Go to main content

man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2017

sftp-server.openssh (1m)


sftp-server.openssh - SFTP server subsystem


sftp-server   [-ehR]   [-d   start_directory]   [-f  log_facility]  [-l
log_level]  [-P  blacklisted_requests]  [-p  whitelisted_requests]  [-u
sftp-server -Q protocol_feature


SFTP-SERVER(8)              System Manager's Manual             SFTP-SERVER(8)

       sftp-server - SFTP server subsystem

       sftp-server   [-ehR]   [-d   start_directory]   [-f  log_facility]  [-l
       log_level]  [-P  blacklisted_requests]  [-p  whitelisted_requests]  [-u
       sftp-server -Q protocol_feature

       sftp-server  is  a program that speaks the server side of SFTP protocol
       to stdout and expects client requests from stdin.  sftp-server  is  not
       intended  to  be called directly, but from sshd(1M) using the Subsystem

       Command-line flags to sftp-server should be specified in the  Subsystem
       declaration.  See sshd_config(4) for more information.

       Valid options are:

       -d start_directory
              specifies  an alternate starting directory for users.  The path-
              name may contain the following tokens that are expanded at  run-
              time:  %%  is  replaced  by a literal '%', %d is replaced by the
              home directory of  the  user  being  authenticated,  and  %u  is
              replaced  by  the  username of that user.  The default is to use
              the user's home directory.  This option is useful in conjunction
              with the sshd_config(4) ChrootDirectory option.

       -e     Causes  sftp-server  to  print  logging  information  to  stderr
              instead of syslog for debugging.

       -f log_facility
              Specifies the facility code that is used when  logging  messages
              from  .   The  possible  values are: DAEMON, USER, AUTH, LOCAL0,
              LOCAL1, LOCAL2, LOCAL3, LOCAL4,  LOCAL5,  LOCAL6,  LOCAL7.   The
              default is AUTH.

       -h     Displays sftp-server usage information.

       -l log_level
              Specifies  which messages will be logged by .  The possible val-
              ues are: QUIET, FATAL,  ERROR,  INFO,  VERBOSE,  DEBUG,  DEBUG1,
              DEBUG2,  and  DEBUG3.   INFO  and  VERBOSE log transactions that
              sftp-server performs on behalf of the client.  DEBUG and  DEBUG1
              are equivalent.  DEBUG2 and DEBUG3 each specify higher levels of
              debugging output.  The default is ERROR.

       -P blacklisted_requests
              Specify a comma-separated list of SFTP  protocol  requests  that
              are  banned by the server.  sftp-server will reply to any black-
              listed request with a failure.  The  -Q  flag  can  be  used  to
              determine  the supported request types.  If both a blacklist and
              a whitelist are specified, then the blacklist is applied  before
              the whitelist.

       -p whitelisted_requests
              Specify  a  comma-separated  list of SFTP protocol requests that
              are permitted by the server.  All request types that are not  on
              the  whitelist will be logged and replied to with a failure mes-

              Care must be taken  when  using  this  feature  to  ensure  that
              requests made implicitly by SFTP clients are permitted.

       -Q protocol_feature
              Query protocol features supported by .  At present the only fea-
              ture that may be queried is ``requests'', which may be used  for
              black or whitelisting (flags -P and -p respectively).

       -R     Places  this  instance  of  sftp-server  into  a read-only mode.
              Attempts to open files for writing, as well as other  operations
              that change the state of the filesystem, will be denied.

       -u umask
              Sets  an  explicit umask(2) to be applied to newly-created files
              and directories, instead of the user's default mask.

       On some systems, sftp-server must be able to access /dev/log  for  log-
       ging  to  work, and use of sftp-server in a chroot configuration there-
       fore requires that syslogd(8) establish a  logging  socket  inside  the
       chroot directory.

       See attributes(5) for descriptions of the following attributes:

       |Availability   | network/openssh          |
       |Stability      | Pass-through uncommitted |
       sftp(1), ssh(1), sshd_config(4), sshd(1M)

       S.  Lehtinen  and  T.  Ylonen,  SSH File Transfer Protocol, draft-ietf-
       secsh-filexfer-02.txt, October 2001, work in progress material.

       sftp-server first appeared in OpenBSD 2.8 .

       Markus Friedl <Mt markus@openbsd.org>

       This    software    was    built    from    source     available     at
       https://java.net/projects/solaris-userland.    The  original  community
       source   was   downloaded   from     http://mirrors.sonic.net/pub/Open-

       Further information about this software can be found on the open source
       community website at http://www.openssh.org/.

                               December 11 2014                 SFTP-SERVER(8)