Network
sftp-server
SFTP server subsystem for SSH.
Additional Notes
sftp-server is the SFTP (SSH File Transfer Protocol) server subsystem that runs as part of sshd. It provides file transfer, directory listing, and remote filesystem operations over a secure SSH connection. It is automatically invoked by sshd when an SFTP client connects and requests the sftp subsystem.
The SFTP protocol (not to be confused with FTPS) runs entirely over the SSH transport layer, inheriting SSH's authentication, encryption, and integrity protections. The server is configured in /etc/ssh/sshd_config via the Subsystem sftp directive, which can point to the sftp-server binary or the newer internal-sftp implementation.
Syntax
sftp-server [-d startdir] [-e] [-f log_facility] [-l log_level] [-P blacklisted_requests] [-p whitelisted_requests] [-u umask]
Parameters
- options: Flags that change how sftp-server behaves.
- target: Optional file, device, interface, user, service, or command target when the command supports one.
Common Options
- -d startdir: Change to the specified directory before starting the session.
- -e: Log to stderr instead of syslog.
- -f facility: Specify the syslog facility (default: AUTH).
- -l level: Specify the logging level (default: INFO).
- -P requests: Blacklist specific SFTP protocol requests (comma-separated).
- -p requests: Whitelist specific SFTP protocol requests (comma-separated).
- -u umask: Set the file creation umask for new files.
- -R: Reject rename operations.
- -r: Reject remote readlink operations (preserve link targets).
Examples
sftp-server -d /srv/sftp -u 0027
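Start an SFTP server session that begins in /srv/sftp with a restrictive umask. The -d option only sets the starting directory; confining users to a directory is done with ChrootDirectory in sshd_config.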
sftp-server -l DEBUG
Start the SFTP server with debug-level logging.
Practical Notes
- sftp-server is not intended to be run directly from the command line; it is invoked by sshd.
- The internal-sftp subsystem (configured in sshd_config) is a newer in-process implementation that avoids launching a separate process per SFTP connection.
- Chroot directories for SFTP users are configured with ChrootDirectory in sshd_config.
- SFTP-only accounts are typically set up with Subsystem sftp internal-sftp and forced internal SFTP with ForceCommand internal-sftp.
- Logging is directed to syslog by default under the AUTH facility.
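One way to check an sshd_config for the SFTP-only pattern from the notes above (ChrootDirectory together with ForceCommand internal-sftp), as an added example that is not part of the original page. The two sample configs, the uploads group, the paths and the function names are constructed for illustration.

```python
# Added example: audit sshd_config text for the SFTP-only pattern in the notes.
# WEAK and HARDENED are constructed samples; group name and paths are assumptions.
WEAK = """\
Subsystem sftp /usr/libexec/sftp-server
Match Group uploads
    ChrootDirectory /srv/sftp/%u
"""
HARDENED = """\
Subsystem sftp internal-sftp
Match Group uploads
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -u 0027
"""

def parse(text):
    """Split config text into (block_name, {keyword: value}) pairs.
    Keywords are case-insensitive; the first value seen in a block is kept."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))  # a Match block runs to the next Match or EOF
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def audit(text):
    """Return a list of findings about chroot and forced-SFTP settings."""
    findings = []
    blocks = parse(text)
    sub = blocks[0][1].get("subsystem", "").split()
    if sub[:1] == ["sftp"] and sub[1:2] != ["internal-sftp"]:
        findings.append("global: Subsystem sftp points to an external binary, not internal-sftp")
    for name, opts in blocks:
        forced = opts.get("forcecommand", "").split()[:1] == ["internal-sftp"]
        chroot = opts.get("chrootdirectory", "none").lower() != "none"
        if chroot and not forced:
            findings.append(f"{name}: ChrootDirectory set without ForceCommand internal-sftp")
        if forced and not chroot:
            findings.append(f"{name}: ForceCommand internal-sftp set without ChrootDirectory")
    return findings
```

The checker reads only the text it is given and does not resolve Include files or evaluate which Match block applies to a particular user.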