Starting with OpenSSH version 4.9p1, chroot support is built into sshd, which makes the same chroot jail restriction possible in sftp as in ftp. In other words: no more ftp!
referring to this link: http://www.minstrel.org.uk/papers/sftp/builtin/
after downloading and unpacking (tar -zxvf) the source tarball:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-tcp-wrappers
make; make install
then edit /etc/ssh/sshd_config with vi or nano:
replace the existing Subsystem line with
Subsystem sftp internal-sftp
and add these lines at the end of the file:
Match group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
now create the group ‘sftponly’:
sudo groupadd sftponly
now create a user for chroot jailed sftp; because its shell is /bin/false and the Match block forces internal-sftp, this user will also be prevented from logging in over ssh (the username user1 is used throughout this post; -m makes sure the home directory is created):
sudo useradd -m -g sftponly -d /home/user1 -s /bin/false user1
or, if you want to assign an already existing user to this purpose:
sudo usermod -g sftponly -d /home/user1 -s /bin/false user1
now fix up the ownership and permissions of that home directory (sshd requires the ChrootDirectory to be owned by root and not writable by anyone else):
sudo chown root:root /home/user1; sudo chmod 755 /home/user1
now you can sftp into this chroot jailed directory, but you will find you can't write into it. Here is the trick:
cd /home/user1; sudo mkdir home; cd home; sudo mkdir user1; sudo chown user1:sftponly user1
This solves the problem. In the chroot jailed situation, /home/user1 acts as / for the sftp'ed user1, and /home/user1/home/user1 therefore acts as /home/user1; since that inner directory is owned by user1, it can be written to.
Don't try to chown /home/user1 itself to user1:sftponly or chmod it to 777: sshd refuses to chroot into a directory (or any of its parent components) that is not owned by root or is group- or world-writable, so the sftp login will fail.