SSH access
Buru SFTP Server serves SFTP and SCP file transfers over SSH. On top of that, SSH endpoints can expose a shell for remote command-line access, either restricted or a full interactive terminal. This page explains the available shell types and the settings that control terminal sessions.
For step-by-step setup, see Configure SSH Access.
Terminal shell grants full filesystem access
The terminal shell type gives SSH users an interactive shell that runs under the server's service account — or under the user's own Windows account when impersonation is configured for that user.
Virtual path mappings do not apply — the user can reach the entire filesystem, restricted only by the OS-level permissions of whichever account runs the shell.
Only enable it for trusted users, and run the server under a dedicated service account with limited NTFS permissions — never as SYSTEM.
The sshShell.allowSystemAccount setting is false by default for this reason.
Shell types
The shell type determines what happens when a client opens an SSH session:
| Shell type | Description |
|---|---|
none (default) | Minimal shell restricted to the user's virtual path mappings. SCP file transfers are available. |
legacy | Same as none, but also supports SSH aliases. |
terminal | Full interactive terminal (cmd.exe, PowerShell, or a custom executable). The user is not restricted to their path mappings — they can access the file system under the service account's permissions. |
The terminal shell type requires Windows 10 version 1809+ or Windows Server 2019+.
When terminal is selected, SCP becomes unavailable on that endpoint. If you need both SCP and terminal access, configure separate SSH endpoints — one with SCP enabled and one with terminal access.
Minimal shell commands
The none and legacy shells expose a small set of built-in commands that operate within the user's path mappings:
cd cp dir
echo exit groups
help hostname ls
mkdir mv pwd
rm rmdir set
uname whoamiThe legacy shell additionally runs SSH aliases defined by the administrator.
Terminal executable and home directory
When the shell type is terminal, two additional settings control how the shell process is launched:
-
Shell executable — the program started for each terminal session. Defaults to
cmd.exe. The SSH client can also request a specific executable on the command line, in which case the server runs that instead of the configured default:# Launch the configured default shell ssh user@host # Launch PowerShell regardless of the server default ssh user@host powershell.exe -
Home directory — the working directory the shell is launched from. Defaults to the server's installation directory.
Both are server-wide defaults (sshShell.defaultShellPath and sshShell.defaultHomeDirectory) and can be overridden per user.
See also
- Configure SSH Access — step-by-step setup
sshShellreference — all shell configuration optionsbindingsreference — SSH endpoint configurationaliasesreference — command aliases for thelegacyshell