--- title: "rclone serve sftp" description: "Serve the remote over SFTP." slug: rclone_serve_sftp url: /commands/rclone_serve_sftp/ # autogenerated - DO NOT EDIT, instead edit the source code in cmd/serve/sftp/ and as part of making a release run "make commanddocs" --- # rclone serve sftp Serve the remote over SFTP. ## Synopsis rclone serve sftp implements an SFTP server to serve the remote over SFTP. This can be used with an SFTP client or you can make a remote of type sftp to use with it. You can use the filter flags (eg --include, --exclude) to control what is served. The server will log errors. Use -v to see access logs. --bwlimit will be respected for file transfers. Use --stats to control the stats printing. You must provide some means of authentication, either with --user/--pass, an authorized keys file (specify location with --authorized-keys - the default is the same as ssh), an --auth-proxy, or set the --no-auth flag for no authentication when logging in. Note that this also implements a small number of shell commands so that it can provide md5sum/sha1sum/df information for the rclone sftp backend. This means that is can support SHA1SUMs, MD5SUMs and the about command when paired with the rclone sftp backend. If you don't supply a --key then rclone will generate one and cache it for later use. By default the server binds to localhost:2022 - if you want it to be reachable externally then supply "--addr :2022" for example. Note that the default of "--vfs-cache-mode off" is fine for the rclone sftp backend, but it may not be with other SFTP clients. ## VFS - Virtual File System This command uses the VFS layer. This adapts the cloud storage objects that rclone uses into something which looks much more like a disk filing system. Cloud storage objects have lots of properties which aren't like disk files - you can't extend them or write to the middle of them, so the VFS layer has to deal with that. Because there is no one right way of doing this there are various options explained below. The VFS layer also implements a directory cache - this caches info about files and directories (but not the data) in memory. ## VFS Directory Cache Using the `--dir-cache-time` flag, you can control how long a directory should be considered up to date and not refreshed from the backend. Changes made through the mount will appear immediately or invalidate the cache. --dir-cache-time duration Time to cache directory entries for. (default 5m0s) --poll-interval duration Time to wait between polling for changes. However, changes made directly on the cloud storage by the web interface or a different copy of rclone will only be picked up once the directory cache expires if the backend configured does not support polling for changes. If the backend supports polling, changes will be picked up within the polling interval. You can send a `SIGHUP` signal to rclone for it to flush all directory caches, regardless of how old they are. Assuming only one rclone instance is running, you can reset the cache like this: kill -SIGHUP $(pidof rclone) If you configure rclone with a [remote control](/rc) then you can use rclone rc to flush the whole directory cache: rclone rc vfs/forget Or individual files or directories: rclone rc vfs/forget file=path/to/file dir=path/to/dir ## VFS File Buffering The `--buffer-size` flag determines the amount of memory, that will be used to buffer data in advance. Each open file will try to keep the specified amount of data in memory at all times. The buffered data is bound to one open file and won't be shared. This flag is a upper limit for the used memory per open file. The buffer will only use memory for data that is downloaded but not not yet read. If the buffer is empty, only a small amount of memory will be used. The maximum memory used by rclone for buffering can be up to `--buffer-size * open files`. ## VFS File Caching These flags control the VFS file caching options. File caching is necessary to make the VFS layer appear compatible with a normal file system. It can be disabled at the cost of some compatibility. For example you'll need to enable VFS caching if you want to read and write simultaneously to a file. See below for more details. Note that the VFS cache is separate from the cache backend and you may find that you need one or the other or both. --cache-dir string Directory rclone will use for caching. --vfs-cache-mode CacheMode Cache mode off|minimal|writes|full (default off) --vfs-cache-max-age duration Max age of objects in the cache. (default 1h0m0s) --vfs-cache-max-size SizeSuffix Max total size of objects in the cache. (default off) --vfs-cache-poll-interval duration Interval to poll the cache for stale objects. (default 1m0s) --vfs-write-back duration Time to writeback files after last use when using cache. (default 5s) If run with `-vv` rclone will print the location of the file cache. The files are stored in the user cache file area which is OS dependent but can be controlled with `--cache-dir` or setting the appropriate environment variable. The cache has 4 different modes selected by `--vfs-cache-mode`. The higher the cache mode the more compatible rclone becomes at the cost of using disk space. Note that files are written back to the remote only when they are closed and if they haven't been accessed for --vfs-write-back second. If rclone is quit or dies with files that haven't been uploaded, these will be uploaded next time rclone is run with the same flags. If using --vfs-cache-max-size note that the cache may exceed this size for