1.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $ 2.\" $FreeBSD$ 3.\" 4.\" Copyright (c) 2000 Markus Friedl. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25.\" 26.Dd October 14, 2013 27.Dt SFTP-SERVER 8 28.Os 29.Sh NAME 30.Nm sftp-server 31.Nd SFTP server subsystem 32.Sh SYNOPSIS 33.Nm sftp-server 34.Bk -words 35.Op Fl ehR 36.Op Fl d Ar start_directory 37.Op Fl f Ar log_facility 38.Op Fl l Ar log_level 39.Op Fl P Ar blacklisted_requests 40.Op Fl p Ar whitelisted_requests 41.Op Fl u Ar umask 42.Ek 43.Nm 44.Fl Q Ar protocol_feature 45.Sh DESCRIPTION 46.Nm 47is a program that speaks the server side of SFTP protocol 48to stdout and expects client requests from stdin. 49.Nm 50is not intended to be called directly, but from 51.Xr sshd 8 52using the 53.Cm Subsystem 54option. 55.Pp 56Command-line flags to 57.Nm 58should be specified in the 59.Cm Subsystem 60declaration. 61See 62.Xr sshd_config 5 63for more information. 64.Pp 65Valid options are: 66.Bl -tag -width Ds 67.It Fl d Ar start_directory 68specifies an alternate starting directory for users. 69The pathname may contain the following tokens that are expanded at runtime: 70%% is replaced by a literal '%', 71%h is replaced by the home directory of the user being authenticated, 72and %u is replaced by the username of that user. 73The default is to use the user's home directory. 74This option is useful in conjunction with the 75.Xr sshd_config 5 76.Cm ChrootDirectory 77option. 78.It Fl e 79Causes 80.Nm 81to print logging information to stderr instead of syslog for debugging. 82.It Fl f Ar log_facility 83Specifies the facility code that is used when logging messages from 84.Nm . 85The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, 86LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 87The default is AUTH. 88.It Fl h 89Displays 90.Nm 91usage information. 92.It Fl l Ar log_level 93Specifies which messages will be logged by 94.Nm . 95The possible values are: 96QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 97INFO and VERBOSE log transactions that 98.Nm 99performs on behalf of the client. 100DEBUG and DEBUG1 are equivalent. 101DEBUG2 and DEBUG3 each specify higher levels of debugging output. 102The default is ERROR. 103.It Fl P Ar blacklisted_requests 104Specify a comma-separated list of SFTP protocol requests that are banned by 105the server. 106.Nm 107will reply to any blacklisted request with a failure. 108The 109.Fl Q 110flag can be used to determine the supported request types. 111If both a blacklist and a whitelist are specified, then the blacklist is 112applied before the whitelist. 113.It Fl p Ar whitelisted_requests 114Specify a comma-separated list of SFTP protocol requests that are permitted 115by the server. 116All request types that are not on the whitelist will be logged and replied 117to with a failure message. 118.Pp 119Care must be taken when using this feature to ensure that requests made 120implicitly by SFTP clients are permitted. 121.It Fl Q Ar protocol_feature 122Query protocol features supported by 123.Nm . 124At present the only feature that may be queried is 125.Dq requests , 126which may be used for black or whitelisting (flags 127.Fl P 128and 129.Fl p 130respectively). 131.It Fl R 132Places this instance of 133.Nm 134into a read-only mode. 135Attempts to open files for writing, as well as other operations that change 136the state of the filesystem, will be denied. 137.It Fl u Ar umask 138Sets an explicit 139.Xr umask 2 140to be applied to newly-created files and directories, instead of the 141user's default mask. 142.El 143.Pp 144For logging to work, 145.Nm 146must be able to access 147.Pa /dev/log . 148Use of 149.Nm 150in a chroot configuration therefore requires that 151.Xr syslogd 8 152establish a logging socket inside the chroot directory. 153.Sh SEE ALSO 154.Xr sftp 1 , 155.Xr ssh 1 , 156.Xr sshd_config 5 , 157.Xr sshd 8 158.Rs 159.%A T. Ylonen 160.%A S. Lehtinen 161.%T "SSH File Transfer Protocol" 162.%N draft-ietf-secsh-filexfer-02.txt 163.%D October 2001 164.%O work in progress material 165.Re 166.Sh HISTORY 167.Nm 168first appeared in 169.Ox 2.8 . 170.Sh AUTHORS 171.An Markus Friedl Aq Mt markus@openbsd.org 172