I've had to set up a few SFTP servers as of late with "jailed" or chroot'ed users. All in all this is pretty straightforward, but there is one thing I always forget I do at the end to make it 'cleaner' for users when they log in.
Create the root sftp directory our users will be jailed to. sshd requires this directory (and every directory above it) to be owned by root and not writable by group or others, otherwise it refuses the login with "bad ownership or modes for chroot directory".
# mkdir /sftp
Set up the group the sftp users will be in.
# groupadd sftpgroup
Create an sftp user, set their primary group to 'sftpgroup', and set their password. The -m creates /sftp/sftpuser owned by the user, which is what makes it writable inside the jail later.
# useradd -g sftpgroup -d /sftp/sftpuser -m -s /sbin/nologin sftpuser
# passwd sftpuser
Set up the sftp subsystem of the ssh daemon. Comment out 'sftp-server' and add internal-sftp, which runs the SFTP server inside sshd itself, so no binaries, libraries or device nodes have to be copied into the chroot.
# vi /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
At the bottom of the sshd_config add the following for the group's chroot directory. It really has to be at the bottom: every line after a Match applies only to that Match block, so anything placed below it would silently stop applying globally.
Match Group sftpgroup
    ChrootDirectory /sftp
    ForceCommand internal-sftp
Now you can restart the ssh daemon to enable the new config (running sshd -t first will catch a typo before you lock yourself out).
# service sshd restart
Now the one little extra bit I like to do: not only chroot them, but also make the user's home directory writeable by them, keep them from listing the jail root, and keep them from wandering into other directories.
So we lock the user out of reading the jail root and then 'fake' the user's home directory path back to itself.
# chmod 711 /sftp
# cd /sftp
# ln -s . sftp
What this does is trick sshd about where the home directory is. After the chroot from our sshd_config, sshd does a chdir to the user's home directory, /sftp/sftpuser, but by then every path is resolved inside the jail, so /sftp/sftpuser really means /sftp/sftp/sftpuser on the host. Without the link that path does not exist, the chdir fails silently and the user is dropped at the jail root (the real /sftp), which they cannot write to and, with mode 711, cannot even list. With the link, /sftp/sftp points back to /sftp, so /sftp/sftpuser inside the jail resolves to the real /sftp/sftpuser, the directory useradd -m created for them, and they land in a directory they can write to.
Two caveats. Mode 711 on /sftp only hides the listing; a jailed user can still cd into another user's home by name if that home's own permissions allow it, so check each home with ls -ld and chmod 700 it if your login.defs gave it anything looser. And the ChrootDirectory must stay root-owned and not group/world writable, so never loosen it to let users write at the top level; the writable space is the per-user directory below it.
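As an added example that is not part of the original post, the script below wraps the same steps in shell functions and, to show why the symlink matters without touching a real server, emulates sshd's post-chroot chdir(pw_dir) as a path lookup underneath the jail: /sftp/sftpuser fails to resolve until /sftp/sftp -> . exists. The function names (check_chroot_dir, make_jail_root, landing_dir, sshd_match_stanza, provision_sftp_user) and the chmod 700 on each home are my additions; the commands they run are the ones from the post, and provision_sftp_user needs root.

```shell
#!/bin/sh
# Added example (not from the original post): the chroot'ed SFTP setup as
# shell functions, plus an emulation of sshd's chdir into the jail that shows
# why the "ln -s . sftp" link is needed. Function names are my own.
set -eu

# sshd rejects a ChrootDirectory that is not owned by root or that is
# writable by group or others ("bad ownership or modes for chroot directory").
# Checks one directory; run it on each component of the path if unsure.
check_chroot_dir() {
    dir="$1"
    owner=$(stat -c '%u' "$dir")
    perms=$(stat -c '%A' "$dir")          # e.g. drwx--x--x
    if [ "$owner" -ne 0 ]; then
        echo "$dir: not owned by root (uid $owner)" >&2
        return 1
    fi
    case "$perms" in
        ?????w*|????????w*)               # group write bit or other write bit set
            echo "$dir: group/world writable ($perms)" >&2
            return 1 ;;
    esac
    return 0
}

# The post's trick: hide the jail root's listing (711) and add a link so the
# user's pw_dir (/sftp/<user>) exists when resolved from inside the jail.
make_jail_root() {
    chroot="$1"
    name=$(basename "$chroot")
    chmod 711 "$chroot"
    [ -L "$chroot/$name" ] || ln -s . "$chroot/$name"
}

# Emulates what sshd does after chroot(2): chdir(pw_dir) with "/" now being
# the jail. Prints the host directory the user lands in, or fails the way the
# chdir would (sshd then silently leaves the user at the jail root).
# Simplification: absolute symlinks inside the jail are not re-rooted here.
landing_dir() {
    chroot="$1"
    home="$2"
    realpath -e "$chroot$home" 2>/dev/null
}

# The stanza for sshd_config. It must be the LAST thing in the file, since
# every line after a Match belongs to that block; validate with "sshd -t".
sshd_match_stanza() {
    printf 'Match Group %s\n    ChrootDirectory %s\n    ForceCommand internal-sftp\n' "$1" "$2"
}

# The real thing (needs root): the post's commands in order, plus a 700 on
# the user's home so other jailed users cannot wander into it (my addition;
# the mode useradd gives a new home depends on login.defs).
provision_sftp_user() {
    user="$1"
    group="${2:-sftpgroup}"
    chroot="${3:-/sftp}"
    getent group "$group" >/dev/null || groupadd "$group"
    mkdir -p "$chroot"
    chown root:root "$chroot"
    id "$user" >/dev/null 2>&1 || \
        useradd -g "$group" -d "$chroot/$user" -m -s /sbin/nologin "$user"
    chmod 700 "$chroot/$user"
    make_jail_root "$chroot"
    check_chroot_dir "$chroot"
    echo "$user lands in: $(landing_dir "$chroot" "$chroot/$user")"
}

# Usage (as root): ./sftp-jail.sh provision sftpuser [group] [chroot]
#                  ./sftp-jail.sh stanza sftpgroup /sftp >> /etc/ssh/sshd_config
case "${1:-}" in
    provision) shift; provision_sftp_user "$@" ;;
    stanza)    shift; sshd_match_stanza "$@" ;;
esac
```

To see the trick in isolation, point make_jail_root and landing_dir at a scratch directory such as /tmp/x/sftp with a sftpuser subdirectory inside it: landing_dir fails before the link is made and prints the real home afterwards, which is exactly the difference between the user being dropped at the unreadable jail root and landing in a directory they can write to.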