LinuxCommandLibrary

sftp-server

Provide secure file transfer service

SYNOPSIS

sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level] [-P denied_requests] [-p allowed_requests] [-u umask]
sftp-server -Q protocol_feature

PARAMETERS

-d start_directory
    Specifies an alternate starting directory for users. The pathname may contain the tokens %% (a literal '%'), %d (the home directory of the authenticated user) and %u (that user's login name), which are expanded at runtime. The default is the user's home directory. Useful together with the sshd_config(5) ChrootDirectory option, for example to start users in a writable subdirectory of a root-owned jail.

-e
    Causes sftp-server to print logging information to stderr instead of syslog, for debugging.

-f log_facility
    Specifies the syslog facility code used when logging messages from sftp-server. The possible values are DAEMON, USER, AUTH and LOCAL0 through LOCAL7. The default is AUTH.

-h
    Displays sftp-server usage information.

-l log_level
    Specifies which messages are logged by sftp-server. The possible values are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. INFO and VERBOSE log the transactions that sftp-server performs on behalf of the client, which is what an audit trail of uploads and downloads needs. DEBUG and DEBUG1 are equivalent; DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR.

-P denied_requests
    Specifies a comma-separated list of SFTP protocol requests that are banned by the server. sftp-server replies to any denied request with a failure. The -Q flag can be used to determine the supported request types. If both a denied and an allowed list are specified, the denied list is applied before the allowed list.

-p allowed_requests
    Specifies a comma-separated list of SFTP protocol requests that are permitted by the server. All request types not on the allowed list are logged and replied to with a failure message. Take care when using this feature: SFTP clients make some requests implicitly (for example realpath and stat before an open), and those must be permitted too.

-Q protocol_feature
    Queries protocol features supported by sftp-server. At present the only feature that may be queried is "requests", which returns the list of supported protocol requests.

-R
    Places this instance of sftp-server into read-only mode. Attempts to open files for writing, as well as other operations that change the state of the filesystem, are denied.

-u umask
    Sets an explicit umask(2) to be applied to newly created files and directories, instead of the user's default mask.

DESCRIPTION

sftp-server is the OpenSSH SFTP server subsystem. It is not normally run directly by users: sshd(8) starts it, after authentication, when a client requests the sftp subsystem. sftp-server speaks the SFTP protocol on its standard input and output and performs the requested operations (upload, download, directory listing, rename, permission changes and so on) on the server's filesystem with the privileges of the authenticated user. It does no encryption of its own; confidentiality and integrity come from the SSH connection that sshd wraps around it. Access control therefore rests on SSH authentication, ordinary filesystem permissions, restrictions applied through sshd_config(5) (ChrootDirectory, ForceCommand, Match blocks) and the request filtering available through the -R, -p and -P flags.

Using SFTP rather than FTP is strongly recommended, especially for sensitive data or untrusted networks: credentials and file contents never cross the wire in the clear, and the connection is protected against man-in-the-middle attacks as long as the client verifies the server's host key. The protocol supports reads and writes at arbitrary file offsets, which is what lets clients resume interrupted transfers.

CAVEATS

sftp-server is almost always started by sshd through the Subsystem directive; direct execution is rare and mainly useful with -Q. Filesystem permissions are the only thing separating users who share a server, so review them carefully. sshd refuses a chroot whose directory or any parent is not owned by root or is writable by group or others ("bad ownership or modes for chroot directory"); a jail that passes that check but gives the user write access to the wrong place is still a misconfiguration. Logging from sftp-server goes through /dev/log, so running the stand-alone binary inside a chroot requires syslogd(8) to establish a logging socket inside the jail, or transaction logging is lost.

INVOCATION

sftp-server is normally started through the Subsystem directive in sshd_config(5); any command-line flags are placed on that line. For example:

Subsystem sftp /usr/lib/openssh/sftp-server

Or with transaction logging enabled at INFO level to the AUTH facility:

Subsystem sftp /usr/lib/openssh/sftp-server -l INFO -f AUTH

sshd also accepts the special command internal-sftp, which runs the SFTP server in-process and takes the same flags:

Subsystem sftp internal-sftp

CHROOTDIRECTORY

The ChrootDirectory option, configured in sshd_config(5), confines users to a directory on the server so that nothing outside the jail is reachable through SFTP. sshd chroots before it starts the subsystem, so the jail must contain whatever the session needs: with the stand-alone sftp-server binary that means the binary, its shared libraries and, for logging, /dev/log; with internal-sftp no support files are needed, which is why it is the usual choice for sftp-only accounts. sshd requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group; give users a writable subdirectory inside the jail (or point -d at one) rather than loosening the jail root itself.

HISTORY

The sftp-server was developed as part of the OpenSSH project to provide a secure replacement for FTP. It was designed to leverage the security features of SSH, such as encryption and authentication, to protect data during file transfer. It has become a standard component of most Linux distributions and is widely used for secure file transfer.

SEE ALSO

ssh(1), sshd(8), sftp(1)
