{ "content": [ { "type": "text", "text": "# sftp-server (man)\n\n## NAME\n\nsftp-server — OpenSSH SFTP server subsystem\n\n## SYNOPSIS\n\nsftp-server [-ehR] [-d startdirectory] [-f logfacility] [-l loglevel] [-P deniedrequests]\n[-p allowedrequests] [-u umask]\nsftp-server -Q protocolfeature\n\n## DESCRIPTION\n\nsftp-server is a program that speaks the server side of SFTP protocol to stdout and expects\nclient requests from stdin. sftp-server is not intended to be called directly, but from\nsshd(8) using the Subsystem option.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION** (10 subsections)\n- **SEE ALSO**\n- **HISTORY**\n- **AUTHORS**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "sftp-server", "section": "", "mode": "man", "summary": "sftp-server — OpenSSH SFTP server subsystem", "synopsis": "sftp-server [-ehR] [-d startdirectory] [-f logfacility] [-l loglevel] [-P deniedrequests]\n[-p allowedrequests] [-u umask]\nsftp-server -Q protocolfeature", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [ { "flag": "-d", "long": null, "arg": null, "description": "Specifies an alternate starting directory for users. The pathname may contain the fol‐ lowing tokens that are expanded at runtime: %% is replaced by a literal '%', %d is re‐ placed by the home directory of the user being authenticated, and %u is replaced by the username of that user. The default is to use the user's home directory. This option is useful in conjunction with the sshdconfig(5) ChrootDirectory option." }, { "flag": "-e", "long": null, "arg": null, "description": "ging." }, { "flag": "-f", "long": null, "arg": null, "description": "Specifies the facility code that is used when logging messages from sftp-server. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LO‐ CAL5, LOCAL6, LOCAL7. The default is AUTH." }, { "flag": "-h", "long": null, "arg": null, "description": "" }, { "flag": "-l", "long": null, "arg": null, "description": "Specifies which messages will be logged by sftp-server. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. INFO and VER‐ BOSE log transactions that sftp-server performs on behalf of the client. DEBUG and DE‐ BUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR." }, { "flag": "-P", "long": null, "arg": null, "description": "Specifies a comma-separated list of SFTP protocol requests that are banned by the server. sftp-server will reply to any denied request with a failure. The -Q flag can be used to determine the supported request types. If both denied and allowed lists are specified, then the denied list is applied before the allowed list." }, { "flag": "-p", "long": null, "arg": null, "description": "Specifies a comma-separated list of SFTP protocol requests that are permitted by the server. All request types that are not on the allowed list will be logged and replied to with a failure message. Care must be taken when using this feature to ensure that requests made implicitly by SFTP clients are permitted." }, { "flag": "-Q", "long": null, "arg": null, "description": "Queries protocol features supported by sftp-server. At present the only feature that may be queried is “requests”, which may be used to deny or allow specific requests (flags -P and -p respectively)." }, { "flag": "-R", "long": null, "arg": null, "description": "writing, as well as other operations that change the state of the filesystem, will be denied." }, { "flag": "-u", "long": null, "arg": null, "description": "Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask. On some systems, sftp-server must be able to access /dev/log for logging to work, and use of sftp-server in a chroot configuration therefore requires that syslogd(8) establish a logging socket inside the chroot directory." } ], "examples": [], "see_also": [ { "name": "sftp", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/sftp/1/json" }, { "name": "ssh", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/ssh/1/json" }, { "name": "sshdconfig", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/sshdconfig/5/json" }, { "name": "sshd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sshd/8/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 4, "subsections": [] }, { "name": "DESCRIPTION", "lines": 9, "subsections": [ { "name": "-d", "lines": 6, "flag": "-d" }, { "name": "-e", "lines": 2, "flag": "-e" }, { "name": "-f", "lines": 