1 files changed, 36 insertions, 2 deletions
diff --git a/sftp-server.8 b/sftp-server.8
index cc925b96e..1e0b277b4 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $
+.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $
 .\"
 .\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: October 14 2013 $
 .Dt SFTP-SERVER 8
 .Os
 .Sh NAME
@@ -30,11 +30,17 @@
 .Nd SFTP server subsystem
 .Sh SYNOPSIS
 .Nm sftp-server
+.Bk -words
 .Op Fl ehR
 .Op Fl d Ar start_directory
 .Op Fl f Ar log_facility
 .Op Fl l Ar log_level
+.Op Fl P Ar blacklisted_requests
+.Op Fl p Ar whitelisted_requests
 .Op Fl u Ar umask
+.Ek
+.Nm
+.Fl Q Ar protocol_feature
 .Sh DESCRIPTION
 .Nm
 is a program that speaks the server side of SFTP protocol
@@ -93,6 +99,34 @@ performs on behalf of the client.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
 The default is ERROR.
+.It Fl P Ar blacklisted_requests
+Specify a comma-separated list of SFTP protocol requests that are banned by
+the server.
+.Nm
+will reply to any blacklisted request with a failure.
+The
+.Fl Q
+flag can be used to determine the supported request types.
+If both a blacklist and a whitelist are specified, then the blacklist is
+applied before the whitelist.
+.It Fl p Ar whitelisted_requests
+Specify a comma-separated list of SFTP protocol requests that are permitted
+by the server.
+All request types that are not on the whitelist will be logged and replied
+to with a failure message.
+.Pp
+Care must be taken when using this feature to ensure that requests made
+implicitly by SFTP clients are permitted.
+.It Fl Q Ar protocol_feature
+Query protocol features supported by
+.Nm .
+At present the only feature that may be queried is
+.Dq requests ,
+which may be used for black or whitelisting (flags
+.Fl P
+and
+.Fl p
+respectively).
 .It Fl R
 Places this instance of
 .Nm

diff --git a/sftp-server.8 b/sftp-server.8 index cc925b96e..1e0b277b4 100644 --- a/sftp-server.8 +++ b/sftp-server.8
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $	1	.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2000 Markus Friedl. All rights reserved.	3	.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
4	.\"	4	.\"
@@ -22,7 +22,7 @@
22	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	22	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	23	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24	.\"	24	.\"
25	.Dd $Mdocdate: July 16 2013 $	25	.Dd $Mdocdate: October 14 2013 $
26	.Dt SFTP-SERVER 8	26	.Dt SFTP-SERVER 8
27	.Os	27	.Os
28	.Sh NAME	28	.Sh NAME
@@ -30,11 +30,17 @@
30	.Nd SFTP server subsystem	30	.Nd SFTP server subsystem
31	.Sh SYNOPSIS	31	.Sh SYNOPSIS
32	.Nm sftp-server	32	.Nm sftp-server
		33	.Bk -words
33	.Op Fl ehR	34	.Op Fl ehR
34	.Op Fl d Ar start_directory	35	.Op Fl d Ar start_directory
35	.Op Fl f Ar log_facility	36	.Op Fl f Ar log_facility
36	.Op Fl l Ar log_level	37	.Op Fl l Ar log_level
		38	.Op Fl P Ar blacklisted_requests
		39	.Op Fl p Ar whitelisted_requests
37	.Op Fl u Ar umask	40	.Op Fl u Ar umask
		41	.Ek
		42	.Nm
		43	.Fl Q Ar protocol_feature
38	.Sh DESCRIPTION	44	.Sh DESCRIPTION
39	.Nm	45	.Nm
40	is a program that speaks the server side of SFTP protocol	46	is a program that speaks the server side of SFTP protocol
@@ -93,6 +99,34 @@ performs on behalf of the client.
93	DEBUG and DEBUG1 are equivalent.	99	DEBUG and DEBUG1 are equivalent.
94	DEBUG2 and DEBUG3 each specify higher levels of debugging output.	100	DEBUG2 and DEBUG3 each specify higher levels of debugging output.
95	The default is ERROR.	101	The default is ERROR.
		102	.It Fl P Ar blacklisted_requests
		103	Specify a comma-separated list of SFTP protocol requests that are banned by
		104	the server.
		105	.Nm
		106	will reply to any blacklisted request with a failure.
		107	The
		108	.Fl Q
		109	flag can be used to determine the supported request types.
		110	If both a blacklist and a whitelist are specified, then the blacklist is
		111	applied before the whitelist.
		112	.It Fl p Ar whitelisted_requests
		113	Specify a comma-separated list of SFTP protocol requests that are permitted
		114	by the server.
		115	All request types that are not on the whitelist will be logged and replied
		116	to with a failure message.
		117	.Pp
		118	Care must be taken when using this feature to ensure that requests made
		119	implicitly by SFTP clients are permitted.
		120	.It Fl Q Ar protocol_feature
		121	Query protocol features supported by
		122	.Nm .
		123	At present the only feature that may be queried is
		124	.Dq requests ,
		125	which may be used for black or whitelisting (flags
		126	.Fl P
		127	and
		128	.Fl p
		129	respectively).
96	.It Fl R	130	.It Fl R
97	Places this instance of	131	Places this instance of
98	.Nm	132	.Nm