any denied request with a failure.
6eaeebf2 DM	107	The
6eaeebf2 DM	108	.Fl Q
6efab271	109	flag can be used to determine the supported request types.
473b4af4	110	If both denied and allowed lists are specified, then the denied list is
	111	applied before the allowed list.
	112	.It Fl p Ar allowed_requests
efad4deb	113	Specifies a comma-separated list of SFTP protocol requests that are permitted
6eaeebf2	114	by the server.
02a9222c	115	All request types that are not on the allowed list will be logged and replied
6eaeebf2 DM	116	to with a failure message.
	117	.Pp
	118	Care must be taken when using this feature to ensure that requests made
6efab271	119	implicitly by SFTP clients are permitted.
6eaeebf2	120	.It Fl Q Ar protocol_feature
efad4deb	121	Queries protocol features supported by
6eaeebf2 DM	122	.Nm .
	123	At present the only feature that may be queried is
	124	.Dq requests ,
473b4af4	125	which may be used to deny or allow specific requests (flags
6eaeebf2	126	.Fl P
6efab271 DM	127	and
	128	.Fl p
	129	respectively).
db7bf825 DT	130	.It Fl R
	131	Places this instance of
	132	.Nm
	133	into a read-only mode.
	134	Attempts to open files for writing, as well as other operations that change
838891fe	135	the state of the filesystem, will be denied.
6b286a46 DT	136	.It Fl u Ar umask
	137	Sets an explicit
	138	.Xr umask 2
	139	to be applied to newly-created files and directories, instead of the
	140	user's default mask.
fef95ad8	141	.El
276571c2	142	.Pp
426117b2	143	On some systems,
276571c2 DM	144	.Nm
276571c2 DM	145	must be able to access
426117b2 DM	146	.Pa /dev/log
426117b2 DM	147	for logging to work, and use of
276571c2	148	.Nm
5837b51a	149	in a chroot configuration therefore requires that
276571c2 DM	150	.Xr syslogd 8
276571c2 DM	151	establish a logging socket inside the chroot directory.
7b28dc5e	152	.Sh SEE ALSO
160ec62d	153	.Xr sftp 1 ,
7b28dc5e	154	.Xr ssh 1 ,
1f20394e	155	.Xr sshd_config 5 ,
50a41ed0	156	.Xr sshd 8
160ec62d	157	.Rs
90fd060b BL	158	.%A T. Ylonen
90fd060b BL	159	.%A S. Lehtinen
160ec62d	160	.%T "SSH File Transfer Protocol"
5d8b702d DT	161	.%N draft-ietf-secsh-filexfer-02.txt
5d8b702d DT	162	.%D October 2001
160ec62d BL	163	.%O work in progress material
160ec62d BL	164	.Re
50a41ed0 DM	165	.Sh HISTORY
50a41ed0 DM	166	.Nm
25bd3c06 DT	167	first appeared in
	168	.Ox 2.8 .
	169	.Sh AUTHORS
bf836e53	170	.An Markus Friedl Aq Mt markus@openbsd.org