Restrict SFTP User to Home Directory
From Mike Beane's Blog
In this post, I'll show you how to set up secure FTP (SFTP) access to your Ubuntu server. (Instructions for Debian are very similar: leave out the sudo part and follow these steps as root.)
For this to work, you'll need Ubuntu 8.10 "Intrepid", Debian 5.0 "Lenny" or newer. In this example, "mark" is the user who can gain superuser rights through sudo. "peter" and a few other users are the ones I want to give sftp access to their personal folder, but not shell access or anything else.
Step 1: If it doesn't exist yet, create a group for the users you want to have sftp access only:
sudo groupadd sftponly
Step 2: Add user "peter" to this group:
sudo adduser peter sftponly
Step 3: Install openssh-server if it's not installed yet.
sudo apt-get install openssh-server
Step 4: Open the default OpenSSH server configuration for editing:
sudo nano /etc/ssh/sshd_config
Step 5: Change the default sftp server from:
Subsystem sftp /usr/lib/openssh/sftp-server
to
Subsystem sftp internal-sftp
Step 6: Some users should only be able to use sftp, not other OpenSSH features like remote login. Let's create a rule for that group of users (the sftponly group from Step 1). Add the following section to the bottom of /etc/ssh/sshd_config:
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Step 7: Give ownership of the directory you want to make sftp accessible (peter's home) to the superuser; sshd only accepts a ChrootDirectory that is owned by root:
sudo chown root:root /home/peter
Step 8: Now change peter's home directory (normally /home/peter) to /, since inside the chroot /home/peter is seen as /:
sudo usermod -d / peter
Step 9: Repeat steps 2, 7 and 8 for any other users you want to give sftp access.
Step 10: Restart sshd:
sudo /etc/init.d/ssh restart
Note: to stop the sftp user from logging in over ssh with a shell, set the user's shell to /bin/false:
sudo usermod -s /bin/false username
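The steps above depend on two things sshd enforces at login time but the post never checks: the sftp subsystem must be internal-sftp (an external sftp-server binary does not exist inside the jail), and the ChrootDirectory must be root-owned and not writable by group or others, or sshd refuses the connection. The script below is an added example, not code from the original post: it renders the Match block from Step 6 for a given group and checks a directory and an sshd_config file against those two requirements. The function names, the "sftponly" default and the use of GNU stat -c (coreutils, as shipped on Ubuntu/Debian) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Renders the sftp-only Match
# block and checks the chroot prerequisites that sshd enforces.
# Assumptions: GNU stat (-c), sshd_config in the Ubuntu/Debian default location.

# Print the Match block from Step 6 of the post, one directive per line,
# for the group given as $1.
render_match_block() {
    group="$1"
    printf 'Match Group %s\n' "$group"
    printf '    ChrootDirectory /home/%%u\n'
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    ForceCommand internal-sftp\n'
}

# Succeed if the sshd_config given as $1 routes the sftp subsystem to
# internal-sftp (Step 5); fail if it still points at /usr/lib/openssh/sftp-server.
sftp_subsystem_is_internal() {
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp[[:space:]]*$' "$1"
}

# Succeed if an octal mode string (e.g. 755 or 2755) has no write bit set
# for group or other; sshd rejects a ChrootDirectory that has one.
mode_ok() {
    m="$1"
    last=${m#"${m%??}"}   # last two octal digits: group, other
    g=${last%?}
    o=${last#?}
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Succeed if the directory given as $1 is owned by root (uid 0) and passes
# mode_ok, i.e. it satisfies what Step 7 is for.
chroot_dir_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" -eq 0 ] && mode_ok "$mode"
}

# Usage: sh sftp_chroot_check.sh <group> <chroot-dir> <sshd_config>
# e.g.   sh sftp_chroot_check.sh sftponly /home/peter /etc/ssh/sshd_config
if [ $# -eq 3 ]; then
    render_match_block "$1"
    if sftp_subsystem_is_internal "$3"; then
        echo "OK: sftp subsystem is internal-sftp"
    else
        echo "FAIL: $3 does not set 'Subsystem sftp internal-sftp'"
    fi
    if chroot_dir_ok "$2"; then
        echo "OK: $2 is root-owned and not group/other writable"
    else
        echo "FAIL: $2 must be owned by root and not writable by group or others"
    fi
fi
```

Because Step 7 makes the chroot root itself root-owned and unwritable by peter, he can list / but cannot create files directly in it; a subdirectory owned by peter inside /home/peter (an "upload" folder, for instance) is the usual place for his writes, while the root of the jail stays as sshd requires.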
Reference: http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html