Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
SFTP-SERVER(8)		FreeBSD	System Manager's Manual		SFTP-SERVER(8)

     sftp-server -- OpenSSH SFTP server	subsystem

     sftp-server [-ehR]	[-d start_directory] [-f log_facility] [-l log_level]
		 [-P denied_requests] [-p allowed_requests] [-u	umask]
     sftp-server -Q protocol_feature

     sftp-server is a program that speaks the server side of SFTP protocol to
     stdout and	expects	client requests	from stdin.  sftp-server is not	in-
     tended to be called directly, but from sshd(8) using the Subsystem	op-

     Command-line flags	to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -d	start_directory
	     Specifies an alternate starting directory for users.  The path-
	     name may contain the following tokens that	are expanded at	run-
	     time: %% is replaced by a literal '%', %d is replaced by the home
	     directory of the user being authenticated,	and %u is replaced by
	     the username of that user.	 The default is	to use the user's home
	     directory.	 This option is	useful in conjunction with the
	     sshd_config(5) ChrootDirectory option.

     -e	     Causes sftp-server	to print logging information to	stderr instead
	     of	syslog for debugging.

     -f	log_facility
	     Specifies the facility code that is used when logging messages
	     from sftp-server.	The possible values are: DAEMON, USER, AUTH,
	     The default is AUTH.

     -h	     Displays sftp-server usage	information.

     -l	log_level
	     Specifies which messages will be logged by	sftp-server.  The pos-
	     sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DE-
	     BUG1, DEBUG2, and DEBUG3.	INFO and VERBOSE log transactions that
	     sftp-server performs on behalf of the client.  DEBUG and DEBUG1
	     are equivalent.  DEBUG2 and DEBUG3	each specify higher levels of
	     debugging output.	The default is ERROR.

     -P	denied_requests
	     Specifies a comma-separated list of SFTP protocol requests	that
	     are banned	by the server.	sftp-server will reply to any denied
	     request with a failure.  The -Q flag can be used to determine the
	     supported request types.  If both denied and allowed lists	are
	     specified,	then the denied	list is	applied	before the allowed

     -p	allowed_requests
	     Specifies a comma-separated list of SFTP protocol requests	that
	     are permitted by the server.  All request types that are not on
	     the allowed list will be logged and replied to with a failure

	     Care must be taken	when using this	feature	to ensure that re-
	     quests made implicitly by SFTP clients are	permitted.

     -Q	protocol_feature
	     Queries protocol features supported by sftp-server.  At present
	     the only feature that may be queried is "requests", which may be
	     used to deny or allow specific requests (flags -P and -p respec-

     -R	     Places this instance of sftp-server into a	read-only mode.	 At-
	     tempts to open files for writing, as well as other	operations
	     that change the state of the filesystem, will be denied.

     -u	umask
	     Sets an explicit umask(2) to be applied to	newly-created files
	     and directories, instead of the user's default mask.

     On	some systems, sftp-server must be able to access /dev/log for logging
     to	work, and use of sftp-server in	a chroot configuration therefore re-
     quires that syslogd(8) establish a	logging	socket inside the chroot di-

     sftp(1), ssh(1), sshd_config(5), sshd(8)

     T.	Ylonen and S. Lehtinen,	SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-02.txt, October 2001, work in progress material.

     sftp-server first appeared	in OpenBSD 2.8.

     Markus Friedl <>

FreeBSD	13.0			 July 27, 2021			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help