sftp-server.8 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. .\" $OpenBSD: sftp-server.8,v 1.30 2020/06/22 06:36:40 jmc Exp $
  2. .\"
  3. .\" Copyright (c) 2000 Markus Friedl. All rights reserved.
  4. .\"
  5. .\" Redistribution and use in source and binary forms, with or without
  6. .\" modification, are permitted provided that the following conditions
  7. .\" are met:
  8. .\" 1. Redistributions of source code must retain the above copyright
  9. .\" notice, this list of conditions and the following disclaimer.
  10. .\" 2. Redistributions in binary form must reproduce the above copyright
  11. .\" notice, this list of conditions and the following disclaimer in the
  12. .\" documentation and/or other materials provided with the distribution.
  13. .\"
  14. .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  15. .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  16. .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  17. .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  18. .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  19. .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  20. .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  21. .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  22. .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  23. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24. .\"
  25. .Dd $Mdocdate: June 22 2020 $
  26. .Dt SFTP-SERVER 8
  27. .Os
  28. .Sh NAME
  29. .Nm sftp-server
  30. .Nd OpenSSH SFTP server subsystem
  31. .Sh SYNOPSIS
  32. .Nm sftp-server
  33. .Bk -words
  34. .Op Fl ehR
  35. .Op Fl d Ar start_directory
  36. .Op Fl f Ar log_facility
  37. .Op Fl l Ar log_level
  38. .Op Fl P Ar denied_requests
  39. .Op Fl p Ar allowed_requests
  40. .Op Fl u Ar umask
  41. .Op Fl m Ar force_file_perms
  42. .Ek
  43. .Nm
  44. .Fl Q Ar protocol_feature
  45. .Sh DESCRIPTION
  46. .Nm
  47. is a program that speaks the server side of SFTP protocol
  48. to stdout and expects client requests from stdin.
  49. .Nm
  50. is not intended to be called directly, but from
  51. .Xr sshd 8
  52. using the
  53. .Cm Subsystem
  54. option.
  55. .Pp
  56. Command-line flags to
  57. .Nm
  58. should be specified in the
  59. .Cm Subsystem
  60. declaration.
  61. See
  62. .Xr sshd_config 5
  63. for more information.
  64. .Pp
  65. Valid options are:
  66. .Bl -tag -width Ds
  67. .It Fl d Ar start_directory
  68. specifies an alternate starting directory for users.
  69. The pathname may contain the following tokens that are expanded at runtime:
  70. %% is replaced by a literal '%',
  71. %d is replaced by the home directory of the user being authenticated,
  72. and %u is replaced by the username of that user.
  73. The default is to use the user's home directory.
  74. This option is useful in conjunction with the
  75. .Xr sshd_config 5
  76. .Cm ChrootDirectory
  77. option.
  78. .It Fl e
  79. Causes
  80. .Nm
  81. to print logging information to stderr instead of syslog for debugging.
  82. .It Fl f Ar log_facility
  83. Specifies the facility code that is used when logging messages from
  84. .Nm .
  85. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
  86. LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
  87. The default is AUTH.
  88. .It Fl h
  89. Displays
  90. .Nm
  91. usage information.
  92. .It Fl l Ar log_level
  93. Specifies which messages will be logged by
  94. .Nm .
  95. The possible values are:
  96. QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
  97. INFO and VERBOSE log transactions that
  98. .Nm
  99. performs on behalf of the client.
  100. DEBUG and DEBUG1 are equivalent.
  101. DEBUG2 and DEBUG3 each specify higher levels of debugging output.
  102. The default is ERROR.
  103. .It Fl P Ar denied_requests
  104. Specify a comma-separated list of SFTP protocol requests that are banned by
  105. the server.
  106. .Nm
  107. will reply to any denied request with a failure.
  108. The
  109. .Fl Q
  110. flag can be used to determine the supported request types.
  111. If both denied and allowed lists are specified, then the denied list is
  112. applied before the allowed list.
  113. .It Fl p Ar allowed_requests
  114. Specify a comma-separated list of SFTP protocol requests that are permitted
  115. by the server.
  116. All request types that are not on the allowed list will be logged and replied
  117. to with a failure message.
  118. .Pp
  119. Care must be taken when using this feature to ensure that requests made
  120. implicitly by SFTP clients are permitted.
  121. .It Fl Q Ar protocol_feature
  122. Query protocol features supported by
  123. .Nm .
  124. At present the only feature that may be queried is
  125. .Dq requests ,
  126. which may be used to deny or allow specific requests (flags
  127. .Fl P
  128. and
  129. .Fl p
  130. respectively).
  131. .It Fl R
  132. Places this instance of
  133. .Nm
  134. into a read-only mode.
  135. Attempts to open files for writing, as well as other operations that change
  136. the state of the filesystem, will be denied.
  137. .It Fl u Ar umask
  138. Sets an explicit
  139. .Xr umask 2
  140. to be applied to newly-created files and directories, instead of the
  141. user's default mask.
  142. .It Fl m Ar force_file_perms
  143. Sets explicit file permissions to be applied to newly-created files instead
  144. of the default or client requested mode. Numeric values include:
  145. 777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
  146. umask (-u) effective only for newly created directories and explicit mode (-m)
  147. for newly created files.
  148. .El
  149. .Pp
  150. On some systems,
  151. .Nm
  152. must be able to access
  153. .Pa /dev/log
  154. for logging to work, and use of
  155. .Nm
  156. in a chroot configuration therefore requires that
  157. .Xr syslogd 8
  158. establish a logging socket inside the chroot directory.
  159. .Sh SEE ALSO
  160. .Xr sftp 1 ,
  161. .Xr ssh 1 ,
  162. .Xr sshd_config 5 ,
  163. .Xr sshd 8
  164. .Rs
  165. .%A T. Ylonen
  166. .%A S. Lehtinen
  167. .%T "SSH File Transfer Protocol"
  168. .%N draft-ietf-secsh-filexfer-02.txt
  169. .%D October 2001
  170. .%O work in progress material
  171. .Re
  172. .Sh HISTORY
  173. .Nm
  174. first appeared in
  175. .Ox 2.8 .
  176. .Sh AUTHORS
  177. .An Markus Friedl Aq Mt markus@openbsd.org