123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178 |
- .\" $OpenBSD: sftp-server.8,v 1.30 2020/06/22 06:36:40 jmc Exp $
- .\"
- .\" Copyright (c) 2000 Markus Friedl. All rights reserved.
- .\"
- .\" Redistribution and use in source and binary forms, with or without
- .\" modification, are permitted provided that the following conditions
- .\" are met:
- .\" 1. Redistributions of source code must retain the above copyright
- .\" notice, this list of conditions and the following disclaimer.
- .\" 2. Redistributions in binary form must reproduce the above copyright
- .\" notice, this list of conditions and the following disclaimer in the
- .\" documentation and/or other materials provided with the distribution.
- .\"
- .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- .\"
- .Dd $Mdocdate: June 22 2020 $
- .Dt SFTP-SERVER 8
- .Os
- .Sh NAME
- .Nm sftp-server
- .Nd OpenSSH SFTP server subsystem
- .Sh SYNOPSIS
- .Nm sftp-server
- .Bk -words
- .Op Fl ehR
- .Op Fl d Ar start_directory
- .Op Fl f Ar log_facility
- .Op Fl l Ar log_level
- .Op Fl P Ar denied_requests
- .Op Fl p Ar allowed_requests
- .Op Fl u Ar umask
- .Op Fl m Ar force_file_perms
- .Ek
- .Nm
- .Fl Q Ar protocol_feature
- .Sh DESCRIPTION
- .Nm
- is a program that speaks the server side of SFTP protocol
- to stdout and expects client requests from stdin.
- .Nm
- is not intended to be called directly, but from
- .Xr sshd 8
- using the
- .Cm Subsystem
- option.
- .Pp
- Command-line flags to
- .Nm
- should be specified in the
- .Cm Subsystem
- declaration.
- See
- .Xr sshd_config 5
- for more information.
- .Pp
- Valid options are:
- .Bl -tag -width Ds
- .It Fl d Ar start_directory
- specifies an alternate starting directory for users.
- The pathname may contain the following tokens that are expanded at runtime:
- %% is replaced by a literal '%',
- %d is replaced by the home directory of the user being authenticated,
- and %u is replaced by the username of that user.
- The default is to use the user's home directory.
- This option is useful in conjunction with the
- .Xr sshd_config 5
- .Cm ChrootDirectory
- option.
- .It Fl e
- Causes
- .Nm
- to print logging information to stderr instead of syslog for debugging.
- .It Fl f Ar log_facility
- Specifies the facility code that is used when logging messages from
- .Nm .
- The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
- LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
- The default is AUTH.
- .It Fl h
- Displays
- .Nm
- usage information.
- .It Fl l Ar log_level
- Specifies which messages will be logged by
- .Nm .
- The possible values are:
- QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
- INFO and VERBOSE log transactions that
- .Nm
- performs on behalf of the client.
- DEBUG and DEBUG1 are equivalent.
- DEBUG2 and DEBUG3 each specify higher levels of debugging output.
- The default is ERROR.
- .It Fl P Ar denied_requests
- Specify a comma-separated list of SFTP protocol requests that are banned by
- the server.
- .Nm
- will reply to any denied request with a failure.
- The
- .Fl Q
- flag can be used to determine the supported request types.
- If both denied and allowed lists are specified, then the denied list is
- applied before the allowed list.
- .It Fl p Ar allowed_requests
- Specify a comma-separated list of SFTP protocol requests that are permitted
- by the server.
- All request types that are not on the allowed list will be logged and replied
- to with a failure message.
- .Pp
- Care must be taken when using this feature to ensure that requests made
- implicitly by SFTP clients are permitted.
- .It Fl Q Ar protocol_feature
- Query protocol features supported by
- .Nm .
- At present the only feature that may be queried is
- .Dq requests ,
- which may be used to deny or allow specific requests (flags
- .Fl P
- and
- .Fl p
- respectively).
- .It Fl R
- Places this instance of
- .Nm
- into a read-only mode.
- Attempts to open files for writing, as well as other operations that change
- the state of the filesystem, will be denied.
- .It Fl u Ar umask
- Sets an explicit
- .Xr umask 2
- to be applied to newly-created files and directories, instead of the
- user's default mask.
- .It Fl m Ar force_file_perms
- Sets explicit file permissions to be applied to newly-created files instead
- of the default or client requested mode. Numeric values include:
- 777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
- umask (-u) effective only for newly created directories and explicit mode (-m)
- for newly created files.
- .El
- .Pp
- On some systems,
- .Nm
- must be able to access
- .Pa /dev/log
- for logging to work, and use of
- .Nm
- in a chroot configuration therefore requires that
- .Xr syslogd 8
- establish a logging socket inside the chroot directory.
- .Sh SEE ALSO
- .Xr sftp 1 ,
- .Xr ssh 1 ,
- .Xr sshd_config 5 ,
- .Xr sshd 8
- .Rs
- .%A T. Ylonen
- .%A S. Lehtinen
- .%T "SSH File Transfer Protocol"
- .%N draft-ietf-secsh-filexfer-02.txt
- .%D October 2001
- .%O work in progress material
- .Re
- .Sh HISTORY
- .Nm
- first appeared in
- .Ox 2.8 .
- .Sh AUTHORS
- .An Markus Friedl Aq Mt markus@openbsd.org
|