|SFTP-SERVER(8)||System Manager's Manual||SFTP-SERVER(8)|
SFTP server subsystem
sftp-serveris a program that speaks the server side of SFTP protocol to stdout and expects client requests from stdin.
sftp-serveris not intended to be called directly, but from sshd(8) using the
Subsystemoption. Command-line flags to
sftp-servershould be specified in the
Subsystemdeclaration. See sshd_config(5) for more information. Valid options are:
- specifies an alternate starting directory for users. The pathname may
contain the following tokens that are expanded at runtime: %% is replaced
by a literal '%', %h is replaced by the home directory of the user being
authenticated, and %u is replaced by the username of that user. The
default is to use the user's home directory. This option is useful in
conjunction with the sshd_config(5)
sftp-serverto print logging information to stderr instead of syslog for debugging.
- Specifies the facility code that is used when logging messages from
sftp-server. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
- Specifies which messages will be logged by
sftp-server. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions that
sftp-serverperforms on behalf of the client. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR.
- Specify a comma-separated list of SFTP protocol requests that are banned
by the server.
sftp-serverwill reply to any blacklisted request with a failure. The
-Qflag can be used to determine the supported request types. If both a blacklist and a whitelist are specified, then the blacklist is applied before the whitelist.
- Specify a comma-separated list of SFTP protocol requests that are permitted by the server. All request types that are not on the whitelist will be logged and replied to with a failure message. Care must be taken when using this feature to ensure that requests made implicitly by SFTP clients are permitted.
- Query protocol features supported by
sftp-server. At present the only feature that may be queried is “requests”, which may be used for black or whitelisting (flags
- Places this instance of
sftp-serverinto a read-only mode. Attempts to open files for writing, as well as other operations that change the state of the filesystem, will be denied.
- Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask.
sftp-servermust be able to access /dev/log for logging to work, and use of
sftp-serverin a chroot configuration therefore requires that syslogd(8) establish a logging socket inside the chroot directory.
SEE ALSO¶sftp(1), ssh(1), sshd_config(5), sshd(8) T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-filexfer-02.txt, October 2001, work in progress material.
sftp-serverfirst appeared in OpenBSD 2.8.
AUTHORS¶Markus Friedl <email@example.com>
|July 28, 2014||Debian|