-SFTP-SERVER(8) OpenBSD System Manager's Manual SFTP-SERVER(8)
+SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8)
NAME
- sftp-server - SFTP server subsystem
+ sftp-server M-bM-^@M-^S SFTP server subsystem
SYNOPSIS
- sftp-server [-ehR] [-f log_facility] [-l log_level] [-u umask]
+ sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
+ [-P blacklisted_requests] [-p whitelisted_requests]
+ [-u umask]
+ sftp-server -Q protocol_feature
DESCRIPTION
sftp-server is a program that speaks the server side of SFTP protocol to
Valid options are:
+ -d start_directory
+ specifies an alternate starting directory for users. The
+ pathname may contain the following tokens that are expanded at
+ runtime: %% is replaced by a literal '%', %d is replaced by the
+ home directory of the user being authenticated, and %u is
+ replaced by the username of that user. The default is to use the
+ user's home directory. This option is useful in conjunction with
+ the sshd_config(5) ChrootDirectory option.
+
-e Causes sftp-server to print logging information to stderr instead
of syslog for debugging.
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
levels of debugging output. The default is ERROR.
+ -P blacklisted_requests
+ Specify a comma-separated list of SFTP protocol requests that are
+ banned by the server. sftp-server will reply to any blacklisted
+ request with a failure. The -Q flag can be used to determine the
+ supported request types. If both a blacklist and a whitelist are
+ specified, then the blacklist is applied before the whitelist.
+
+ -p whitelisted_requests
+ Specify a comma-separated list of SFTP protocol requests that are
+ permitted by the server. All request types that are not on the
+ whitelist will be logged and replied to with a failure message.
+
+ Care must be taken when using this feature to ensure that
+ requests made implicitly by SFTP clients are permitted.
+
+ -Q protocol_feature
+ Query protocol features supported by sftp-server. At present the
+ only feature that may be queried is M-bM-^@M-^\requestsM-bM-^@M-^], which may be used
+ for black or whitelisting (flags -P and -p respectively).
+
-R Places this instance of sftp-server into a read-only mode.
Attempts to open files for writing, as well as other operations
that change the state of the filesystem, will be denied.
Sets an explicit umask(2) to be applied to newly-created files
and directories, instead of the user's default mask.
- For logging to work, sftp-server must be able to access /dev/log. Use of
- sftp-server in a chroot configuration therefore requires that syslogd(8)
- establish a logging socket inside the chroot directory.
+ On some systems, sftp-server must be able to access /dev/log for logging
+ to work, and use of sftp-server in a chroot configuration therefore
+ requires that syslogd(8) establish a logging socket inside the chroot
+ directory.
SEE ALSO
sftp(1), ssh(1), sshd_config(5), sshd(8)
- T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
- draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
- material.
+ T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
+ filexfer-02.txt, October 2001, work in progress material.
HISTORY
sftp-server first appeared in OpenBSD 2.8.
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 5.0 January 9, 2010 OpenBSD 5.0
+OpenBSD 5.7 December 11, 2014 OpenBSD 5.7