SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8)
NAME
sftp-server — OpenSSH SFTP server subsystem
SYNOPSIS
sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
[-P denied_requests] [-p allowed_requests] [-u umask]
sftp-server -Q protocol_feature
DESCRIPTION
sftp-server is a program that speaks the server side of SFTP protocol to
stdout and expects client requests from stdin. sftp-server is not in-
tended to be called directly, but from sshd(8) using the Subsystem op-
tion.
Command-line flags to sftp-server should be specified in the Subsystem
declaration. See sshd_config(5) for more information.
Valid options are:
-d start_directory
Specifies an alternate starting directory for users. The path-
name may contain the following tokens that are expanded at run-
time: %% is replaced by a literal '%', %d is replaced by the
home directory of the user being authenticated, and %u is re-
placed by the username of that user. The default is to use the
user's home directory. This option is useful in conjunction
with the sshd_config(5) ChrootDirectory option.
-e Causes sftp-server to print logging information to stderr in-
stead of syslog for debugging.
-f log_facility
Specifies the facility code that is used when logging messages
from sftp-server. The possible values are: DAEMON, USER, AUTH,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
-h Displays sftp-server usage information.
-l log_level
Specifies which messages will be logged by sftp-server. The
possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions
that sftp-server performs on behalf of the client. DEBUG and
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
levels of debugging output. The default is ERROR.
-P denied_requests
Specifies a comma-separated list of SFTP protocol requests that
are banned by the server. sftp-server will reply to any denied
request with a failure. The -Q flag can be used to determine
the supported request types. If both denied and allowed lists
are specified, then the denied list is applied before the al-
lowed list.
-p allowed_requests
Specifies a comma-separated list of SFTP protocol requests that
are permitted by the server. All request types that are not on
the allowed list will be logged and replied to with a failure
message.
Care must be taken when using this feature to ensure that re-
quests made implicitly by SFTP clients are permitted.
-Q protocol_feature
Queries protocol features supported by sftp-server. At present
the only feature that may be queried is “requests”, which may be
used to deny or allow specific requests (flags -P and -p respec-
tively).
-R Places this instance of sftp-server into a read-only mode. At-
tempts to open files for writing, as well as other operations
that change the state of the filesystem, will be denied.
-u umask
Sets an explicit umask(2) to be applied to newly-created files
and directories, instead of the user's default mask.
On some systems, sftp-server must be able to access /dev/log for logging
to work, and use of sftp-server in a chroot configuration therefore re-
quires that syslogd(8) establish a logging socket inside the chroot di-
rectory.
SEE ALSO
sftp(1), ssh(1), sshd_config(5), sshd(8)
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-02.txt, October 2001, work in progress material.
HISTORY
sftp-server first appeared in OpenBSD 2.8.
AUTHORS
Markus Friedl <markus@openbsd.org>
Debian July 27, 2021 SFTP-SERVER(8)
Generated by dwww version 1.16 on Tue Dec 16 04:01:14 CET 2025.