two reasons. Firstly because it is only checked every --vfs-cache-poll-interval. Secondly because open files cannot be evicted from the cache. ### --vfs-cache-mode off In this mode (the default) the cache will read directly from the remote and write directly to the remote without caching anything on disk. This will mean some operations are not possible * Files can't be opened for both read AND write * Files opened for write can't be seeked * Existing files opened for write must have O_TRUNC set * Files open for read with O_TRUNC will be opened write only * Files open for write only will behave as if O_TRUNC was supplied * Open modes O_APPEND, O_TRUNC are ignored * If an upload fails it can't be retried ### --vfs-cache-mode minimal This is very similar to "off" except that files opened for read AND write will be buffered to disk. This means that files opened for write will be a lot more compatible, but uses the minimal disk space. These operations are not possible * Files opened for write only can't be seeked * Existing files opened for write must have O_TRUNC set * Files opened for write only will ignore O_APPEND, O_TRUNC * If an upload fails it can't be retried ### --vfs-cache-mode writes In this mode files opened for read only are still read directly from the remote, write only and read/write files are buffered to disk first. This mode should support all normal file system operations. If an upload fails it will be retried at exponentially increasing intervals up to 1 minute. ### --vfs-cache-mode full In this mode all reads and writes are buffered to and from disk. When data is read from the remote this is buffered to disk as well. In this mode the files in the cache will be sparse files and rclone will keep track of which bits of the files it has dowloaded. So if an application only reads the starts of each file, then rclone will only buffer the start of the file. These files will appear to be their full size in the cache, but they will be sparse files with only the data that has been downloaded present in them. This mode should support all normal file system operations and is otherwise identical to --vfs-cache-mode writes. When reading a file rclone will read --buffer-size plus --vfs-read-ahead bytes ahead. The --buffer-size is buffered in memory whereas the --vfs-read-ahead is buffered on disk. When using this mode it is recommended that --buffer-size is not set too big and --vfs-read-ahead is set large if required. ## VFS Performance These flags may be used to enable/disable features of the VFS for performance or other reasons. In particular S3 and Swift benefit hugely from the --no-modtime flag (or use --use-server-modtime for a slightly different effect) as each read of the modification time takes a transaction. --no-checksum Don't compare checksums on up/download. --no-modtime Don't read/write the modification time (can speed things up). --no-seek Don't allow seeking in files. --read-only Mount read-only. When rclone reads files from a remote it reads them in chunks. This means that rather than requesting the whole file rclone reads the chunk specified. This is advantageous because some cloud providers account for reads being all the data requested, not all the data delivered. Rclone will keep doubling the chunk size requested starting at --vfs-read-chunk-size with a maximum of --vfs-read-chunk-size-limit unless it is set to "off" in which case there will be no limit. --vfs-read-chunk-size SizeSuffix Read the source objects in chunks. (default 128M) --vfs-read-chunk-size-limit SizeSuffix Max chunk doubling size (default "off") Sometimes rclone is delivered reads or writes out of order. Rather than seeking rclone will wait a short time for the in sequence read or write to come in. These flags only come into effect when not using an on disk cache file. --vfs-read-wait duration Time to wait for in-sequence read before seeking. (default 20ms) --vfs-write-wait duration Time to wait for in-sequence write before giving error. (default 1s) ## VFS Case Sensitivity Linux file systems are case-sensitive: two files can differ only by case, and the exact case must be used when opening a file. File systems in modern Windows are case-insensitive but case-preserving: although existing files can be opened using any case, the exact case used to create the file is preserved and available for programs to query. It is not allowed for two files in the same directory to differ only by case. Usually file systems on macOS are case-insensitive. It is possible to make macOS file systems case-sensitive but that is not the default The "--vfs-case-insensitive" mount flag controls how rclone handles these two cases. If its value is "false", rclone passes file names to the mounted file system as-is. If the flag is "true" (or appears without a value on command line), rclone may perform a "fixup" as explained below. The user may specify a file name to open/delete/rename/etc with a case different than what is stored on mounted file system. If an argument refers to an existing file with exactly the same name, then the case of the existing file on the disk will be used. However, if a file name with exactly the same name is not found but a name differing only by case exists, rclone will transparently fixup the name. This fixup happens only when an existing file is requested. Case sensitivity of file names created anew by rclone is controlled by an underlying mounted file system. Note that case sensitivity of the operating system running rclone (the target) may differ from case sensitivity