OpenSSH was the first version of the famous daemon that came with built-in chroot functionality. Chrooting sshd and restricting shell access to a few commands can be a great way to give a few users secure access to exchange files.
Replace the line "Subsystem sftp /usr/lib/openssh/sftp-server" with:
Subsystem sftp internal-sftp
Match user user1
# The following two directives force user1 to become chrooted
# and only have sftp available. No other chroot setup is required.
# For additional paranoia, disallow all types of port forwardings.
2. Now add a user as follows:
useradd -d /user1 -s /bin/false user1
chown -R user1:user1 user1/
4. Restart your sshd daemon (kill -HUP <sshd pid>).
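A check for the sshd configuration change above, as an added example that is not part of the original post: it reads an sshd_config-style file and reports whether the Match block for one user forces chrooted sftp and disables forwarding. The config comments on this page do not show the directives themselves, so the keywords checked here (ChrootDirectory, ForceCommand, AllowTcpForwarding, X11Forwarding) are assumed to be the ones meant; the function name, the sample files and the path /sftp/user1 are constructed.

```shell
#!/bin/sh
# Added example: audit one user's Match block in an sshd_config-style file.
# Handles only an exact "Match User <name>" line (no patterns or lists).
audit_sftp_jail() {   # usage: audit_sftp_jail CONFIG_FILE USER
    awk -v user="$2" '
        function bad(msg) { print "FAIL: " msg; rc = 1 }
        BEGIN { rc = 0 }
        { sub(/^[ \t]+/, "") }                 # Match bodies are usually indented
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "subsystem" && $2 == "sftp" { subsys = $3; next }
        key == "match" { inblk = (tolower($2) == "user" && $3 == user)
                         if (inblk) found = 1; next }
        inblk && !(key in val) { val[key] = $2 }   # first value wins, as in sshd
        END {
            if (subsys != "internal-sftp") bad("Subsystem sftp is not internal-sftp")
            if (!found) bad("no Match User block for " user)
            if (!("chrootdirectory" in val)) bad("ChrootDirectory missing")
            if (val["forcecommand"] != "internal-sftp") bad("ForceCommand is not internal-sftp")
            if (val["allowtcpforwarding"] != "no") bad("AllowTcpForwarding is not no")
            if (val["x11forwarding"] != "no") bad("X11Forwarding is not no")
            if (!rc) print "OK: " user " is confined to chrooted sftp"
            exit rc
        }
    ' "$1"
}

# Constructed sample configs (not from the page); /sftp/user1 is a placeholder path.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good" <<'EOF'
Subsystem sftp internal-sftp
Match user user1
    # chroot the user and force sftp only
    ChrootDirectory /sftp/user1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
# Same file with the forced command and both forwarding lines dropped.
grep -v -e ForceCommand -e Forwarding "$tmp/good" > "$tmp/weak"

audit_sftp_jail "$tmp/good" user1 || true
audit_sftp_jail "$tmp/weak" user1 || true
```

The audit reads only the file text; sshd additionally refuses a ChrootDirectory unless every component of the path is owned by root and not writable by group or others.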
Non-standard: only restrict shell access
You want to allow a user to place files or folders in his/her home directory through an sftp client or WinSCP client, but you don't want to give any kind of shell access. Here is a simple trick to restrict this.
Just change his login shell to /usr/local/libexec/sftp-server (Solaris) or /usr/lib/openssh/sftp-server (Linux).
Moreover, if you want to restrict access to your sensitive data, just disable the others read (r) and execute (x) permissions on those files and folders.