Friday, October 23, 2009

chroot sftp for blogger.com Tutorial

I use blogger.com to author and publish this blog. After clicking the PUBLISH POST button, blogger.com moves the post to hertler.org, which means that I need to give blogger.com access to my server.

To do this securely, I only allow blogger.com access to hertler.org through SFTP, and I chroot the blogger.com user to /home/blogger so that only blog files can be updated. I set this up on my Ubuntu virtual machine hosted at hostingrails.com, which by the way is a fantastic hosting provider.

Here are the steps to chroot blogger.com:
1) Verify that you have OpenSSH 4.9 or later. Update OpenSSH if needed.
root@web1:/# ssh -V
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007


2) Create the blogger.com user and change the owner and group of its home directory to root.
root@web1:/# /usr/sbin/useradd blogger
root@web1:/# passwd blogger
root@web1:/# chown -R root.root /home/blogger



3) Edit /etc/ssh/sshd_config to set up the chroot.
Subsystem sftp internal-sftp
Match user blogger
      ChrootDirectory /home/blogger
      AllowTcpForwarding no
      ForceCommand internal-sftp

Be sure to delete the existing line Subsystem sftp /usr/lib/openssh/sftp-server. More information on

4) Restart ssh.
/etc/init.d/ssh restart


5) Verify that you can sftp in with the blogger user and that the root directory for the user is /home/blogger.
perry-hertlers-mac-pro:~ perry$ sftp blogger@hertler.org
Connecting to hertler.org...
blogger@hertler.org's password: 
sftp> pwd
Remote working directory: /
sftp> ls
testfileinbloggerhomedir.txt           
sftp> 



OK, now we have the chrooted sftp access for blogger set up, but we still need to serve those files on the web site. We can simply set up a symbolic link to /home/blogger from our virtual host directory.
root@web1:/# ln -s /home/blogger /var/www/blog.hertler.org/current


Now we are securely giving blogger.com sftp access to our web server.
