This always ends up being a bit tricky, and some guides I’ve found on the net differ slightly from what I’ve got here. This seems to work pretty well for me on Debian.
Enter the following into /etc/sshd/config to allow sftp and to lock a user into a specific chroot’ed directory:
Subsystem sftp /usr/lib/openssh/sftp-server
For each user you want to lock down, you’ll first need to add the user, set the shell to false so they can’t log in via ssh and then set their home directory to where you want them chroot’ed:
useradd jorbloggs usermod -s /bin/false joebloggs usermod -d /srv/www/somehome/ joebloggs
Now just add a few details for the user to /etc/sshd/config:
Match User joebloggs X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp ChrootDirectory %h
The users home directory must be owned by root and only writable by root – bit weird, but you get odd auth messages and it doesn’t work otherwise. There’s probably a work-around for this, but for me it doesn’t really matter. If or when I do need a work around I’ll post it here. Feel free to leave comments with tips/suggestions!