diff options
Diffstat (limited to '')
-rw-r--r-- | sftp-server.8 | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/sftp-server.8 b/sftp-server.8 new file mode 100644 index 0000000..5311bf9 --- /dev/null +++ b/sftp-server.8 @@ -0,0 +1,170 @@ +.\" $OpenBSD: sftp-server.8,v 1.31 2021/07/27 14:14:25 jmc Exp $ +.\" +.\" Copyright (c) 2000 Markus Friedl. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: July 27 2021 $ +.Dt SFTP-SERVER 8 +.Os +.Sh NAME +.Nm sftp-server +.Nd OpenSSH SFTP server subsystem +.Sh SYNOPSIS +.Nm sftp-server +.Bk -words +.Op Fl ehR +.Op Fl d Ar start_directory +.Op Fl f Ar log_facility +.Op Fl l Ar log_level +.Op Fl P Ar denied_requests +.Op Fl p Ar allowed_requests +.Op Fl u Ar umask +.Ek +.Nm +.Fl Q Ar protocol_feature +.Sh DESCRIPTION +.Nm +is a program that speaks the server side of SFTP protocol +to stdout and expects client requests from stdin. +.Nm +is not intended to be called directly, but from +.Xr sshd 8 +using the +.Cm Subsystem +option. +.Pp +Command-line flags to +.Nm +should be specified in the +.Cm Subsystem +declaration. +See +.Xr sshd_config 5 +for more information. +.Pp +Valid options are: +.Bl -tag -width Ds +.It Fl d Ar start_directory +Specifies an alternate starting directory for users. +The pathname may contain the following tokens that are expanded at runtime: +%% is replaced by a literal '%', +%d is replaced by the home directory of the user being authenticated, +and %u is replaced by the username of that user. +The default is to use the user's home directory. +This option is useful in conjunction with the +.Xr sshd_config 5 +.Cm ChrootDirectory +option. +.It Fl e +Causes +.Nm +to print logging information to stderr instead of syslog for debugging. +.It Fl f Ar log_facility +Specifies the facility code that is used when logging messages from +.Nm . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is AUTH. +.It Fl h +Displays +.Nm +usage information. +.It Fl l Ar log_level +Specifies which messages will be logged by +.Nm . +The possible values are: +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. +INFO and VERBOSE log transactions that +.Nm +performs on behalf of the client. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of debugging output. +The default is ERROR. +.It Fl P Ar denied_requests +Specifies a comma-separated list of SFTP protocol requests that are banned by +the server. +.Nm +will reply to any denied request with a failure. +The +.Fl Q +flag can be used to determine the supported request types. +If both denied and allowed lists are specified, then the denied list is +applied before the allowed list. +.It Fl p Ar allowed_requests +Specifies a comma-separated list of SFTP protocol requests that are permitted +by the server. +All request types that are not on the allowed list will be logged and replied +to with a failure message. +.Pp +Care must be taken when using this feature to ensure that requests made +implicitly by SFTP clients are permitted. +.It Fl Q Ar protocol_feature +Queries protocol features supported by +.Nm . +At present the only feature that may be queried is +.Dq requests , +which may be used to deny or allow specific requests (flags +.Fl P +and +.Fl p +respectively). +.It Fl R +Places this instance of +.Nm +into a read-only mode. +Attempts to open files for writing, as well as other operations that change +the state of the filesystem, will be denied. +.It Fl u Ar umask +Sets an explicit +.Xr umask 2 +to be applied to newly-created files and directories, instead of the +user's default mask. +.El +.Pp +On some systems, +.Nm +must be able to access +.Pa /dev/log +for logging to work, and use of +.Nm +in a chroot configuration therefore requires that +.Xr syslogd 8 +establish a logging socket inside the chroot directory. +.Sh SEE ALSO +.Xr sftp 1 , +.Xr ssh 1 , +.Xr sshd_config 5 , +.Xr sshd 8 +.Rs +.%A T. Ylonen +.%A S. Lehtinen +.%T "SSH File Transfer Protocol" +.%N draft-ietf-secsh-filexfer-02.txt +.%D October 2001 +.%O work in progress material +.Re +.Sh HISTORY +.Nm +first appeared in +.Ox 2.8 . +.Sh AUTHORS +.An Markus Friedl Aq Mt markus@openbsd.org |