Diffstat
-rw-r--r-- sftp-server.8 170
1 files changed, 170 insertions, 0 deletions
diff --git a/sftp-server.8 b/sftp-server.8
new file mode 100644
index 0000000..5311bf9
--- /dev/null
+++ b/sftp-server.8
@@ -0,0 +1,170 @@
+.\" $OpenBSD: sftp-server.8,v 1.31 2021/07/27 14:14:25 jmc Exp $
+.\"
+.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: July 27 2021 $
+.Dt SFTP-SERVER 8
+.Os
+.Sh NAME
+.Nm sftp-server
+.Nd OpenSSH SFTP server subsystem
+.Sh SYNOPSIS
+.Nm sftp-server
+.Bk -words
+.Op Fl ehR
+.Op Fl d Ar start_directory
+.Op Fl f Ar log_facility
+.Op Fl l Ar log_level
+.Op Fl P Ar denied_requests
+.Op Fl p Ar allowed_requests
+.Op Fl u Ar umask
+.Ek
+.Nm
+.Fl Q Ar protocol_feature
+.Sh DESCRIPTION
+.Nm
+is a program that speaks the server side of SFTP protocol
+to stdout and expects client requests from stdin.
+.Nm
+is not intended to be called directly, but from
+.Xr sshd 8
+using the
+.Cm Subsystem
+option.
+.Pp
+Command-line flags to
+.Nm
+should be specified in the
+.Cm Subsystem
+declaration.
+See
+.Xr sshd_config 5
+for more information.
+.Pp
+Valid options are:
+.Bl -tag -width Ds
+.It Fl d Ar start_directory
+Specifies an alternate starting directory for users.
+The pathname may contain the following tokens that are expanded at runtime:
+%% is replaced by a literal '%',
+%d is replaced by the home directory of the user being authenticated,
+and %u is replaced by the username of that user.
+The default is to use the user's home directory.
+This option is useful in conjunction with the
+.Xr sshd_config 5
+.Cm ChrootDirectory
+option.
+.It Fl e
+Causes
+.Nm
+to print logging information to stderr instead of syslog for debugging.
+.It Fl f Ar log_facility
+Specifies the facility code that is used when logging messages from
+.Nm .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Fl h
+Displays
+.Nm
+usage information.
+.It Fl l Ar log_level
+Specifies which messages will be logged by
+.Nm .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+INFO and VERBOSE log transactions that
+.Nm
+performs on behalf of the client.
+DEBUG and DEBUG1 are equivalent.
+DEBUG2 and DEBUG3 each specify higher levels of debugging output.
+The default is ERROR.
+.It Fl P Ar denied_requests
+Specifies a comma-separated list of SFTP protocol requests that are banned by
+the server.
+.Nm
+will reply to any denied request with a failure.
+The
+.Fl Q
+flag can be used to determine the supported request types.
+If both denied and allowed lists are specified, then the denied list is
+applied before the allowed list.
+.It Fl p Ar allowed_requests
+Specifies a comma-separated list of SFTP protocol requests that are permitted
+by the server.
+All request types that are not on the allowed list will be logged and replied
+to with a failure message.
+.Pp
+Care must be taken when using this feature to ensure that requests made
+implicitly by SFTP clients are permitted.
+.It Fl Q Ar protocol_feature
+Queries protocol features supported by
+.Nm .
+At present the only feature that may be queried is
+.Dq requests ,
+which may be used to deny or allow specific requests (flags
+.Fl P
+and
+.Fl p
+respectively).
+.It Fl R
+Places this instance of
+.Nm
+into a read-only mode.
+Attempts to open files for writing, as well as other operations that change
+the state of the filesystem, will be denied.
+.It Fl u Ar umask
+Sets an explicit
+.Xr umask 2
+to be applied to newly-created files and directories, instead of the
+user's default mask.
+.El
+.Pp
+On some systems,
+.Nm
+must be able to access
+.Pa /dev/log
+for logging to work, and use of
+.Nm
+in a chroot configuration therefore requires that
+.Xr syslogd 8
+establish a logging socket inside the chroot directory.
+.Sh SEE ALSO
+.Xr sftp 1 ,
+.Xr ssh 1 ,
+.Xr sshd_config 5 ,
+.Xr sshd 8
+.Rs
+.%A T. Ylonen
+.%A S. Lehtinen
+.%T "SSH File Transfer Protocol"
+.%N draft-ietf-secsh-filexfer-02.txt
+.%D October 2001
+.%O work in progress material
+.Re
+.Sh HISTORY
+.Nm
+first appeared in
+.Ox 2.8 .
+.Sh AUTHORS
+.An Markus Friedl Aq Mt markus@openbsd.org
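Review bot: The -P entry does not say whether a denied request is logged, while the -p entry states that requests not on the allowed list "will be logged and replied to with a failure message". Under -P the text only says the server "will reply to any denied request with a failure". If both paths log, say so in both entries; if only one does, state the difference, because an administrator who relies on these lists for restriction will also want to know whether rejected requests appear in the log. It would also help to say at which log_level that message is emitted, since the -l entry gives ERROR as the default and says INFO and VERBOSE are the levels that log client transactions. Minor wording point in DESCRIPTION: "speaks the server side of SFTP protocol" reads better as "of the SFTP protocol".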