man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2014



sftp-server - SFTP server subsystem


/usr/lib/ssh/sftp-server [-f log_facility] [-l log_level]


sftp-server implements the server side of the SSH File Transfer Protocol as defined in the IETF draft-ietf-secsh-filexfer.

sftp-server is a subsystem for sshd(1M) and must not be run directly. Command-line flags to sftp-server should be specified in the Subsystem declaration. See sshd_config(4) for more information.

To enable the sftp-server subsystem for sshd add the following to /etc/ssh/sshd_config:

Subsystem   sftp     /usr/lib/ssh/sftp-server

To run sftp-server in a chroot configuration, use internal-sftp instead of /usr/lib/ssh/sftp-server. Otherwise, the chroot directory must contain the necessary files and directories to support the user's session. See the ChrootDirectory and Subsystem options in sshd_config(4)) for more information on how sshd and sftp-server work with chroot(2).

See sshd_config(4) for a description of the format and contents of that file.

There is no relationship between the protocol used by sftp-server and the FTP protocol (RFC 959) provided by in.ftpd.

For logging to work, sftp-server must be able to access /dev/log. Use of sftp-server in a chroot configuration therefore requires that syslogd(1M) establish a logging socket inside the chroot directory.



Valid options are listed below. As stated above, these options, if used, are specified in the Subsystem declaration of sshd_config.

–f log_facility

Specifies the facility code that is used when logging messages from sftp-server. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

–l log_level

Specifies which messages will be logged by sftp-server. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions that sftp-server performs on behalf of the client. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR.

–u umask

Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask.

Exit Status

The following exit values are returned:


Successful completion.


An error occurred.



Server-side binary.


See attributes(5) for descriptions of the following attributes:

Interface Stability

See also

sftp(1), ssh(1), ssh-add(1), ssh-keygen(1), sshd(1M), syslogd(1M), chroot(2), umask(2), sshd_config(4), attributes(5)