mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-26 21:13:11 +01:00
172 lines
5.0 KiB
Groff
172 lines
5.0 KiB
Groff
.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd October 14, 2013
|
|
.Dt SFTP-SERVER 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm sftp-server
|
|
.Nd SFTP server subsystem
|
|
.Sh SYNOPSIS
|
|
.Nm sftp-server
|
|
.Bk -words
|
|
.Op Fl ehR
|
|
.Op Fl d Ar start_directory
|
|
.Op Fl f Ar log_facility
|
|
.Op Fl l Ar log_level
|
|
.Op Fl P Ar blacklisted_requests
|
|
.Op Fl p Ar whitelisted_requests
|
|
.Op Fl u Ar umask
|
|
.Ek
|
|
.Nm
|
|
.Fl Q Ar protocol_feature
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is a program that speaks the server side of SFTP protocol
|
|
to stdout and expects client requests from stdin.
|
|
.Nm
|
|
is not intended to be called directly, but from
|
|
.Xr sshd 8
|
|
using the
|
|
.Cm Subsystem
|
|
option.
|
|
.Pp
|
|
Command-line flags to
|
|
.Nm
|
|
should be specified in the
|
|
.Cm Subsystem
|
|
declaration.
|
|
See
|
|
.Xr sshd_config 5
|
|
for more information.
|
|
.Pp
|
|
Valid options are:
|
|
.Bl -tag -width Ds
|
|
.It Fl d Ar start_directory
|
|
specifies an alternate starting directory for users.
|
|
The pathname may contain the following tokens that are expanded at runtime:
|
|
%% is replaced by a literal '%',
|
|
%h is replaced by the home directory of the user being authenticated,
|
|
and %u is replaced by the username of that user.
|
|
The default is to use the user's home directory.
|
|
This option is useful in conjunction with the
|
|
.Xr sshd_config 5
|
|
.Cm ChrootDirectory
|
|
option.
|
|
.It Fl e
|
|
Causes
|
|
.Nm
|
|
to print logging information to stderr instead of syslog for debugging.
|
|
.It Fl f Ar log_facility
|
|
Specifies the facility code that is used when logging messages from
|
|
.Nm .
|
|
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
|
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
The default is AUTH.
|
|
.It Fl h
|
|
Displays
|
|
.Nm
|
|
usage information.
|
|
.It Fl l Ar log_level
|
|
Specifies which messages will be logged by
|
|
.Nm .
|
|
The possible values are:
|
|
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
|
|
INFO and VERBOSE log transactions that
|
|
.Nm
|
|
performs on behalf of the client.
|
|
DEBUG and DEBUG1 are equivalent.
|
|
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
|
The default is ERROR.
|
|
.It Fl P Ar blacklisted_requests
|
|
Specify a comma-separated list of SFTP protocol requests that are banned by
|
|
the server.
|
|
.Nm
|
|
will reply to any blacklisted request with a failure.
|
|
The
|
|
.Fl Q
|
|
flag can be used to determine the supported request types.
|
|
If both a blacklist and a whitelist are specified, then the blacklist is
|
|
applied before the whitelist.
|
|
.It Fl p Ar whitelisted_requests
|
|
Specify a comma-separated list of SFTP protocol requests that are permitted
|
|
by the server.
|
|
All request types that are not on the whitelist will be logged and replied
|
|
to with a failure message.
|
|
.Pp
|
|
Care must be taken when using this feature to ensure that requests made
|
|
implicitly by SFTP clients are permitted.
|
|
.It Fl Q Ar protocol_feature
|
|
Query protocol features supported by
|
|
.Nm .
|
|
At present the only feature that may be queried is
|
|
.Dq requests ,
|
|
which may be used for black or whitelisting (flags
|
|
.Fl P
|
|
and
|
|
.Fl p
|
|
respectively).
|
|
.It Fl R
|
|
Places this instance of
|
|
.Nm
|
|
into a read-only mode.
|
|
Attempts to open files for writing, as well as other operations that change
|
|
the state of the filesystem, will be denied.
|
|
.It Fl u Ar umask
|
|
Sets an explicit
|
|
.Xr umask 2
|
|
to be applied to newly-created files and directories, instead of the
|
|
user's default mask.
|
|
.El
|
|
.Pp
|
|
For logging to work,
|
|
.Nm
|
|
must be able to access
|
|
.Pa /dev/log .
|
|
Use of
|
|
.Nm
|
|
in a chroot configuration therefore requires that
|
|
.Xr syslogd 8
|
|
establish a logging socket inside the chroot directory.
|
|
.Sh SEE ALSO
|
|
.Xr sftp 1 ,
|
|
.Xr ssh 1 ,
|
|
.Xr sshd_config 5 ,
|
|
.Xr sshd 8
|
|
.Rs
|
|
.%A T. Ylonen
|
|
.%A S. Lehtinen
|
|
.%T "SSH File Transfer Protocol"
|
|
.%N draft-ietf-secsh-filexfer-02.txt
|
|
.%D October 2001
|
|
.%O work in progress material
|
|
.Re
|
|
.Sh HISTORY
|
|
.Nm
|
|
first appeared in
|
|
.Ox 2.8 .
|
|
.Sh AUTHORS
|
|
.An Markus Friedl Aq Mt markus@openbsd.org
|