Annotation of src/usr.bin/ssh/sftp-server.8, Revision 1.24
1.24 ! djm 1: .\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $
1.2 deraadt 2: .\"
1.5 deraadt 3: .\" Copyright (c) 2000 Markus Friedl. All rights reserved.
1.2 deraadt 4: .\"
5: .\" Redistribution and use in source and binary forms, with or without
6: .\" modification, are permitted provided that the following conditions
7: .\" are met:
8: .\" 1. Redistributions of source code must retain the above copyright
9: .\" notice, this list of conditions and the following disclaimer.
10: .\" 2. Redistributions in binary form must reproduce the above copyright
11: .\" notice, this list of conditions and the following disclaimer in the
12: .\" documentation and/or other materials provided with the distribution.
13: .\"
14: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24: .\"
1.24 ! djm 25: .Dd $Mdocdate: July 16 2013 $
1.1 markus 26: .Dt SFTP-SERVER 8
27: .Os
28: .Sh NAME
29: .Nm sftp-server
30: .Nd SFTP server subsystem
31: .Sh SYNOPSIS
32: .Nm sftp-server
1.24 ! djm 33: .Bk -words
1.18 djm 34: .Op Fl ehR
1.20 djm 35: .Op Fl d Ar start_directory
1.11 djm 36: .Op Fl f Ar log_facility
37: .Op Fl l Ar log_level
1.16 djm 38: .Op Fl u Ar umask
1.24 ! djm 39: .Ek
! 40: .Nm
! 41: .Fl Q Ar protocol_feature
1.1 markus 42: .Sh DESCRIPTION
43: .Nm
44: is a program that speaks the server side of SFTP protocol
45: to stdout and expects client requests from stdin.
46: .Nm
47: is not intended to be called directly, but from
1.3 aaron 48: .Xr sshd 8
1.1 markus 49: using the
50: .Cm Subsystem
51: option.
1.11 djm 52: .Pp
53: Command-line flags to
54: .Nm
55: should be specified in the
56: .Cm Subsystem
57: declaration.
1.1 markus 58: See
1.10 jmc 59: .Xr sshd_config 5
1.1 markus 60: for more information.
1.11 djm 61: .Pp
62: Valid options are:
63: .Bl -tag -width Ds
1.21 jmc 64: .It Fl d Ar start_directory
1.20 djm 65: specifies an alternate starting directory for users.
66: The pathname may contain the following tokens that are expanded at runtime:
67: %% is replaced by a literal '%',
68: %h is replaced by the home directory of the user being authenticated,
69: and %u is replaced by the username of that user.
70: The default is to use the user's home directory.
71: This option is useful in conjunction with the
72: .Xr sshd_config 5
73: .Cm ChrootDirectory
74: option.
1.17 djm 75: .It Fl e
76: Causes
77: .Nm
78: to print logging information to stderr instead of syslog for debugging.
1.11 djm 79: .It Fl f Ar log_facility
80: Specifies the facility code that is used when logging messages from
81: .Nm .
82: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
83: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
84: The default is AUTH.
1.17 djm 85: .It Fl h
86: Displays
87: .Nm
88: usage information.
1.11 djm 89: .It Fl l Ar log_level
90: Specifies which messages will be logged by
91: .Nm .
92: The possible values are:
93: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
94: INFO and VERBOSE log transactions that
95: .Nm
96: performs on behalf of the client.
97: DEBUG and DEBUG1 are equivalent.
98: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
99: The default is ERROR.
1.24 ! djm 100: .It Fl P Ar blacklisted_requests
! 101: Specify a comma-separated list of sftp protocol requests that are banned by
! 102: the server.
! 103: .Nm
! 104: will reply to any blacklisted request with a failure.
! 105: The
! 106: .Fl Q
! 107: flag allows querying
! 108: .Nm
! 109: to determine the supported request types.
! 110: If both a blacklist and a whitelist are specified, then the blacklist is
! 111: applied before the whitelist.
! 112: .It Fl p Ar whitelisted_requests
! 113: Specify a comma-separated list of sftp protocol requests that are permitted
! 114: by the server.
! 115: All request types that are not on the whitelist will be logged and replied
! 116: to with a failure message.
! 117: .Pp
! 118: Care must be taken when using this feature to ensure that requests made
! 119: implicitly by sftp clients are permitted.
! 120: .It Fl Q Ar protocol_feature
! 121: Query protocol features supported by
! 122: .Nm .
! 123: At present the only feature that may be queried is
! 124: .Dq requests ,
! 125: that may be used for whitelisting or blacklisting (flags
! 126: .Fl p
! 127: and
! 128: .Fl P
! 129: respectively.)
1.18 djm 130: .It Fl R
131: Places this instance of
132: .Nm
133: into a read-only mode.
134: Attempts to open files for writing, as well as other operations that change
1.19 jmc 135: the state of the filesystem, will be denied.
1.16 djm 136: .It Fl u Ar umask
137: Sets an explicit
138: .Xr umask 2
139: to be applied to newly-created files and directories, instead of the
140: user's default mask.
1.11 djm 141: .El
1.13 djm 142: .Pp
143: For logging to work,
144: .Nm
145: must be able to access
146: .Pa /dev/log .
147: Use of
148: .Nm
1.15 sobrado 149: in a chroot configuration therefore requires that
1.13 djm 150: .Xr syslogd 8
151: establish a logging socket inside the chroot directory.
1.3 aaron 152: .Sh SEE ALSO
1.6 markus 153: .Xr sftp 1 ,
1.3 aaron 154: .Xr ssh 1 ,
1.10 jmc 155: .Xr sshd_config 5 ,
1.3 aaron 156: .Xr sshd 8
1.6 markus 157: .Rs
1.8 deraadt 158: .%A T. Ylonen
159: .%A S. Lehtinen
1.6 markus 160: .%T "SSH File Transfer Protocol"
1.22 dtucker 161: .%N draft-ietf-secsh-filexfer-02.txt
162: .%D October 2001
1.6 markus 163: .%O work in progress material
164: .Re
1.1 markus 165: .Sh HISTORY
166: .Nm
167: first appeared in
168: .Ox 2.8 .
1.9 jmc 169: .Sh AUTHORS
1.23 schwarze 170: .An Markus Friedl Aq Mt markus@openbsd.org
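
The following is an added example, not part of the annotated file and not sftp-server source code. It models the rule documented for -P and -p above: the blacklist is applied before the whitelist, and when a whitelist is given every request not on it is refused. The function names, the exact-token matching and the sample policy are assumptions; use `sftp-server -Q requests` to obtain the request names your build supports.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if name is a whole token of the comma-separated list. */
static int in_list(const char *name, const char *list)
{
    size_t n = strlen(name);

    while (list != NULL && *list != '\0') {
        const char *comma = strchr(list, ',');
        size_t len = comma ? (size_t)(comma - list) : strlen(list);

        if (len == n && strncmp(list, name, n) == 0)
            return 1;
        list = comma ? comma + 1 : NULL;
    }
    return 0;
}

/*
 * Model of the -P/-p decision (hypothetical helper, not sftp-server code).
 * A NULL list means the flag was not given.
 * Returns 1 if the request is served, 0 if it is answered with a failure.
 */
int request_permitted(const char *req, const char *blacklist,
    const char *whitelist)
{
    if (blacklist != NULL && in_list(req, blacklist))
        return 0;                       /* blacklist is applied first */
    if (whitelist != NULL)
        return in_list(req, whitelist); /* unlisted requests are refused */
    return 1;                           /* neither flag: no restriction */
}

int main(void)
{
    /* Constructed policy and request names, for illustration only. */
    const char *wl = "open,close,read,opendir,readdir,stat,lstat,fstat,symlink";
    const char *bl = "symlink,readlink";
    const char *reqs[] = { "open", "read", "symlink", "realpath", "write" };
    size_t i;

    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-8s %s\n", reqs[i],
            request_permitted(reqs[i], bl, wl) ? "permitted" : "failure");
    return 0;
}
```

In this constructed policy, symlink fails even though it is whitelisted, and realpath fails only because it was left off the whitelist, which is the kind of omission the -p caveat about implicitly made requests warns against.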