4, "flag": "-f" }, { "name": "-h", "lines": 1, "flag": "-h" }, { "name": "-l", "lines": 6, "flag": "-l" }, { "name": "-P", "lines": 5, "flag": "-P" }, { "name": "-p", "lines": 7, "flag": "-p" }, { "name": "-Q", "lines": 4, "flag": "-Q" }, { "name": "-R", "lines": 3, "flag": "-R" }, { "name": "-u", "lines": 7, "flag": "-u" } ] }, { "name": "SEE ALSO", "lines": 5, "subsections": [] }, { "name": "HISTORY", "lines": 2, "subsections": [] }, { "name": "AUTHORS", "lines": 3, "subsections": [] } ], "sections": { "NAME": { "content": "sftp-server — OpenSSH SFTP server subsystem\n", "subsections": [] }, "SYNOPSIS": { "content": "sftp-server [-ehR] [-d startdirectory] [-f logfacility] [-l loglevel] [-P deniedrequests]\n[-p allowedrequests] [-u umask]\nsftp-server -Q protocolfeature\n", "subsections": [] }, "DESCRIPTION": { "content": "sftp-server is a program that speaks the server side of SFTP protocol to stdout and expects\nclient requests from stdin. sftp-server is not intended to be called directly, but from\nsshd(8) using the Subsystem option.\n\nCommand-line flags to sftp-server should be specified in the Subsystem declaration. See\nsshdconfig(5) for more information.\n\nValid options are:\n", "subsections": [ { "name": "-d", "content": "Specifies an alternate starting directory for users. The pathname may contain the fol‐\nlowing tokens that are expanded at runtime: %% is replaced by a literal '%', %d is re‐\nplaced by the home directory of the user being authenticated, and %u is replaced by the\nusername of that user. The default is to use the user's home directory. This option\nis useful in conjunction with the sshdconfig(5) ChrootDirectory option.\n", "flag": "-d" }, { "name": "-e", "content": "ging.\n", "flag": "-e" }, { "name": "-f", "content": "Specifies the facility code that is used when logging messages from sftp-server. The\npossible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LO‐\nCAL5, LOCAL6, LOCAL7. The default is AUTH.\n", "flag": "-f" }, { "name": "-h", "content": "", "flag": "-h" }, { "name": "-l", "content": "Specifies which messages will be logged by sftp-server. The possible values are:\nQUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. INFO and VER‐\nBOSE log transactions that sftp-server performs on behalf of the client. DEBUG and DE‐\nBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output.\nThe default is ERROR.\n", "flag": "-l" }, { "name": "-P", "content": "Specifies a comma-separated list of SFTP protocol requests that are banned by the\nserver. sftp-server will reply to any denied request with a failure. The -Q flag can\nbe used to determine the supported request types. If both denied and allowed lists are\nspecified, then the denied list is applied before the allowed list.\n", "flag": "-P" }, { "name": "-p", "content": "Specifies a comma-separated list of SFTP protocol requests that are permitted by the\nserver. All request types that are not on the allowed list will be logged and replied\nto with a failure message.\n\nCare must be taken when using this feature to ensure that requests made implicitly by\nSFTP clients are permitted.\n", "flag": "-p" }, { "name": "-Q", "content": "Queries protocol features supported by sftp-server. At present the only feature that\nmay be queried is “requests”, which may be used to deny or allow specific requests\n(flags -P and -p respectively).\n", "flag": "-Q" }, { "name": "-R", "content": "writing, as well as other operations that change the state of the filesystem, will be\ndenied.\n", "flag": "-R" }, { "name": "-u", "content": "Sets an explicit umask(2) to be applied to newly-created files and directories, instead\nof the user's default mask.\n\nOn some systems, sftp-server must be able to access /dev/log for logging to work, and use of\nsftp-server in a chroot configuration therefore requires that syslogd(8) establish a logging\nsocket inside the chroot directory.\n", "flag": "-u" } ] }, "SEE ALSO": { "content": "sftp(1), ssh(1), sshdconfig(5), sshd(8)\n\nT. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-filexfer-02.txt,\nOctober 2001, work in progress material.\n", "subsections": [] }, "HISTORY": { "content": "sftp-server first appeared in OpenBSD 2.8.\n", "subsections": [] }, "AUTHORS": { "content": "Markus Friedl \n\nBSD July 27, 2021 BSD", "subsections": [] } } } }