Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022
 
 

sftp-server (8)

Name

sftp-server - OpenSSH SFTP server subsystem

Synopsis

sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
[-P denied_requests] [-p allowed_requests] [-u umask]
sftp-server -Q protocol_feature

Description

SFTP-SERVER(8)            BSD System Manager's Manual           SFTP-SERVER(8)

NAME
     sftp-server -- OpenSSH SFTP server subsystem

SYNOPSIS
     sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
                 [-P denied_requests] [-p allowed_requests] [-u umask]
     sftp-server -Q protocol_feature

DESCRIPTION
     sftp-server is a program that speaks the server side of SFTP protocol to
     stdout and expects client requests from stdin.  sftp-server is not
     intended to be called directly, but from sshd(8) using the Subsystem
     option.

     Command-line flags to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -d start_directory
             specifies an alternate starting directory for users.  The path-
             name may contain the following tokens that are expanded at run-
             time: %% is replaced by a literal '%', %d is replaced by the home
             directory of the user being authenticated, and %u is replaced by
             the username of that user.  The default is to use the user's home
             directory.  This option is useful in conjunction with the
             sshd_config(5) ChrootDirectory option.

     -e      Causes sftp-server to print logging information to stderr instead
             of syslog for debugging.

     -f log_facility
             Specifies the facility code that is used when logging messages
             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
             The default is AUTH.

     -h      Displays sftp-server usage information.

     -l log_level
             Specifies which messages will be logged by sftp-server.  The pos-
             sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
             DEBUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions
             that sftp-server performs on behalf of the client.  DEBUG and
             DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify higher
             levels of debugging output.  The default is ERROR.

     -P denied_requests
             Specify a comma-separated list of SFTP protocol requests that are
             banned by the server.  sftp-server will reply to any denied
             request with a failure.  The -Q flag can be used to determine the
             supported request types.  If both denied and allowed lists are
             specified, then the denied list is applied before the allowed
             list.

     -p allowed_requests
             Specify a comma-separated list of SFTP protocol requests that are
             permitted by the server.  All request types that are not on the
             allowed list will be logged and replied to with a failure mes-
             sage.

             Care must be taken when using this feature to ensure that
             requests made implicitly by SFTP clients are permitted.

     -Q protocol_feature
             Query protocol features supported by sftp-server.  At present the
             only feature that may be queried is ``requests'', which may be
             used to deny or allow specific requests (flags -P and -p respec-
             tively).

     -R      Places this instance of sftp-server into a read-only mode.
             Attempts to open files for writing, as well as other operations
             that change the state of the filesystem, will be denied.

     -u umask
             Sets an explicit umask(2) to be applied to newly-created files
             and directories, instead of the user's default mask.

     On some systems, sftp-server must be able to access /dev/log for logging
     to work, and use of sftp-server in a chroot configuration therefore
     requires that syslogd(8) establish a logging socket inside the chroot
     directory.


ATTRIBUTES
     See attributes(7) for descriptions of the following attributes:

     +---------------+--------------------------+
     |ATTRIBUTE TYPE |     ATTRIBUTE VALUE      |
     +---------------+--------------------------+
     |Availability   | service/network/ssh      |
     +---------------+--------------------------+
     |Stability      | Pass-through uncommitted |
     +---------------+--------------------------+

SEE ALSO
     sftp(1), ssh(1), sshd_config(5), sshd(8)

     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-02.txt, October 2001, work in progress material.

HISTORY
     sftp-server first appeared in OpenBSD 2.8.

AUTHORS
     Markus Friedl <markus@openbsd.org>



NOTES
     Source code for open source software components in Oracle Solaris can be
     found at https://www.oracle.com/downloads/opensource/solaris-source-code-
     downloads.html.

     This software was built from source available at https://github.com/ora-
     cle/solaris-userland.  The original community source was downloaded from
     https://mirrors.sonic.net/pub/OpenBSD/OpenSSH/porta-
     ble/openssh-8.4p1.tar.gz.

     Further information about this software can be found on the open source
     community website at https://www.openssh.com/.

BSD                              June 22, 2020                             BSD
Copyright © 1993, 2022, Oracle and/or its affiliates.  
Previous
Next