Friday, October 23, 2009

chroot sftp for Tutorial

I use to author and publish this blog. After clicking the PUBLISH POST button, moves the post to, which means that I need to give access to my server.

To do this securely, I only allow access to through SFTP and I chroot the user to /home/blogger so that only blog files are permitted to be updated. I set this up on my Ubuntu virtual machine through, which by the way is a fantastic hosting provider.

Here are the steps to chroot
1) Verify that you have an OpenSSH >= 4.9. Update OpenSSH if needed.
root@web1:/# ssh -V
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007

2) Create the user and change the owner and group of its home directory to root.
root@web1:/# /usr/sbin/useradd blogger
root@web1:/# passwd blogger
root@web1:/# chown -R root.root /home/blogger

3) Edit /etc/ssh/sshd_config to set up the chroot.
Subsystem sftp internal-sftp
Match User blogger
      ChrootDirectory /home/blogger
      AllowTcpForwarding no
      ForceCommand internal-sftp

Be sure to delete the existing line Subsystem sftp /usr/lib/openssh/sftp-server, because sshd accepts only one Subsystem entry for sftp and refuses to start if it is defined twice. More information on

4) Restart ssh.
/etc/init.d/ssh restart

5) Verify that you can sftp in with the blogger user and that the root directory for the user is /home/blogger.
perry-hertlers-mac-pro:~ perry$ sftp
Connecting to's password: 
sftp> pwd
Remote working directory: /
sftp> ls

OK, now we have the chrooted sftp access for blogger set up, but we still need to serve those files on the web site. We can simply set up a symbolic link to /home/blogger from our virtual host directory.
root@web1:/# ln -s /home/blogger /var/www/

Now we are securely giving sftp access to our web server.

