Annotation of src/usr.bin/ssh/sftp-server.8, Revision 1.26
1.26 ! schwarze 1: .\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $
1.2 deraadt 2: .\"
1.5 deraadt 3: .\" Copyright (c) 2000 Markus Friedl. All rights reserved.
1.2 deraadt 4: .\"
5: .\" Redistribution and use in source and binary forms, with or without
6: .\" modification, are permitted provided that the following conditions
7: .\" are met:
8: .\" 1. Redistributions of source code must retain the above copyright
9: .\" notice, this list of conditions and the following disclaimer.
10: .\" 2. Redistributions in binary form must reproduce the above copyright
11: .\" notice, this list of conditions and the following disclaimer in the
12: .\" documentation and/or other materials provided with the distribution.
13: .\"
14: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24: .\"
1.26 ! schwarze 25: .Dd $Mdocdate: October 14 2013 $
1.1 markus 26: .Dt SFTP-SERVER 8
27: .Os
28: .Sh NAME
29: .Nm sftp-server
30: .Nd SFTP server subsystem
31: .Sh SYNOPSIS
32: .Nm sftp-server
1.24 djm 33: .Bk -words
1.18 djm 34: .Op Fl ehR
1.20 djm 35: .Op Fl d Ar start_directory
1.11 djm 36: .Op Fl f Ar log_facility
37: .Op Fl l Ar log_level
1.25 jmc 38: .Op Fl P Ar blacklisted_requests
39: .Op Fl p Ar whitelisted_requests
1.16 djm 40: .Op Fl u Ar umask
1.24 djm 41: .Ek
42: .Nm
43: .Fl Q Ar protocol_feature
1.1 markus 44: .Sh DESCRIPTION
45: .Nm
46: is a program that speaks the server side of SFTP protocol
47: to stdout and expects client requests from stdin.
48: .Nm
49: is not intended to be called directly, but from
1.3 aaron 50: .Xr sshd 8
1.1 markus 51: using the
52: .Cm Subsystem
53: option.
1.11 djm 54: .Pp
55: Command-line flags to
56: .Nm
57: should be specified in the
58: .Cm Subsystem
59: declaration.
1.1 markus 60: See
1.10 jmc 61: .Xr sshd_config 5
1.1 markus 62: for more information.
1.11 djm 63: .Pp
64: Valid options are:
65: .Bl -tag -width Ds
1.21 jmc 66: .It Fl d Ar start_directory
1.20 djm 67: specifies an alternate starting directory for users.
68: The pathname may contain the following tokens that are expanded at runtime:
69: %% is replaced by a literal '%',
70: %h is replaced by the home directory of the user being authenticated,
71: and %u is replaced by the username of that user.
72: The default is to use the user's home directory.
73: This option is useful in conjunction with the
74: .Xr sshd_config 5
75: .Cm ChrootDirectory
76: option.
1.17 djm 77: .It Fl e
78: Causes
79: .Nm
80: to print logging information to stderr instead of syslog for debugging.
1.11 djm 81: .It Fl f Ar log_facility
82: Specifies the facility code that is used when logging messages from
83: .Nm .
84: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
85: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
86: The default is AUTH.
1.17 djm 87: .It Fl h
88: Displays
89: .Nm
90: usage information.
1.11 djm 91: .It Fl l Ar log_level
92: Specifies which messages will be logged by
93: .Nm .
94: The possible values are:
95: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
96: INFO and VERBOSE log transactions that
97: .Nm
98: performs on behalf of the client.
99: DEBUG and DEBUG1 are equivalent.
100: DEBUG2 and DEBUG3 each specify higher levels of debugging output.
101: The default is ERROR.
1.24 djm 102: .It Fl P Ar blacklisted_requests
1.25 jmc 103: Specify a comma-separated list of SFTP protocol requests that are banned by
1.24 djm 104: the server.
105: .Nm
106: will reply to any blacklisted request with a failure.
107: The
108: .Fl Q
1.25 jmc 109: flag can be used to determine the supported request types.
1.24 djm 110: If both a blacklist and a whitelist are specified, then the blacklist is
111: applied before the whitelist.
112: .It Fl p Ar whitelisted_requests
1.25 jmc 113: Specify a comma-separated list of SFTP protocol requests that are permitted
1.24 djm 114: by the server.
115: All request types that are not on the whitelist will be logged and replied
116: to with a failure message.
117: .Pp
118: Care must be taken when using this feature to ensure that requests made
1.25 jmc 119: implicitly by SFTP clients are permitted.
1.24 djm 120: .It Fl Q Ar protocol_feature
121: Query protocol features supported by
122: .Nm .
123: At present the only feature that may be queried is
124: .Dq requests ,
1.25 jmc 125: which may be used for black or whitelisting (flags
126: .Fl P
127: and
1.24 djm 128: .Fl p
1.25 jmc 129: respectively).
1.18 djm 130: .It Fl R
131: Places this instance of
132: .Nm
133: into a read-only mode.
134: Attempts to open files for writing, as well as other operations that change
1.19 jmc 135: the state of the filesystem, will be denied.
1.16 djm 136: .It Fl u Ar umask
137: Sets an explicit
138: .Xr umask 2
139: to be applied to newly-created files and directories, instead of the
140: user's default mask.
1.11 djm 141: .El
1.13 djm 142: .Pp
1.26 ! schwarze 143: On some systems,
1.13 djm 144: .Nm
145: must be able to access
1.26 ! schwarze 146: .Pa /dev/log
! 147: for logging to work, and use of
1.13 djm 148: .Nm
1.15 sobrado 149: in a chroot configuration therefore requires that
1.13 djm 150: .Xr syslogd 8
151: establish a logging socket inside the chroot directory.
1.3 aaron 152: .Sh SEE ALSO
1.6 markus 153: .Xr sftp 1 ,
1.3 aaron 154: .Xr ssh 1 ,
1.10 jmc 155: .Xr sshd_config 5 ,
1.3 aaron 156: .Xr sshd 8
1.6 markus 157: .Rs
1.8 deraadt 158: .%A T. Ylonen
159: .%A S. Lehtinen
1.6 markus 160: .%T "SSH File Transfer Protocol"
1.22 dtucker 161: .%N draft-ietf-secsh-filexfer-02.txt
162: .%D October 2001
1.6 markus 163: .%O work in progress material
164: .Re
1.1 markus 165: .Sh HISTORY
166: .Nm
167: first appeared in
168: .Ox 2.8 .
1.9 jmc 169: .Sh AUTHORS
1.23 schwarze 170: .An Markus Friedl Aq Mt markus@openbsd.org
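
The interaction of the -R, -P and -p options documented above, as an added example that is not part of the manual page or of OpenSSH: a small Python model that parses a Subsystem declaration and reports how a given request type would be answered. The sample sshd_config line, the binary path, the function names and the WRITE_REQUESTS set are assumptions of this example; confirm request names against the output of `sftp-server -Q requests` on the target system.

```python
import getopt
import shlex

# Assumption: requests this example treats as changing filesystem state
# (the -R text also covers opening files for writing, not modelled here).
WRITE_REQUESTS = {"write", "setstat", "fsetstat", "remove", "mkdir", "rmdir",
                  "rename", "symlink", "posix-rename", "hardlink"}

# Constructed sample line; the path is a placeholder for the local install.
SAMPLE = ("Subsystem sftp /usr/libexec/sftp-server -l INFO "
          "-P remove,rmdir -p open,close,read,lstat,remove")

def parse_subsystem(line):
    """Extract the -R, -P and -p settings from a Subsystem declaration."""
    words = shlex.split(line)
    if len(words) < 3 or words[0].lower() != "subsystem":
        raise ValueError("not a Subsystem declaration")
    # Option string taken from the SYNOPSIS: -ehR plus flags with arguments.
    opts, _ = getopt.getopt(words[3:], "d:f:l:P:p:Q:u:ehR")
    policy = {"readonly": False, "blacklist": None, "whitelist": None}
    for flag, value in opts:
        if flag == "-R":
            policy["readonly"] = True
        elif flag == "-P":
            policy["blacklist"] = set(value.split(","))
        elif flag == "-p":
            policy["whitelist"] = set(value.split(","))
    return policy

def request_permitted(policy, name):
    """Return (allowed, reason) for one request type under the policy."""
    # Checking -R first is this example's choice; the result is a denial
    # either way. The blacklist is applied before the whitelist, as documented.
    if policy["readonly"] and name in WRITE_REQUESTS:
        return False, "read-only mode"
    if policy["blacklist"] is not None and name in policy["blacklist"]:
        return False, "blacklisted"
    if policy["whitelist"] is not None and name not in policy["whitelist"]:
        return False, "not whitelisted"
    return True, "permitted"

if __name__ == "__main__":
    policy = parse_subsystem(SAMPLE)
    for req in ("read", "remove", "realpath", "write"):
        print(req, request_permitted(policy, req))
```

In the sample, `remove` is refused although it is whitelisted, and `realpath` is refused because the whitelist omits it, which is the kind of implicitly issued request the -p text warns about.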