of a file system mounted by rclone (the source). The flag controls whether "fixup" is performed to satisfy the target. If the flag is not provided on the command line, then its default value depends on the operating system where rclone runs: "true" on Windows and macOS, "false" otherwise. If the flag is provided without a value, then it is "true". ## Auth Proxy If you supply the parameter `--auth-proxy /path/to/program` then rclone will use that program to generate backends on the fly which then are used to authenticate incoming requests. This uses a simple JSON based protocl with input on STDIN and output on STDOUT. **PLEASE NOTE:** `--auth-proxy` and `--authorized-keys` cannot be used together, if `--auth-proxy` is set the authorized keys option will be ignored. There is an example program [bin/test_proxy.py](https://github.com/rclone/rclone/blob/master/test_proxy.py) in the rclone source code. The program's job is to take a `user` and `pass` on the input and turn those into the config for a backend on STDOUT in JSON format. This config will have any default parameters for the backend added, but it won't use configuration from environment variables or command line options - it is the job of the proxy program to make a complete config. This config generated must have this extra parameter - `_root` - root to use for the backend And it may have this parameter - `_obscure` - comma separated strings for parameters to obscure If password authentication was used by the client, input to the proxy process (on STDIN) would look similar to this: ``` { "user": "me", "pass": "mypassword" } ``` If public-key authentication was used by the client, input to the proxy process (on STDIN) would look similar to this: ``` { "user": "me", "public_key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDuwESFdAe14hVS6omeyX7edc...JQdf" } ``` And as an example return this on STDOUT ``` { "type": "sftp", "_root": "", "_obscure": "pass", "user": "me", "pass": "mypassword", "host": "sftp.example.com" } ``` This would mean that an SFTP backend would be created on the fly for the `user` and `pass`/`public_key` returned in the output to the host given. Note that since `_obscure` is set to `pass`, rclone will obscure the `pass` parameter before creating the backend (which is required for sftp backends). The program can manipulate the supplied `user` in any way, for example to make proxy to many different sftp backends, you could make the `user` be `user@example.com` and then set the `host` to `example.com` in the output and the user to `user`. For security you'd probably want to restrict the `host` to a limited list. Note that an internal cache is keyed on `user` so only use that for configuration, don't use `pass` or `public_key`. This also means that if a user's password or public-key is changed the cache will need to expire (which takes 5 mins) before it takes effect. This can be used to build general purpose proxies to any kind of backend that rclone supports. ``` rclone serve sftp remote:path [flags] ``` ## Options ``` --addr string IPaddress:Port or :Port to bind server to. (default "localhost:2022") --auth-proxy string A program to use to create the backend from the auth. --authorized-keys string Authorized keys file (default "~/.ssh/authorized_keys") --dir-cache-time duration Time to cache directory entries for. (default 5m0s) --dir-perms FileMode Directory permissions (default 0777) --file-perms FileMode File permissions (default 0666) --gid uint32 Override the gid field set by the filesystem. (default 1000) -h, --help help for sftp --key stringArray SSH private host key file (Can be multi-valued, leave blank to auto generate) --no-auth Allow connections with no authentication if set. --no-checksum Don't compare checksums on up/download. --no-modtime Don't read/write the modification time (can speed things up). --no-seek Don't allow seeking in files. --pass string Password for authentication. --poll-interval duration Time to wait between polling for changes. Must be smaller than dir-cache-time. Only on supported remotes. Set to 0 to disable. (default 1m0s) --read-only Mount read-only. --uid uint32 Override the uid field set by the filesystem. (default 1000) --umask int Override the permission bits set by the filesystem. (default 2) --user string User name for authentication. --vfs-cache-max-age duration Max age of objects in the cache. (default 1h0m0s) --vfs-cache-max-size SizeSuffix Max total size of objects in the cache. (default off) --vfs-cache-mode CacheMode Cache mode off|minimal|writes|full (default off) --vfs-cache-poll-interval duration Interval to poll the cache for stale objects. (default 1m0s) --vfs-case-insensitive If a file name not found, find a case insensitive match. --vfs-read-ahead SizeSuffix Extra read ahead over --buffer-size when using cache-mode full. --vfs-read-chunk-size SizeSuffix Read the source objects in chunks. (default 128M) --vfs-read-chunk-size-limit SizeSuffix If greater than --vfs-read-chunk-size, double the chunk size after each chunk read, until the limit is reached. 'off' is unlimited. (default off) --vfs-read-wait duration Time to wait for in-sequence read before seeking. (default 20ms) --vfs-write-back duration Time to writeback files after last use when using cache. (default 5s) --vfs-write-wait duration Time to wait for in-sequence write before giving error. (default 1s) ``` See the [global flags page](/flags/) for global options not listed here. ## SEE ALSO * [rclone serve](/commands/rclone_serve/) - Serve a remote over a protocol.